tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Tue, 19 Apr 2011 08:37:19 GMT
2011/4/19 Christopher Schultz <>:
> Looks like I must override sendRedirect because otherwise the setHeader
> call implemented in Response.sendRedirect isn't intercepted by the
> wrapper class.
> For those interested, see below for the implementation I came up with.

>            if(containsCRorLF(value))
>                throw new IllegalArgumentException("Header value must not contain CR or LF characters");

It would be better to check that all characters are correct ones rather
than check for two specific incorrect characters.

Checking for \r \n only might not be enough. Though that depends on
where the value comes from.

Best regards,
Konstantin Kolinko
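
The allowlist approach suggested in the reply above, set beside a CR/LF-only check, as an added example that is not code from the thread. The class name, the method `isSafeHeaderValue`, the body given to `containsCRorLF`, the allowed character set (visible ASCII, space and tab) and the sample values are all assumptions of the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderValueCheck {

    // Denylist check in the style of the quoted code: rejects only CR and LF.
    // (Body reconstructed for the example; the thread shows only the call.)
    static boolean containsCRorLF(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    // Allowlist check: every character must be visible ASCII (0x21-0x7E),
    // space or horizontal tab. This allowed set is an assumption of the
    // example; widen it only for characters your headers really need.
    static boolean isSafeHeaderValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean allowed = (c >= 0x21 && c <= 0x7E) || c == ' ' || c == '\t';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("plain path", "/app/home?lang=en");
        samples.put("CR LF", "/app/home\r\nrest");
        samples.put("NUL", "/app/home\u0000");
        samples.put("vertical tab", "/app/home\u000B");
        samples.put("NEL U+0085", "/app/home\u0085");
        samples.put("line separator U+2028", "/app/home\u2028");

        // Only the first value passes both checks; the last four pass the
        // CR/LF-only check but are rejected by the allowlist.
        for (Map.Entry<String, String> e : samples.entrySet()) {
            boolean denylistAccepts = !containsCRorLF(e.getValue());
            boolean allowlistAccepts = isSafeHeaderValue(e.getValue());
            System.out.printf("%-24s denylist accepts: %-5b allowlist accepts: %b%n",
                    e.getKey(), denylistAccepts, allowlistAccepts);
        }
    }
}
```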
