tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: [OT] Protecting against HTTP response splitting
Date Wed, 20 Apr 2011 15:56:57 GMT
2011/4/20 Christopher Schultz <chris@christopherschultz.net>:
>
> I was considering scouring the URL/URI specs for exactly what characters
> are allowed but then decided that I didn't really care: I was mostly
> concerned with thwarting a response-splitting attack and avoiding \r and
> \n does that.

See HTTP spec on what is allowed in headers.

>
> This isn't intended to be an outgoing HTTP header value validator.
>
> Technically, this is over-engineered because it looks for /either/ \r
> /or/ \n, rather than \r\n which should be the only way to exploit such a
> vulnerability. :)
>

You are wrong. This way is not the only one.

Best regards,
Konstantin Kolinko
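As an added illustration of the point made in this exchange (example code, not from either correspondent or from Tomcat itself): a conservative validator for outgoing header values written for a Java web application, following the field-value grammar of RFC 7230 section 3.2 (visible ASCII and obs-text, with SP and HTAB as the only whitespace, no other control characters). It rejects a lone CR or a lone LF, not just the CR LF pair, since HTTP parsers commonly accept a bare LF as a line terminator, and it goes one step beyond the thread by rejecting every control character, not only the two discussed. The class name, method names and sample values are my own.

```java
// Added example: validate a header value before passing it to response.setHeader().
// Field-value rule (RFC 7230 s.3.2): field-content = VCHAR / obs-text, separated by
// SP / HTAB. Every CTL (0x00-0x1F, 0x7F), including CR and LF on their own, is rejected.
public final class HeaderValueValidator {

    private HeaderValueValidator() {}

    /** Returns true if {@code value} may be emitted as an HTTP header field value. */
    public static boolean isValidHeaderValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\t') {
                continue;                 // HTAB is permitted whitespace
            }
            if (c < 0x20 || c == 0x7F) {
                return false;             // CTL: covers CR (0x0D) and LF (0x0A) individually
            }
            if (c > 0xFF) {
                return false;             // beyond obs-text; not representable in ISO-8859-1 headers
            }
        }
        return true;
    }

    /** Fails fast instead of emitting an unsafe value; call before response.setHeader(name, value). */
    public static String requireValidHeaderValue(String name, String value) {
        if (!isValidHeaderValue(value)) {
            throw new IllegalArgumentException("Illegal character in value of header '" + name + "'");
        }
        return value;
    }

    // Constructed sample values, purely to show which inputs the validator accepts or rejects.
    public static void main(String[] args) {
        String[] samples = {
            "text/html; charset=UTF-8",   // valid
            "no-cache,\tno-store",        // valid: HTAB allowed
            "a\r\nb",                     // CR LF pair: rejected
            "a\nb",                       // bare LF: rejected
            "a\rb",                       // bare CR: rejected
            "a\u0000b"                    // NUL: rejected
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n")
                            .replace("\t", "\\t").replace("\u0000", "\\0");
            System.out.printf("%-28s -> %s%n", shown,
                    isValidHeaderValue(s) ? "accepted" : "rejected");
        }
    }
}
```

Checking for the single characters rather than the "\r\n" sequence costs nothing and closes the gap the reply alludes to; in a servlet the natural place for the check is a thin wrapper around every setHeader/addHeader call that takes user-influenced input.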

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

