tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: [OT] Protecting against HTTP response splitting
Date Wed, 20 Apr 2011 15:56:57 GMT
2011/4/20 Christopher Schultz <>:
> I was considering scouring the URL/URI specs for exactly what characters
> are allowed but then decided that I didn't really care: I was mostly
> concerned with thwarting a response-splitting attack and avoiding \r and
> \n does that.

See HTTP spec on what is allowed in headers.

> This isn't intended to be an outgoing HTTP header value validator.
> Technically, this is over-engineered because it looks for /either/ \r
> /or/ \n, rather than \r\n which should be the only way to exploit such a
> vulnerability. :)

You are wrong. This way is not the only one.

Best regards,
Konstantin Kolinko
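The check discussed above, as an added example that is not code from either poster or from Tomcat: a Python header-value validator (Python rather than Java so it can be run directly; the logic is the same) that contrasts a CRLF-only check with one that rejects a bare CR or LF, adds a stricter check against the RFC 7230 field-value grammar, and includes a small model of a lenient header parser (an assumption for illustration, not Tomcat's parser) to show why a lone \n or \r is enough to split a header.

```python
import re

# RFC 7230 field-value characters: HTAB, VCHAR (0x21-0x7E), SP, obs-text (0x80-0xFF).
# CR, LF, NUL, other C0 controls and DEL fall outside this set.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def crlf_only_check(value: str) -> bool:
    """The weak check: only the exact CRLF pair is rejected."""
    return "\r\n" not in value


def cr_or_lf_check(value: str) -> bool:
    """The check from the thread: reject a bare CR or a bare LF anywhere."""
    return "\r" not in value and "\n" not in value


def rfc7230_check(value: str) -> bool:
    """Stricter: accept only characters the HTTP field-value grammar allows."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def header_lines_seen(name: str, value: str) -> int:
    """Model of a lenient receiver (assumption: it accepts CRLF, bare CR or
    bare LF as a line terminator). Returns how many header lines it would
    parse from a single serialized header, so 1 means the value stayed
    inside its own header and >1 means the header was split."""
    raw = f"{name}: {value}\r\n"
    return len([line for line in re.split(r"\r\n|\r|\n", raw) if line])


def classify(value: str) -> dict:
    """Run all three checks on one value and report what a lenient parser sees."""
    return {
        "crlf_only": crlf_only_check(value),
        "cr_or_lf": cr_or_lf_check(value),
        "rfc7230": rfc7230_check(value),
        "lines_seen": header_lines_seen("Location", value),
    }


if __name__ == "__main__":
    # Constructed sample values: a clean one, a bare-LF one, a bare-CR one
    # and one containing NUL, which CR/LF checks pass but the grammar check rejects.
    samples = {
        "clean": "/home",
        "bare LF": "/home\nX-Injected: 1",
        "bare CR": "/home\rX-Injected: 1",
        "NUL": "/home\x00",
    }
    for label, value in samples.items():
        print(f"{label:8} {classify(value)}")
```

The `lines_seen` figure is the point of the thread: a value containing a lone LF or lone CR passes the CRLF-only check yet is still parsed as two headers by a receiver that tolerates bare line terminators, so rejecting either character on its own is the minimum. The RFC 7230 check is the version to prefer when the goal is a general outgoing header validator rather than only blocking response splitting.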
