Sebb,

Just saw your response from a few weeks back... (and responded directly
instead of to the list.. it's been a long day).

On 4/1/2011 6:16 PM, sebb wrote:
> I may be missing something here, but can't you use the ctor:
>
> URL(URL context, String spec)
>
> and pass in a dummy context with a suitable protocol?

Maybe. The URL may or may not be fully-qualified, relative, etc.

I'm leaning more towards just protecting against control characters in a
header: there's no need to do a complete URL-parse to check for response
splitting.

A simple filter that wraps the response and overrides either
sendRedirect or setHeader(String, String) should do it.

I'd have to check to see how the two interact... whether calling
sendRedirect on a wrapped response will also set the header on the
wrapped response or set the header at a higher level where the wrapper
won't get called.

I'll post whatever I come up with.

Thanks,
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
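
The response-wrapping filter described in the message above, as an added example that is not code from the poster or from Tomcat. It assumes the javax.servlet API; the class name HeaderControlCharFilter and the helpers hasControlChars and check are hypothetical, and it rejects offending values rather than stripping them.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: refuses header names, header values and redirect
// targets that contain control characters (the response-splitting vector).
public class HeaderControlCharFilter implements Filter {

    // True if s contains CR, LF or any other control character (tab is allowed).
    static boolean hasControlChars(String s) {
        if (s == null) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7f) return true;
        }
        return false;
    }

    // Returns s unchanged, or throws so the bad value never reaches the response.
    static String check(String s) {
        if (hasControlChars(s)) {
            throw new IllegalArgumentException("Control character in response header");
        }
        return s;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) { chain.doFilter(req, res); return; }
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void setHeader(String name, String value) {
                super.setHeader(check(name), check(value));
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(check(name), check(value));
            }
            // Overridden too, so the check does not depend on sendRedirect
            // calling setHeader on this wrapper.
            @Override public void sendRedirect(String location) throws IOException {
                super.sendRedirect(check(location));
            }
        });
    }
}
```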