From: Christopher Schultz
Date: Wed, 20 Apr 2011 10:10:21 -0400
To: Tomcat Users List
Subject: Re: [OT] Protecting against HTTP response splitting

Konstantin,

On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz:
>>
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrapper class.
>>
>> For those interested, see below for the implementation I came up with.
>>
>
>> if(containsCRorLF(value))
>>     throw new IllegalArgumentException("Header value must not contain CR or LF characters");
>
> It would be better to check that all characters are correct ones rather
> than check for two specific incorrect characters.
>
> Checking for \r \n only might not be enough. Though that depends on
> where the value comes from.

I was considering scouring the URL/URI specs for exactly what characters are allowed but then decided that I didn't really care: I was mostly concerned with thwarting a response-splitting attack and avoiding \r and \n does that. This isn't intended to be an outgoing HTTP header value validator.

Technically, this is over-engineered because it looks for /either/ \r /or/ \n, rather than \r\n which should be the only way to exploit such a vulnerability. :)

-chris
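The two checks debated in this exchange, side by side, as an added example that is not part of the thread and not Tomcat's code: the narrow CR/LF check quoted from the wrapper, and an allowlist check of the kind Konstantin suggests, built from the header field-value grammar of RFC 7230 section 3.2 (SP, HTAB, VCHAR, obs-text). The class, function names and sample values are my own; the wrapper class models the point made in the thread that sendRedirect has to be overridden so the Location header passes through the same check as setHeader.

```python
# Added example, not from the thread or from Tomcat. Compares the CR/LF-only
# check quoted in the thread with an RFC 7230 field-value allowlist check.
from typing import Dict, Tuple


def contains_cr_or_lf(value: str) -> bool:
    """The narrow check: reject any bare CR or LF (enough to stop splitting)."""
    return "\r" in value or "\n" in value


def is_valid_field_value(value: str) -> bool:
    """Allowlist check: every character must be one RFC 7230 permits in a
    header field-value: SP, HTAB, VCHAR (0x21-0x7E) or obs-text (0x80-0xFF).
    CR, LF, NUL, other controls, DEL and anything above 0xFF are rejected."""
    for ch in value:
        cp = ord(ch)
        if cp in (0x09, 0x20) or 0x21 <= cp <= 0x7E or 0x80 <= cp <= 0xFF:
            continue
        return False
    return True


class SplittingSafeResponse:
    """Stand-in (hypothetical) for the HttpServletResponseWrapper in the thread:
    header setters and sendRedirect all funnel through one validation point."""

    def __init__(self, strict: bool = False) -> None:
        self.strict = strict          # True: allowlist; False: CR/LF only
        self.headers: Dict[str, str] = {}

    def _check(self, value: str) -> None:
        if self.strict:
            if not is_valid_field_value(value):
                raise ValueError("Header value contains a character not allowed in a field-value")
        elif contains_cr_or_lf(value):
            raise ValueError("Header value must not contain CR or LF characters")

    def set_header(self, name: str, value: str) -> None:
        self._check(value)
        self.headers[name] = value

    def send_redirect(self, location: str) -> None:
        # Overridden explicitly, as the thread notes, so the Location header
        # written by the container's own sendRedirect cannot bypass the check.
        self.set_header("Location", location)


def compare(value: str) -> Tuple[bool, bool]:
    """Return (accepted_by_crlf_check, accepted_by_allowlist) for one value."""
    return (not contains_cr_or_lf(value), is_valid_field_value(value))


# Constructed sample values, each chosen to show where the two checks agree
# or differ. "crlf" is the classic splitting payload shape.
SAMPLES = {
    "plain":      "/app/home?x=1",
    "crlf":       "/app/home\r\nSet-Cookie: injected=1",
    "bare_cr":    "/app/home\rSet-Cookie: injected=1",
    "nul":        "/app/home\x00",
    "del":        "/app/home\x7f",
    "latin1":     "/app/caf\u00e9",       # obs-text, allowed by the grammar
    "unicode_ls": "/app/home\u2028",      # above 0xFF: allowlist rejects
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        crlf_ok, allow_ok = compare(value)
        print(f"{label:10s} crlf-check={'accept' if crlf_ok else 'reject':6s} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
```

Running it shows the two checks agree on the CR/LF cases (both stop splitting) and differ only on values such as NUL, DEL or characters above 0xFF, which the narrow check lets through and the allowlist rejects; that is exactly the scope difference the thread is about, with the allowlist being the right choice when the value is meant to be a valid outgoing header rather than merely a non-splittable one.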