Subject: Re: [OT] Protecting against HTTP response splitting
From: Leon Rosenberg
To: Tomcat Users List
Date: Fri, 1 Apr 2011 07:49:35 +0200

On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz wrote:
> Ronald,
>
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid URLs?
>
> new URL(String) will throw a MalformedURLException if there are illegal
> characters in the URL.

This will work for 'correct URLs'; however, you don't necessarily need to send correct URLs, and I suppose you don't want to. Consider this Struts1-like action:

    // Struts1-like action (FormBean is the application's own form-bean class)
    public ActionForward execute(ActionMapping mapping, FormBean bean,
                                 HttpServletRequest req, HttpServletResponse res)
            throws Exception {
        // do something.... useful
        res.sendRedirect("pageResult?page=1"); // relative target, not an absolute URL
        return null;
    }

This is not a syntactically correct URL, but it will work in all browsers and save you a lot of stress in multi-URL (i18n) portals.

I would solve your problem by having multiple entry points for the actions, which then can specify the final redirect path.
regards
Leon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
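Leon's objection above is that new URL() rejects the relative targets an action usually sends. As an added example that is not from this thread, the following hypothetical helper (RedirectTargetCheck, with constructed host names and sample targets) shows that distinction next to a check that keeps relative paths and one allowed host but refuses the control characters a split response depends on.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;

// Hypothetical helper, not from the thread: decides whether a redirect target is safe
// to hand to HttpServletResponse.sendRedirect() without risking a split response.
public final class RedirectTargetCheck {

    // The check discussed in the thread: new URL() has no notion of a relative reference,
    // so "pageResult?page=1" is rejected for lacking a protocol, not for being dangerous.
    static boolean urlConstructorAccepts(String target) {
        try { new URL(target); return true; } catch (MalformedURLException e) { return false; }
    }

    // Accepts a relative path, or an absolute http(s) URL to the one allowed host, and
    // refuses anything carrying CR, LF or other control characters (what splitting needs).
    static boolean isSafeRedirectTarget(String target, String allowedHost) {
        if (target == null || target.isEmpty()) return false;
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) return false;   // CR, LF, TAB and other controls
        }
        URI uri;
        try {
            uri = new URI(target);                     // URI, unlike URL, parses relative refs
        } catch (URISyntaxException e) {
            return false;                              // e.g. a stray '%' or an unencoded space
        }
        if (uri.isAbsolute()) {
            String scheme = uri.getScheme().toLowerCase();
            return (scheme.equals("http") || scheme.equals("https"))
                    && allowedHost.equalsIgnoreCase(uri.getHost());
        }
        return uri.getRawAuthority() == null;          // rejects protocol-relative "//other.host/"
    }

    public static void main(String[] args) {
        String[] targets = {                           // constructed sample inputs
            "pageResult?page=1",                       // what the Struts action above sends
            "https://portal.example/pageResult?page=1",
            "https://other.example/",
            "//other.example/",
            "pageResult?page=1\r\nSet-Cookie: x=y"     // literal CRLF: the split-response case
        };
        for (String t : targets) {
            System.out.printf("%-45s newURL=%-5b safe=%b%n", t.replace("\r\n", "\\r\\n"),
                    urlConstructorAccepts(t), isSafeRedirectTarget(t, "portal.example"));
        }
    }
}
```

Only the first two targets pass isSafeRedirectTarget, while new URL() accepts only the absolute ones regardless of host.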