tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: CRLF Stripped in Tomcat Response Header
Date Sun, 04 Sep 2011 12:10:21 GMT
On 04/09/2011 12:16, Nadav Katz wrote:
> Sorry Mark, I just noticed your input regarding the filter. I am
> really only worried about attackers tampering with request headers.
> The reason is that we may have (now or in the future) code that gets
> request headers and inserts them to the response.

OK.

> Since I know I
> never expect request headers to contain any illegal characters like
> the ones you are blocking, I believe I am safe enough stripping them
> from requests without even worrying about the authenticity of the
> header. If you think there is a flaw in my logic I would be very
> happy if you could elaborate, since I am new to the this world.

It is impossible for \r or \n to appear in a request header value since
those characters are used to signal the end of a header line.

> The
> specific code I posted was only for testing purposes. I was analyzing
> network traffic and kept seeing the line carriages dropped. My full
> intention was to create code that takes a header from the request and
> sets it in the response. Then I planned to send a request with said
> header manipulated with attack code (using an interceptor). Again,
> any input you might have would be welcome. Thanks Again, Nadav

I don't think the attack you are describing can possibly succeed.

Mark

> 
> -----Original Message----- From: Mark Thomas
> [mailto:markt@apache.org] Sent: Sunday, September 04, 2011 12:58 PM 
> To: Tomcat Users List Subject: Re: CRLF Stripped in Tomcat Response
> Header
> 
> On 04/09/2011 05:54, Nadav Katz wrote:
>> Hi All!
>> 
>> First, let me assure everyone that I am not a hacker, exactly the 
>> opposite, but I have a related problem. I am in the process of 
>> implementing code that protects against header manipulation. I 
>> created a filter that strips line feed and carriage return
>> characters from requests to avoid header splitting.
> 
> Something doesn't add up here. Your filter is meant to be filtering 
> requests (one wonders how it differentiates between legitimate
> headers and injected ones) yet your code is trying to inject headers
> into the response. I assume that you mean "response" when you write
> "request".
> 
>> The thing is, I want to test it, and can't recreate the issue with
>> Tomcat.
>> 
>> When I insert this code in my jsp:
>> 
>> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not 
>> found\r\n...";
>> 
>> response.setHeader("Set-Cookie", attack);
>> 
>> The returned request is returned like this:
>> 
>> 
>> 
>> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found 
>> ...\r\n
>> 
>> As you can see all the CRLF have been replaced with whitespaces.
>> I'm assuming Tomcat is doing this, but I can't find where, even
>> after looking through the code and reading the documentation.
> 
> 
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
>
> 
Line 709 onwards.
> 
>> Does anyone know anything about this?
> 
> Clearly.
> 
>> Is there any way to turn this off?
> 
> There is no configuration option to disable this, nor will one ever
> be provided. You are, of course, free to modify the source code
> locally and re-build Tomcat.
> 
>> I can't test my code when it's in place. Alternatively if anyone
>> has any other solution as to how to test it, I would be most
>> grateful.
> 
> Are you sure this is even a problem that needs fixing? Which
> containers don't already provide this filtering?
> 
> Mark
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message