tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nadav Katz <>
Subject RE: CRLF Stripped in Tomcat Response Header
Date Sun, 04 Sep 2011 11:16:52 GMT
Sorry Mark, I just noticed your input regarding the filter. 
I am really only worried about attackers tampering with request headers. The reason is that
we may have (now or in the future) code that gets request headers and inserts them to the
response. Since I know I never expect request headers to contain any illegal characters like
the ones you are blocking, I believe I am safe enough stripping them from requests without
even worrying about the authenticity of the header. If you think there is a flaw in my logic
I would be very happy if you could elaborate, since I am new to the this world.
The specific code I posted was only for testing purposes. I was analyzing network traffic
and kept seeing the line carriages dropped. My full intention was to create code that takes
a header from the request and sets it in the response. Then I planned to send a request with
said header manipulated with attack code (using an interceptor). Again, any input you might
have would be welcome. 
Thanks Again,

-----Original Message-----
From: Mark Thomas [] 
Sent: Sunday, September 04, 2011 12:58 PM
To: Tomcat Users List
Subject: Re: CRLF Stripped in Tomcat Response Header

On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.

Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".

> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
> When I insert this code in my jsp:
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not
> found\r\n...";
> response.setHeader("Set-Cookie", attack);
> The returned request is returned like this:
> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found
> ...\r\n
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.
Line 709 onwards.

> Does anyone know anything about this?


> Is there any way to turn this off?

There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.

> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.

Are you sure this is even a problem that needs fixing? Which containers
don't already provide this filtering?


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message