tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nadav Katz <nadav.k...@oracle.com>
Subject CRLF Stripped in Tomcat Response Header
Date Sun, 04 Sep 2011 04:54:23 GMT
Hi All!

First, let me assure everyone that I am not a hacker, exactly the opposite, but I have a related
problem. I am in the process of implementing code that protects against header manipulation.
I created a filter that strips line feed and carriage return characters from requests to avoid
header splitting. The thing is, I want to test it, and can't recreate the issue with Tomcat.


When I insert this code in my jsp:

 

String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";

response.setHeader("Set-Cookie", attack);  

 

The returned request is returned like this:

 

Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found  ...\r\n

 

As you can see all the CRLF have been replaced with whitespaces. I'm assuming Tomcat is doing
this, but I can't find where, even after looking through the code and reading the documentation.
Does anyone know anything about this? Is there any way to turn this off? I can't test my code
when it's in place. Alternatively if anyone has any other solution as to how to test it, I
would be most grateful.

Thanks!

Btw, I'm using Tomcat 6.0.32 

 

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message