tomcat-users mailing list archives

From Nadav Katz <>
Subject CRLF Stripped in Tomcat Response Header
Date Sun, 04 Sep 2011 04:54:23 GMT
Hi All!

First, let me assure everyone that I am not a hacker, exactly the opposite, but I have a related
problem. I am in the process of implementing code that protects against header manipulation.
I created a filter that strips line feed and carriage return characters from requests to avoid
header splitting. The thing is, I want to test it, and can't recreate the issue with Tomcat.

When I insert this code in my jsp:


String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";

response.setHeader("Set-Cookie", attack);  


The returned request is returned like this:


Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found  ...\r\n


As you can see all the CRLF have been replaced with whitespaces. I'm assuming Tomcat is doing
this, but I can't find where, even after looking through the code and reading the documentation.
Does anyone know anything about this? Is there any way to turn this off? I can't test my code
when it's in place. Alternatively if anyone has any other solution as to how to test it, I
would be most grateful.


Btw, I'm using Tomcat 6.0.32 
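
Added example, not code from the original post or from Tomcat: the kind of filter the post describes, written as a response wrapper that removes CR and LF from header names and values before the container sees them. It assumes the Servlet 2.5 API that Tomcat 6 ships and a web.xml filter mapping; the class and method names are assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the post or from Tomcat): wraps the response so that
// every header-setting call made by a JSP or servlet is sanitized first.
// Register it in web.xml with a <filter> and a <filter-mapping>.
public class HeaderSanitizingFilter implements Filter {

    /** Removes CR and LF, the characters that end a header line and enable splitting. */
    static String strip(String value) {
        return value == null ? null : value.replace("\r", "").replace("\n", "");
    }

    /** Response wrapper that applies strip() to header names and values. */
    static class SanitizingResponse extends HttpServletResponseWrapper {
        SanitizingResponse(HttpServletResponse response) {
            super(response);
        }
        @Override
        public void setHeader(String name, String value) {
            super.setHeader(strip(name), strip(value));
        }
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(strip(name), strip(value));
        }
        @Override
        public void addCookie(Cookie cookie) {
            // Cookie's constructor already rejects control characters in the name.
            cookie.setValue(strip(cookie.getValue()));
            super.addCookie(cookie);
        }
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            response = new SanitizingResponse((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Because, as observed above, Tomcat rewrites the CR/LF before the header reaches the wire, an over-the-wire test cannot show whether the filter worked; test `strip()` and the wrapper directly (for instance by calling `setHeader` on a wrapper around a stub `HttpServletResponse` and checking the value it receives), with the `"name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n..."` string from the post as input.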

