On 04/09/2011 12:16, Nadav Katz wrote:
> Sorry Mark, I just noticed your input regarding the filter. I am
> really only worried about attackers tampering with request headers.
> The reason is that we may have (now or in the future) code that gets
> request headers and inserts them to the response.
OK.
> Since I know I
> never expect request headers to contain any illegal characters like
> the ones you are blocking, I believe I am safe enough stripping them
> from requests without even worrying about the authenticity of the
> header. If you think there is a flaw in my logic I would be very
> happy if you could elaborate, since I am new to this world.
It is impossible for \r or \n to appear in a request header value since
those characters are used to signal the end of a header line.
> The
> specific code I posted was only for testing purposes. I was analyzing
> network traffic and kept seeing the line carriages dropped. My full
> intention was to create code that takes a header from the request and
> sets it in the response. Then I planned to send a request with said
> header manipulated with attack code (using an interceptor). Again,
> any input you might have would be welcome. Thanks Again, Nadav
I don't think the attack you are describing can possibly succeed.
Mark
>
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Sunday, September 04, 2011 12:58 PM
> To: Tomcat Users List
> Subject: Re: CRLF Stripped in Tomcat Response Header
>
> On 04/09/2011 05:54, Nadav Katz wrote:
>> Hi All!
>>
>> First, let me assure everyone that I am not a hacker, exactly the
>> opposite, but I have a related problem. I am in the process of
>> implementing code that protects against header manipulation. I
>> created a filter that strips line feed and carriage return
>> characters from requests to avoid header splitting.
>
> Something doesn't add up here. Your filter is meant to be filtering
> requests (one wonders how it differentiates between legitimate
> headers and injected ones) yet your code is trying to inject headers
> into the response. I assume that you mean "response" when you write
> "request".
>
>> The thing is, I want to test it, and can't recreate the issue with
>> Tomcat.
>>
>> When I insert this code in my jsp:
>>
>> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";
>>
>> response.setHeader("Set-Cookie", attack);
>>
>> The returned request is returned like this:
>>
>> Set-Cookie: author=Wiley Hacker HTTP/1.1 404 Page not found
>> ...\r\n
>>
>> As you can see all the CRLF have been replaced with whitespaces.
>> I'm assuming Tomcat is doing this, but I can't find where, even
>> after looking through the code and reading the documentation.
>
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
>
> Line 709 onwards.
>
>> Does anyone know anything about this?
>
> Clearly.
>
>> Is there any way to turn this off?
>
> There is no configuration option to disable this, nor will one ever
> be provided. You are, of course, free to modify the source code
> locally and re-build Tomcat.
>
>> I can't test my code when it's in place. Alternatively if anyone
>> has any other solution as to how to test it, I would be most
>> grateful.
>
> Are you sure this is even a problem that needs fixing? Which
> containers don't already provide this filtering?
>
> Mark
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
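The two mechanics the replies above rest on, as an added example in Python that is not code from the thread or from Tomcat: a raw CRLF in a response header value splits the response into two, replacing CR/LF with a space (modelled on the behaviour Mark points to, not copied from InternalOutputBuffer) keeps it as one, and a request header value can never carry a CR or LF because those bytes end the header line during parsing. The header name X-Name, the function echo_header_response, the ATTACK string (the thread's string with the elided tail filled in by a small fake 404) and the REQUEST bytes are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

CRLF = "\r\n"
STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}\b")


def serialize_response(status_line: str, headers: List[Tuple[str, str]],
                       body: bytes = b"", sanitize: bool = False) -> bytes:
    """Serialise an HTTP/1.1 response. sanitize=True models a container
    replacing CR and LF in a header value with a space (an assumption
    modelled on the thread's description, not Tomcat's code)."""
    lines = [status_line]
    for name, value in headers:
        if sanitize:
            value = value.replace("\r", " ").replace("\n", " ")
        lines.append(f"{name}: {value}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


def status_lines(raw: bytes) -> List[str]:
    """Every line in the byte stream that looks like a status line. More than
    one means a client or proxy can be fooled into seeing a second response."""
    return [ln for ln in raw.decode("latin-1").split(CRLF) if STATUS_LINE.match(ln)]


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Minimal request-header parser. Its rule (an assumption modelled on
    lenient HTTP/1.1 line handling): LF ends a header line, CR is discarded
    wherever it appears, a line without a colon is malformed. So a parsed
    value can never contain CR or LF, whatever an interceptor sent."""
    headers: Dict[str, str] = {}
    for line in raw.decode("latin-1").split("\n")[1:]:   # [0] is the request line
        line = line.replace("\r", "")
        if line == "":
            break                                          # end of header block
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def echo_header_response(raw_request: bytes, sanitize: bool = False) -> bytes:
    """The pattern Nadav plans to test: copy a request header (X-Name, a
    constructed name) straight into a response header, unfiltered."""
    name = parse_request_headers(raw_request).get("x-name", "")
    return serialize_response("HTTP/1.1 200 OK", [("Set-Cookie", f"name={name}")],
                              sanitize=sanitize)


# Constructed test data: the thread's JSP string with the elided tail
# filled in by a small fake 404 response.
ATTACK = ("name=Bad Hacker\r\n"
          "HTTP/1.1 404 Page not found\r\n"
          "Content-Length: 23\r\n"
          "\r\n"
          "<html>Bad Hacker</html>")

# Constructed request in which an interceptor put a CRLF into the X-Name value.
REQUEST = (b"GET /echo.jsp HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"X-Name: Bad Hacker\r\nSet-Cookie: evil=1\r\n"
           b"\r\n")


def demo() -> Dict[str, int]:
    """Number of status lines a naive reader sees in each scenario."""
    unsafe = serialize_response("HTTP/1.1 200 OK", [("Set-Cookie", ATTACK)])
    safe = serialize_response("HTTP/1.1 200 OK", [("Set-Cookie", ATTACK)], sanitize=True)
    echoed = echo_header_response(REQUEST)          # no sanitising anywhere
    return {
        "response_side_unsanitised": len(status_lines(unsafe)),   # 2: the response splits
        "response_side_sanitised": len(status_lines(safe)),       # 1
        "request_header_echoed": len(status_lines(echoed)),       # 1: no CRLF survived parsing
    }


if __name__ == "__main__":
    for scenario, count in demo().items():
        print(f"{scenario}: {count}")
    print(serialize_response("HTTP/1.1 200 OK", [("Set-Cookie", ATTACK)], sanitize=True).decode())
```

Note what the request-side parse shows: the injected `Set-Cookie: evil=1` comes out as an ordinary second header, indistinguishable from a legitimate one, which is the difficulty Mark raises about a request filter; and the echoed X-Name value reaches the response without a CR or LF even with no filtering at all.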