Hi, please create a issue.
2015-07-21 9:13 GMT+02:00 Ortwin Escher <[email protected]>: > Hello, > > As wished to the developers list: > > The JsfUtils used in DeltaSpike URLEncode the values but not the keys. > This allows header injection (see > https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on > this attack type). As an example if I open a page without window ID and > thus have a redirect by DefaultClientWindow.getOrCreateWindowId() in it: > > /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a > > will cause the key side to be an unescaped part of the redirect URL and > thus cause the cookie to be set. the encodeValues parameter should also > cause the keys to be encoded as well. > > Regards > > Ortwin Escher > > Fachreferent, Fahrzeug IT, VC-M1 > > IAV GmbH > Rockwellstrasse 16 > 38518 GIFHORN > GERMANY > > Internet: http://www.iav.com > > Sitz/Registered Office: Berlin, > Registergericht/Registration Court: Amtsgericht Charlottenburg, > Registernummer/Company Registration Number: HRB 21 280, > Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert, > Olaf Kupke > Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr. > Harald Ludanek
