Jim Manico wrote:
> I'm continuing to do a security review of Tomcat 5.5 for my company. I
> noticed that linefeeds get ripped out of header values which stops
> header injection attacks cold. Whoever did this, I commend you. Many
> other containers do not. You Rock.

InternalInputBuffer.java
InternalAprInputBuffer.java
InternalNioInputBuffer.java

Just search for parseHeaders.
The first two classes are similar; the third one is almost similar,
except that it supports non-blocking parsing of headers.

Filip

> Can anyone point me to the code that does this?
> Best,
> Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]