On Wednesday, 30 March 2011 22:12, Christopher Schultz
<ch...@christopherschultz.net> wrote:

All,

I was playing around with findbugs today and saw a security warning I've
never seen before: "HTTP parameter directly written to HTTP header
output in [somefile.java]".

I read a bit more into it and the warning was correct, I was doing
something akin to the following:

response.sendRedirect(request.getParameter("returnURL"));

Aside from not running the redirect through response.encodeRedirectURL,
there's another potential problem there: the user can specify a return
URL that breaks the HTTP response and can do some evil things. I
verified that I can break my own response in this way by adding "%0d%0a"
and then more stuff to my "returnURL" parameter and I magically escaped
the "Location" header of the response.

The suggested mitigation is to URL-encode the value before putting it
into the header.

I was wondering if anyone was doing anything like this and has a
suggestion for allowing the UI to control its own "return to" URLs in a
safe way. We'd like to use returnURL values that allow for query
parameters to be passed back to the target URL, so we can't just blindly
URL-encode the URL, otherwise those parameters will become part of the
URL and not the query string.

I suppose I could also just look for and replace whitespace, which is
not legal in a URL anyway.

Any other thoughts or suggestions?

-chris

I would say that some proper input validation solves your problem.
Does new URL(redirectURL).toString() give an exception on invalid URLs?

Ronald.
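As an added example (written for this page, not code from the thread, from Tomcat, or from either poster), here is one way to validate a returnURL before handing it to response.sendRedirect(). It parses with java.net.URI rather than java.net.URL: URL performs very little validation beyond checking that the protocol is known, whereas URI throws URISyntaxException on characters that are illegal in a URL, such as spaces. Control characters (CR/LF included) are rejected explicitly before parsing so the check does not depend on the parser's behaviour, and the query string is passed through untouched, so "?a=1&b=2" still reaches the target page. The class name, the host name app.example.com and the inputs in main() are all constructed for this demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example, not code from the mailing-list thread: validate a
 * user-supplied "returnURL" before passing it to
 * HttpServletResponse.sendRedirect().
 *
 * Two failure modes are covered:
 *  1. header injection: a CR/LF (or any control character) in the value
 *     would terminate the Location header and let the client append
 *     further headers or a body;
 *  2. open redirect: an absolute URL for another host, a protocol-relative
 *     "//host/..." URL, or a non-HTTP scheme such as javascript:.
 *
 * The query string is left intact, so "?a=1&b=2" reaches the target page.
 */
public final class ReturnUrlValidator {

    private static final String FALLBACK = "/";

    private ReturnUrlValidator() {}

    /**
     * Returns a value that is safe to hand to sendRedirect(): either the
     * validated local path / same-host URL, or FALLBACK if anything is off.
     * expectedHost is the host name this application is served from.
     */
    public static String safeReturnUrl(String candidate, String expectedHost) {
        if (candidate == null || candidate.isEmpty()) {
            return FALLBACK;
        }
        // 1. Reject control characters outright. request.getParameter() has
        //    already decoded "%0d%0a" into a real CR LF pair by the time we
        //    see it. Backslash is refused too: browsers treat "/\host" like
        //    "//host".
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return FALLBACK;
            }
        }
        // 2. Strict parse. Unlike java.net.URL, java.net.URI throws on
        //    illegal characters such as spaces.
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        // 3. Absolute URL: only http(s), and only our own host. Comparing
        //    getHost() also defeats "http://ours@evil.example/" userinfo tricks.
        if (uri.isAbsolute()) {
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return FALLBACK;
            }
            String host = uri.getHost();
            if (host == null || !host.equalsIgnoreCase(expectedHost)) {
                return FALLBACK;
            }
            return uri.toASCIIString();
        }
        // 4. Relative URL: refuse "//other.host/..." (an authority is present)
        //    and anything that is not an absolute path on this server.
        if (uri.getRawAuthority() != null) {
            return FALLBACK;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return FALLBACK;
        }
        return uri.toASCIIString();
    }

    /** Constructed inputs for the demo; none of them come from the thread. */
    public static void main(String[] args) {
        String host = "app.example.com";   // assumed host of this application
        String[] samples = {
            "/account?tab=orders&page=2",                  // ok, query preserved
            "https://app.example.com/account?tab=orders",  // ok, same host
            "/home\r\nSet-Cookie: evil=1",                 // header injection
            "/home\nX-Injected: 1",                        // header injection
            "https://evil.example/phish",                  // open redirect
            "http://app.example.com@evil.example/",        // userinfo trick
            "//evil.example/phish",                        // protocol-relative
            "javascript:alert(1)",                         // non-HTTP scheme
            "/search?q=a b",                               // illegal space
            "account",                                     // not an absolute path
            "",                                            // empty
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-45s -> %s%n", shown, safeReturnUrl(s, host));
        }
    }
}
```

In the servlet, the call then becomes sendRedirect(response.encodeRedirectURL(ReturnUrlValidator.safeReturnUrl(request.getParameter("returnURL"), request.getServerName()))), so the value reaching the Location header has already been through both the validator and the container's own encoding. Whether to accept absolute same-host URLs at all, or only site-relative paths, is a policy choice; if only relative paths are wanted, drop step 3 and return FALLBACK for any absolute URI.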
