Ronald,

On 3/31/2011 7:05 AM, Ronald Klop wrote:
> On Wednesday, 30 March 2011 22:12, Christopher Schultz wrote:
>>
>> response.sendRedirect(request.getParameter("returnURL"));
>>
>> Aside from not running the redirect through response.encodeRedirectURL,
>> there's another potential problem there: the user can specify a return
>> URL that breaks the HTTP response and can do some evil things. I
>> verified that I can break my own response in this way by adding "%0d%0a"
>> and then more stuff to my "returnURL" parameter and I magically escaped
>> the "Location" header of the response.
>
> I would say that some proper input validation solves your problem.
> Does new URL(redirectURL).toString() give an exception on invalid URLs?

I hadn't thought of using the URL class... I'll check that out and let you know.

Thanks,
-chris
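An added example of the input validation Ronald suggests, written as a servlet-side helper; it is not code from this thread, and the class name ReturnUrlValidator, the validate() method and the expectedHost parameter are assumptions made here. It parses with java.net.URI rather than java.net.URL because URI rejects illegal characters such as CR and LF while URL only checks structure, and it additionally refuses targets that point off-site.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example, not code from the thread: validate a "returnURL" request
 *  parameter before handing it to response.sendRedirect(). */
public final class ReturnUrlValidator {

    /** Returns the value to redirect to, or null when it must be rejected.
     *  expectedHost is the host this application is served from. */
    public static String validate(String returnUrl, String expectedHost) {
        if (returnUrl == null || returnUrl.isEmpty()) {
            return null;
        }
        // The container has already URL-decoded the parameter, so "%0d%0a" in
        // the query string arrives here as a literal CR LF. Any control
        // character is rejected: that is what lets the value escape the
        // Location header and start a new header line.
        for (int i = 0; i < returnUrl.length(); i++) {
            char c = returnUrl.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        // java.net.URI rejects illegal characters; java.net.URL only checks
        // structure, so URI is the stronger parser for validation purposes.
        URI uri;
        try {
            uri = new URI(returnUrl);
        } catch (URISyntaxException e) {
            return null;
        }
        // Accept only a path on this site, or an http(s) URL back to this host,
        // so the parameter cannot be used to send the user to another site.
        if (uri.isAbsolute()) {
            String scheme = uri.getScheme();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                return null;
            }
            if (uri.getHost() == null || !uri.getHost().equalsIgnoreCase(expectedHost)) {
                return null;
            }
        } else if (!returnUrl.startsWith("/") || returnUrl.startsWith("//")) {
            return null;
        }
        return uri.toASCIIString();
    }
}
```

In the servlet, pass request.getParameter("returnURL") and request.getServerName() to validate(), redirect to a fixed default when it returns null, and still wrap the result in response.encodeRedirectURL() as the original post notes.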