-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ronald,
On 3/31/2011 7:05 AM, Ronald Klop wrote:
> Op woensdag, 30 maart 2011 22:12 schreef Christopher Schultz
>>
>> response.sendRedirect(request.getParameter("returnURL"));
>>
>> Aside from not running the redirect through response.encodeRedirectURL,
>> there's another potential problem, there: the user can specify a return
>> URL that breaks the HTTP response and can do some evil things. I
>> verified that I can break my own response in this way by adding "%0d%0a"
>> and then more stuff to my "returnURL" parameter and I magically escaped
>> the "Location" header of the response.
>
> I would say that some proper input validation solves your problem.
> Does new URL(redirectURL).toString() give an exception on invalid url's?
I hadn't thought of using the URL class... I'll check that out and let
you know.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2UjbsACgkQ9CaO5/Lv0PBE7QCfV77tnlhrugrclpMnbCcgtXXf
NkQAmwSVAposD625LWo253f6Au3rxaKr
=tOxL
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
