Sebb,

Just saw your response from a few weeks back... (and responded directly instead of to the list.. it's been a long day).

On 4/1/2011 6:16 PM, sebb wrote:
> I may be missing something here, but can't you use the ctor:
>
> URL(URL context, String spec)
>
> and pass in a dummy context with a suitable protocol?

Maybe. The URL may or may not be fully-qualified, relative, etc. I'm leaning more towards just protecting against control characters in a header: there's no need to do a complete URL-parse to check for response splitting.

A simple filter that wraps the response and overrides either sendRedirect or setHeader(String, String) should do it. I'd have to check to see how the two interact... whether calling sendRedirect on a wrapped response will also set the header on the wrapped response or set the header at a higher level where the wrapper won't get called.

I'll post whatever I come up with.

Thanks,
-chris
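
The filter described in the message above, sketched as an added example; it is not part of the original message and is not code from the poster or from Tomcat. It assumes the javax.servlet API; the names HeaderControlCharFilter and SafeResponse are hypothetical. The wrapper overrides sendRedirect, setHeader and addHeader together, so the check applies whichever of them the application calls.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: refuses response headers that contain control characters.
public class HeaderControlCharFilter implements Filter {

    // True for CR, LF and every other ASCII control character (tab and DEL included;
    // rejecting tab is a strictness choice made for this example).
    static boolean hasControlChars(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f) return true;
        }
        return false;
    }

    static class SafeResponse extends HttpServletResponseWrapper {
        SafeResponse(HttpServletResponse response) { super(response); }

        // Fails closed: the header is never passed on to the real response.
        private static String check(String what, String value) {
            if (hasControlChars(value)) {
                throw new IllegalArgumentException("Control character in " + what);
            }
            return value;
        }
        @Override public void setHeader(String name, String value) {
            super.setHeader(check("header name", name), check("header value", value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(check("header name", name), check("header value", value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(check("redirect location", location));
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses carry headers; anything else passes through unwrapped.
        if (res instanceof HttpServletResponse) {
            res = new SafeResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }
}
```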