Konstantin,

On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz <ch...@christopherschultz.net>:
>>
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrapper class.
>>
>> For those interested, see below for the implementation I came up with.
>>
>
>>         if(containsCRorLF(value))
>>             throw new IllegalArgumentException("Header value must not contain CR or LF characters");
>
> It would be better to check that all characters are correct ones rather
> than check for two specific incorrect characters.
>
> Checking for \r \n only might be not enough. Though that depends on
> where the value comes from.

I was considering scouring the URL/URI specs for exactly what characters
are allowed but then decided that I didn't really care: I was mostly
concerned with thwarting a response-splitting attack and avoiding \r and
\n does that. This isn't intended to be an outgoing HTTP header value
validator.

Technically, this is over-engineered because it looks for /either/ \r
/or/ \n, rather than \r\n which should be the only way to exploit such
a vulnerability. :)

-chris