2011/4/20 Christopher Schultz <ch...@christopherschultz.net>:
>
> I was considering scouring the URL/URI specs for exactly what characters
> are allowed but then decided that I didn't really care: I was mostly
> concerned with thwarting a response-splitting attack and avoiding \r and
> \n does that.

See HTTP spec on what is allowed in headers.

>
> This isn't intended to be an outgoing HTTP header value validator.
>
> Technically, this is over-engineered because it looks for /either/ \r
> /or/ \n, rather than \r\n which should be the only way to exploit such a
> vulnerability. :)
>

You are wrong. This way is not the only one.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
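An added example, not code from either message in this thread, of the check the reply argues for: reject any CR or LF in a header value rather than only the CRLF pair, because RFC 7230 section 3.5 allows a recipient to treat a bare LF as a line terminator, so a value containing only "\n" can still be read as two header lines by a lenient parser. The lenient line splitter here is constructed for illustration and is not Tomcat's parser; the function names are assumptions.

```python
import re

# Either control character on its own is enough to end a header line for a
# recipient that accepts bare LF (permitted by RFC 7230 section 3.5), so the
# validator rejects CR and LF individually, not just the "\r\n" pair.
CR_OR_LF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains neither CR nor LF in any combination."""
    return CR_OR_LF.search(value) is None


def split_lines_tolerant(raw: bytes) -> list[bytes]:
    """Line splitting as done by a lenient HTTP recipient: a bare LF ends a
    line, and a preceding CR (if any) is stripped. Constructed for this
    example; real parsers differ in detail but many share this tolerance."""
    return [line.rstrip(b"\r") for line in raw.split(b"\n")]


def header_lines_seen(name: str, value: str) -> int:
    """Number of header lines a lenient recipient would see for one header
    field built from (name, value). Anything above 1 means the value broke
    out of its own line, which is exactly what the validator prevents."""
    raw = f"{name}: {value}".encode("latin-1")
    return len([line for line in split_lines_tolerant(raw) if line])


if __name__ == "__main__":
    # Constructed sample values; the second line is deliberately benign.
    for sample in ("text/html; charset=UTF-8", "a\r\nFoo: bar", "a\nFoo: bar", "a\rb"):
        print(repr(sample), "safe:", is_safe_header_value(sample),
              "lines seen:", header_lines_seen("Content-Type", sample))
```

A value with a lone "\n" fails the validator and would be seen as two lines by the tolerant splitter, which is why checking for "\r\n" alone is not sufficient.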