On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
>
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.
Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".
> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
>
> When I insert this code in my jsp:
>
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not
> found\r\n...";
>
> response.setHeader("Set-Cookie", attack);
>
> The returned request is returned like this:
>
>
>
> Set-Cookie: author=Wiley Hacker HTTP/1.1 404 Page not found
> ...\r\n
>
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
Line 709 onwards.
> Does anyone know anything about this?
Clearly.
> Is there any way to turn this off?
There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.
> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.
Are you sure this is even a problem that needs fixing? Which containers
don't already provide this filtering?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
