Sorry Mark, I just noticed your input regarding the filter. I am really only worried about attackers tampering with request headers. The reason is that we may have (now or in the future) code that gets request headers and inserts them to the response. Since I know I never expect request headers to contain any illegal characters like the ones you are blocking, I believe I am safe enough stripping them from requests without even worrying about the authenticity of the header. If you think there is a flaw in my logic I would be very happy if you could elaborate, since I am new to the this world. The specific code I posted was only for testing purposes. I was analyzing network traffic and kept seeing the line carriages dropped. My full intention was to create code that takes a header from the request and sets it in the response. Then I planned to send a request with said header manipulated with attack code (using an interceptor). Again, any input you might have would be welcome. Thanks Again, Nadav
-----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: Sunday, September 04, 2011 12:58 PM To: Tomcat Users List Subject: Re: CRLF Stripped in Tomcat Response Header On 04/09/2011 05:54, Nadav Katz wrote: > Hi All! > > First, let me assure everyone that I am not a hacker, exactly the > opposite, but I have a related problem. I am in the process of > implementing code that protects against header manipulation. I > created a filter that strips line feed and carriage return characters > from requests to avoid header splitting. Something doesn't add up here. Your filter is meant to be filtering requests (one wonders how it differentiates between legitimate headers and injected ones) yet your code is trying to inject headers into the response. I assume that you mean "response" when you write "request". > The thing is, I want to test > it, and can't recreate the issue with Tomcat. > > When I insert this code in my jsp: > > String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not > found\r\n..."; > > response.setHeader("Set-Cookie", attack); > > The returned request is returned like this: > > > > Set-Cookie: author=Wiley Hacker HTTP/1.1 404 Page not found > ...\r\n > > As you can see all the CRLF have been replaced with whitespaces. I'm > assuming Tomcat is doing this, but I can't find where, even after > looking through the code and reading the documentation. http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate Line 709 onwards. > Does anyone know anything about this? Clearly. > Is there any way to turn this off? There is no configuration option to disable this, nor will one ever be provided. You are, of course, free to modify the source code locally and re-build Tomcat. > I can't test my code when it's in place. Alternatively if anyone has any > other solution as to how to test it, I would be most grateful. Are you sure this is even a problem that needs fixing? Which containers don't already provide this filtering? Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
