On 04/09/2011 12:16, Nadav Katz wrote:
> Sorry Mark, I just noticed your input regarding the filter. I am
> really only worried about attackers tampering with request headers.
> The reason is that we may have (now or in the future) code that gets
> request headers and inserts them to the response.

OK.

> Since I know I
> never expect request headers to contain any illegal characters like
> the ones you are blocking, I believe I am safe enough stripping them
> from requests without even worrying about the authenticity of the
> header. If you think there is a flaw in my logic I would be very
> happy if you could elaborate, since I am new to this world.

It is impossible for \r or \n to appear in a request header value since
those characters are used to signal the end of a header line.

> The
> specific code I posted was only for testing purposes. I was analyzing
> network traffic and kept seeing the line carriages dropped. My full
> intention was to create code that takes a header from the request and
> sets it in the response. Then I planned to send a request with said
> header manipulated with attack code (using an interceptor). Again,
> any input you might have would be welcome. Thanks Again, Nadav

I don't think the attack you are describing can possibly succeed.

Mark
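A worked illustration of the two points Mark makes, added here as example code that is not part of the thread or of Tomcat's source. It builds a request in which an attacker tries to smuggle a CRLF into a header value and runs it through a minimal HTTP/1.1 parser (an assumption standing in for the container's parser) to show that the parser sees two headers and never a value containing CR or LF. It then serializes a response carrying Nadav's attack string through a naive serializer and through one that replaces each CR and LF with a space, the neutralisation applied by the output buffer Mark links to, which is why the captured header shows two spaces where each CRLF was. The request bytes and the sanitisation rule are constructed for the demo.

```python
"""Header-splitting demo (added example, not from the thread or Tomcat).

1. A request header value cannot contain a bare CR or LF: the parser
   treats CRLF as the end of the header line, so "X-Name: alice\r\n
   X-Injected: yes" is simply two headers.
2. On the response side, copying header values verbatim lets "\r\n"
   inside a value split the response; replacing each CR and LF with a
   space (the behaviour observed in the thread) leaves one header line.
"""

# The attack string posted in the thread.
ATTACK = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n..."

# Constructed request: the attacker hopes X-Name's value will be
# "alice\r\nX-Injected: yes".
REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Name: alice\r\nX-Injected: yes\r\n"
    b"\r\n"
)


def parse_request_headers(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser (assumption): {name_lower: [values]}.

    Header lines end at CRLF, so no parsed value can contain CR or LF.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def contains_crlf(headers: dict) -> bool:
    """True if any parsed header value still carries a CR or LF."""
    return any("\r" in v or "\n" in v
               for values in headers.values() for v in values)


def sanitize_header_value(value: str) -> str:
    """Replace every CR and LF with a space, as the captured output shows."""
    return value.replace("\r", " ").replace("\n", " ")


def serialize_response(status: str, headers, sanitize: bool) -> bytes:
    """Serialize a response; with sanitize=False values are copied verbatim."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        if sanitize:
            value = sanitize_header_value(value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def response_header_lines(raw: bytes) -> list:
    """Header lines of a serialized response as a client would split them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n")[1:]


def demo() -> dict:
    """Run both sides and return the observations for inspection."""
    req = parse_request_headers(REQUEST)
    naive = response_header_lines(
        serialize_response("200 OK", [("Set-Cookie", ATTACK)], sanitize=False))
    safe = response_header_lines(
        serialize_response("200 OK", [("Set-Cookie", ATTACK)], sanitize=True))
    return {
        "request_headers": req,
        "request_value_has_crlf": contains_crlf(req),
        "naive_response_lines": naive,
        "safe_response_lines": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The naive serializer yields three header lines, one of them a forged status line; the sanitizing serializer yields a single `Set-Cookie` line whose value reads `name=Bad Hacker  HTTP/1.1 404 Page not found  ...`, matching the double spaces in the capture. On the request side the injected text simply becomes an `X-Injected` header, so a filter looking for CR or LF inside request header values has nothing to find.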

> 
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Sunday, September 04, 2011 12:58 PM
> To: Tomcat Users List
> Subject: Re: CRLF Stripped in Tomcat Response Header
> 
> On 04/09/2011 05:54, Nadav Katz wrote:
>> Hi All!
>> 
>> First, let me assure everyone that I am not a hacker, exactly the 
>> opposite, but I have a related problem. I am in the process of 
>> implementing code that protects against header manipulation. I 
>> created a filter that strips line feed and carriage return
>> characters from requests to avoid header splitting.
> 
> Something doesn't add up here. Your filter is meant to be filtering 
> requests (one wonders how it differentiates between legitimate
> headers and injected ones) yet your code is trying to inject headers
> into the response. I assume that you mean "response" when you write
> "request".
> 
>> The thing is, I want to test it, and can't recreate the issue with
>> Tomcat.
>> 
>> When I insert this code in my jsp:
>> 
>> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not 
>> found\r\n...";
>> 
>> response.setHeader("Set-Cookie", attack);
>> 
>> The returned request is returned like this:
>> 
>> 
>> 
>> Set-Cookie: author=Wiley Hacker  HTTP/1.1 404 Page not found 
>> ...\r\n
>> 
>> As you can see all the CRLF have been replaced with whitespaces.
>> I'm assuming Tomcat is doing this, but I can't find where, even
>> after looking through the code and reading the documentation.
> 
> 
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate
> 
> Line 709 onwards.
> 
>> Does anyone know anything about this?
> 
> Clearly.
> 
>> Is there any way to turn this off?
> 
> There is no configuration option to disable this, nor will one ever
> be provided. You are, of course, free to modify the source code
> locally and re-build Tomcat.
> 
>> I can't test my code when it's in place. Alternatively if anyone
>> has any other solution as to how to test it, I would be most
>> grateful.
> 
> Are you sure this is even a problem that needs fixing? Which
> containers don't already provide this filtering?
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

