antville/helma
antville/helma
1
1
Fork 0
Code Issues 5 Pull requests 5 Projects Releases 5 Activity Actions

* Prevent response splitting vulnerability reported by Paul Alexandrow

Browse source 
on helma-dev: Also fix res.setCookie() and add comments.
This commit is contained in:
hns 2007-11-13 14:30:05 +00:00
parent 2721d55139
commit ae83283fc5
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/helma/framework/ResponseTrans.java
View file

@ -442,6 +442,7 @@ public final class ResponseTrans extends Writer implements Serializable {
* @throws RedirectException ... * @throws RedirectException ...
*/ */
public void redirect(String url) throws RedirectException { public void redirect(String url) throws RedirectException {
// remove newline chars to prevent response splitting attack
redir = url == null ? redir = url == null ?
null : url.replaceAll("[\r\n]", ""); null : url.replaceAll("[\r\n]", "");
throw new RedirectException(redir); throw new RedirectException(redir);
@ -464,6 +465,7 @@ public final class ResponseTrans extends Writer implements Serializable {
* @throws RedirectException ... * @throws RedirectException ...
*/ */
public void forward(String url) throws RedirectException { public void forward(String url) throws RedirectException {
// remove newline chars to prevent response splitting attack
forward = url == null ? forward = url == null ?
null : url.replaceAll("[\r\n]", ""); null : url.replaceAll("[\r\n]", "");
throw new RedirectException(forward); throw new RedirectException(forward);
@ -925,6 +927,11 @@ public final class ResponseTrans extends Writer implements Serializable {
c = (CookieTrans) cookies.get(key); c = (CookieTrans) cookies.get(key);
} }
// remove newline chars to prevent response splitting attack
if (value != null) {
value = value.replaceAll("[\r\n]", "");
}
if (c == null) { if (c == null) {
c = new CookieTrans(key, value); c = new CookieTrans(key, value);
cookies.put(key, c); cookies.put(key, c);