* Prevent response splitting vulnerability reported by Paul Alexandrow

on helma-dev: Also fix res.setCookie() and add comments.
2007-11-13 14:30:05 +00:00 · 2007-11-13 14:30:05 +00:00 · ae83283fc5
commit ae83283fc5
parent 2721d55139
1 changed files with 7 additions and 0 deletions
--- a/src/helma/framework/ResponseTrans.java
+++ b/src/helma/framework/ResponseTrans.java
@ -442,6 +442,7 @@ public final class ResponseTrans extends Writer implements Serializable {
     * @throws RedirectException ...
     */
    public void redirect(String url) throws RedirectException {
+        // remove newline chars to prevent response splitting attack
        redir = url == null ?
                null : url.replaceAll("[\r\n]", "");
        throw new RedirectException(redir);
@ -464,6 +465,7 @@ public final class ResponseTrans extends Writer implements Serializable {
     * @throws RedirectException ...
     */
    public void forward(String url) throws RedirectException {
+        // remove newline chars to prevent response splitting attack
        forward = url == null ?
                null : url.replaceAll("[\r\n]", "");
        throw new RedirectException(forward);
@ -925,6 +927,11 @@ public final class ResponseTrans extends Writer implements Serializable {
            c = (CookieTrans) cookies.get(key);
        }

+        // remove newline chars to prevent response splitting attack
+        if (value != null) {
+            value = value.replaceAll("[\r\n]", "");
+        }
+
        if (c == null) {
            c = new CookieTrans(key, value);
            cookies.put(key, c);