From 5c4596a0c58f380c72b71397a58bc1dcbdedc301 Mon Sep 17 00:00:00 2001 From: David Christensen Date: Mon, 22 Mar 2010 17:29:22 -0500 Subject: [PATCH] Fix "HTTP Response Splitting" security exploit Discovery and patch from Justin Otten : Added new method to Util.pm for scrubbing newlines from header data. Updated all discovered instances of the use of the "Location" header ran the URL through the routine. --- code/SystemTag/deliver.coretag | 4 ++++ lib/Vend/Error.pm | 2 ++ lib/Vend/Parse.pm | 3 +++ lib/Vend/Util.pm | 11 +++++++++++ 4 files changed, 20 insertions(+) diff --git a/code/SystemTag/deliver.coretag b/code/SystemTag/deliver.coretag index c4a2f53c1..e7295d7ab 100644 --- a/code/SystemTag/deliver.coretag +++ b/code/SystemTag/deliver.coretag @@ -32,6 +32,10 @@ sub { ## This is a bounce, returns if($opt->{location}) { + $type = Vend::Util::header_data_scrub($type); + $opt->{status} = Vend::Util::header_data_scrub($opt->{status}); + $opt->{location} = Vend::Util::header_data_scrub($opt->{location}); + $type and $Tag->tag( { op => 'header', name => 'Content-Type', diff --git a/lib/Vend/Error.pm b/lib/Vend/Error.pm index d2c4f0f1f..6dd700cf5 100644 --- a/lib/Vend/Error.pm +++ b/lib/Vend/Error.pm @@ -56,6 +56,8 @@ sub get_locale_message { } if($message !~ /\s/) { if($message =~ /^http:/) { + $message = header_data_scrub($message); + $Vend::StatusLine =~ s/([^\r\n])$/$1\r\n/; $Vend::StatusLine .= "Status: 302 Moved\r\nLocation: $message\r\n"; $message = "Redirected to $message."; diff --git a/lib/Vend/Parse.pm b/lib/Vend/Parse.pm index 0ce98cfee..0c15f5713 100644 --- a/lib/Vend/Parse.pm +++ b/lib/Vend/Parse.pm @@ -764,6 +764,9 @@ sub start { if(! $attr->{href} and $attr->{page}) { $attr->{href} = Vend::Interpolate::tag_area($attr->{page}); } + + $attr->{href} = header_data_scrub($attr->{href}); + $Vend::StatusLine = '' if ! $Vend::StatusLine; $Vend::StatusLine .= "\n" if $Vend::StatusLine !~ /\n$/; $Vend::StatusLine .= <{target}; 
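Review bot: The scrub is applied per call site — here to `$type`, `$opt->{status}` and `$opt->{location}` before `$Tag->tag({ op => 'header', ... })`, and likewise to `$message` in the Error.pm hunk and `$attr->{href}` in the Parse.pm hunk — so any header-emitting path that the audit behind "all discovered instances" missed stays exposed. If the `header` tag op is the common sink for these values, applying `header_data_scrub` once inside it (and where `$Vend::StatusLine` is assembled) would protect every caller without depending on a list of call sites. The call style is also inconsistent: this file uses the fully qualified `Vend::Util::header_data_scrub(...)` while Error.pm and Parse.pm call bare `header_data_scrub(...)`, which only resolves if the name is in `@EXPORT` rather than `@EXPORT_OK` and those modules import it — worth confirming. The enclosing anonymous `sub {` of this tag begins before the hunk.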
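Review bot: The heredoc appended to `$Vend::StatusLine` at the end of this hunk is truncated on this page (`<{target};`), but it appears to interpolate `$attr->{target}` next to the scrubbed `$attr->{href}`; if `target` also ends up on a header line it is the same injection vector and needs `header_data_scrub` as well. When neither `href` nor `page` is set, `$attr->{href}` reaches the scrub as undef, which raises an uninitialized-value warning in the substitution and presumably leaves an empty Location value; a guard such as `return unless defined $attr->{href};` (or undef handling inside the scrub itself) would be cleaner. The enclosing `sub start` begins before this hunk and continues after it.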
diff --git a/lib/Vend/Util.pm b/lib/Vend/Util.pm
index 63998fb95..b4dbea01a 100644
--- a/lib/Vend/Util.pm
+++ b/lib/Vend/Util.pm
@@ -46,6 +46,7 @@ require Exporter;
 generate_key
 get_option_hash
 hash_string
+ header_data_scrub
 hexify
 is_hash
 is_no
@@ -2122,6 +2123,16 @@ sub codedef_options {
 return \@out;
 }
+sub header_data_scrub {
+ my ($head_data) = @_;
+
+ ## "HTTP Response Splitting" Exploit Fix
+ ## http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
+ $head_data =~ s/(?:%0[da]|[\r\n]+)+//ig;
+
+ return $head_data;
+}
+
 ### Provide stubs for former Vend::Util functions relocated to Vend::File
 *canonpath = \&Vend::File::canonpath;
 *catdir = \&Vend::File::catdir;
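Review bot: `header_data_scrub` runs `s/(?:%0[da]|[\r\n]+)+//ig` on `$head_data` with no defined check, and at least one new caller (`$opt->{status}` in deliver.coretag, which may well be unset) can pass undef, producing an uninitialized-value warning on every such request; add `return $head_data unless defined $head_data;` before the substitution. Silently deleting the sequences also hides the attempts: when the substitution returns a non-zero count, log it through the module's error logger (`::logError`, if that is the project's convention) so injection probes show up in the logs. The `##` comment would help callers if it said that the function strips only raw CR/LF and single-level `%0d`/`%0a` encodings and performs no other validation, so it is understood as a header-injection mitigation rather than a URL validator. The first hunk in this file only adds the name to the export list; whether that list is `@EXPORT` or `@EXPORT_OK` decides whether the bare calls in Error.pm and Parse.pm resolve at runtime.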