
Fixed #1480 - Mitigation of BREACH

1 parent 6e3523e commit c0eded1358793f5e1816b9337cf2351e31314179 @fmpwizard fmpwizard committed Aug 6, 2013
Showing with 24 additions and 1 deletion.
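--- a/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
+++ b/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
@@ -1536,9 +1536,32 @@ class LiftRules() extends Factory with FormVendor with LazyLoggable {
 @volatile var cometGetTimeout = 140000
 /**
+ * Set to false if you are using some other way to prevent the BREACH attack
+ */
+ val breachMitigation: FactoryMaker[Boolean] = new FactoryMaker(() => true) {}
+
+ /**
 * Compute the headers to be sent to the browser in addition to anything else that's sent
 */
- val listOfSupplimentalHeaders: FactoryMaker[List[(String, String)]] = new FactoryMaker(() => List(("X-Lift-Version", liftVersion), ("X-Frame-Options", "SAMEORIGIN"))) {}
+ val listOfSupplimentalHeaders: FactoryMaker[List[(String, String)]] = {
+ import scala.util.Random
+ /**
+ * We add 10 fake JSESSIONID strings to the header
+ * Each sessionid has a random string and random length between 10 and 25 character long
+ *
+ */
+ val numberOfFakeSessionIds = 1 to 10
+ def length = (10 to 25)(Random.nextInt(15))
+
+ def noBreachSessionIds = numberOfFakeSessionIds.foldLeft(new StringBuilder){
+ case (acc, _ ) =>
+ acc.append ( ("JSESSIONID=" + randomString(length)) + "; " + ("JSESSIONID=" + randomString(length) + "; ") ) }
+
+ new FactoryMaker(() => List(
+ ("X-Lift-Version", liftVersion), ("X-Frame-Options", "SAMEORIGIN"), ("X-NO-BREACH", noBreachSessionIds.toString())
+ )) {}
+
+ }
 @volatile var supplimentalHeaders: HTTPResponse => Unit = s => listOfSupplimentalHeaders.vend.foreach{case (k, v) => s.addHeaders(List(HTTPParam(k, v)))}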
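Review bot: The `X-NO-BREACH` header built by `noBreachSessionIds` does not change what BREACH measures, because gzip/deflate content-encoding covers only the response body and HTTP/1.1 response headers are sent uncompressed, so the compressed-body length oracle is left intact; a padding-based mitigation has to vary the length of the compressed body itself (or compression must be disabled, or the CSRF token masked per response). The new `breachMitigation` flag is never read in this hunk, and the diffstat shows no other file in the commit, so setting it to false still emits the header; the list construction should be gated, e.g. `("X-NO-BREACH", noBreachSessionIds.toString())` only when `breachMitigation.vend` is true. The comment on `length` promises 10 to 25 characters, but `(10 to 25)(Random.nextInt(15))` indexes positions 0–14 so 25 is never produced; `def length = (10 to 25)(Random.nextInt(16))` matches the comment. `randomString` and the rest of the `LiftRules` class body lie outside the hunk.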

