Skip to content

Prevent HTTP response splitting #3938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Prevent HTTP response splitting #3938

wants to merge 1 commit into from

Conversation

eddumelendez
Copy link
Contributor

Evaluate if http header value contains CR/LF.

Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting

Fixes gh-3910

@pivotal-issuemaster
Copy link

@eddumelendez Thank you for signing the Contributor License Agreement!

@eddumelendez eddumelendez changed the title Prevent HTTP responde splitting Prevent HTTP response splitting Jun 19, 2016
@eddumelendez eddumelendez force-pushed the gh-3910 branch 2 times, most recently from 77e605e to f47c6f2 Compare June 19, 2016 14:04
@rwinch rwinch added this to the 4.2.0 M1 milestone Jun 20, 2016
rwinch
rwinch reviewed Jun 21, 2016
View reviewed changes
web/src/main/java/org/springframework/security/web/util/OnCommittedResponseWrapper.java
*/
public abstract class OnCommittedResponseWrapper extends HttpServletResponseWrapper {

private static final String CR_OR_LF = "\r\n";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason you made the change here? I think the best place for the change is in FirewalledResponse. You would override both setHeader and addHeader methods of HttpServletResponseWrapper

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Jun 21, 2016
@eddumelendez
Copy link
Contributor Author

@rwinch PR updated

@rwinch
Copy link
Member

rwinch commented Jun 21, 2016
edited
Loading

@eddumelendez Thanks for the fast response. I had something like this in mind:

You would override both setHeader and addHeader methods of HttpServletResponseWrapper

@Override
public void setHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.setHeader(name, value);
}

@Override
public void addHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.addHeader(name, value);
}

You might even extract out the validation logic.

@eddumelendez
Copy link
Contributor Author

@rwinch Thanks for the hint. PR updated.

rwinch
rwinch reviewed Jun 21, 2016
View reviewed changes
web/src/main/java/org/springframework/security/web/firewall/FirewalledResponse.java
}

private void validateCRLF(String value) {
if (CR_OR_LF.matcher(value).find()) {
throw new IllegalArgumentException(
"Invalid characters (CR/LF) in redirect location");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a different error message since these are not redirect locations. You could probably just change this to header since redirect location is a header.

@eddumelendez
Copy link
Contributor Author

@rwinch PR updated. I am also printing the header in the exception message.

@mp911de mp911de mentioned this pull request Jun 22, 2016
Closed
@rwinch rwinch self-assigned this Jul 7, 2016
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-feedback We need additional information before we can continue labels Jul 7, 2016
@rwinch
Copy link
Member

rwinch commented Jul 7, 2016

Thanks for the PR! This is merged via 26fa4a4

@rwinch rwinch closed this Jul 7, 2016
@rwinch rwinch added the status: duplicate A duplicate of another issue label Sep 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
4.2.0 M1
Development

Successfully merging this pull request may close these issues.

HTTP response splitting attack prevention
3 participants
@eddumelendez @pivotal-issuemaster @rwinch