Conversation

eddumelendez
Contributor

Evaluate if HTTP header value contains CR/LF.

Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting

Fixes gh-3910

@pivotal-issuemaster

@eddumelendez Thank you for signing the Contributor License Agreement!

@eddumelendez eddumelendez changed the title from "Prevent HTTP responde splitting" to "Prevent HTTP response splitting" Jun 19, 2016
@eddumelendez eddumelendez force-pushed the gh-3910 branch 2 times, most recently from 77e605e to f47c6f2 Compare June 19, 2016 14:04
@rwinch rwinch added this to the 4.2.0 M1 milestone Jun 20, 2016
```java
 */
public abstract class OnCommittedResponseWrapper extends HttpServletResponseWrapper {

    private static final String CR_OR_LF = "\r\n";
```
Member


Is there a reason you made the change here? I think the best place for the change is in FirewalledResponse. You would override both setHeader and addHeader methods of HttpServletResponseWrapper

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Jun 21, 2016
@eddumelendez
Contributor Author

@rwinch PR updated

@rwinch
Member

rwinch commented Jun 21, 2016

@eddumelendez Thanks for the fast response. I had something like this in mind:

> You would override both setHeader and addHeader methods of HttpServletResponseWrapper

```java
@Override
public void setHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.setHeader(name, value);
}

@Override
public void addHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.addHeader(name, value);
}
```

You might even extract out the validation logic.
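The approach suggested in the two review comments above (override setHeader and addHeader, reject any CR or LF in the value, and extract the check into one helper), as an added, self-contained example. This is not Spring Security's FirewalledResponse nor code from the PR author: the class names CrlfHeaderGuardDemo and FirewalledResponseDemo, the small Response interface standing in for javax.servlet.http.HttpServletResponse, and the regex `\r|\n` are all assumptions made here so the example runs without the servlet API on the classpath (the PR only shows the `CR_OR_LF.matcher(value).find()` call, not the final pattern).

```java
import java.util.regex.Pattern;

/**
 * Added example (not Spring Security's code): the CR/LF header check from
 * the PR discussion, extracted into one helper and applied from a wrapper
 * that validates before delegating, the way an HttpServletResponseWrapper
 * subclass would call super.setHeader / super.addHeader.
 */
public class CrlfHeaderGuardDemo {

    // Assumed pattern: a bare CR or a bare LF is enough to end the current
    // header line, so each is rejected on its own, not only the CRLF pair.
    private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");

    /** Throws if the value could split the response; otherwise returns it unchanged. */
    static String validateCrlf(String name, String value) {
        if (value != null && CR_OR_LF.matcher(value).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in header " + name);
        }
        return value;
    }

    /** Minimal stand-in for the servlet response (assumption for this demo). */
    interface Response {
        void setHeader(String name, String value);
        void addHeader(String name, String value);
    }

    /** Stand-in for a firewalled response wrapper: validate, then delegate. */
    static class FirewalledResponseDemo implements Response {
        private final Response delegate;

        FirewalledResponseDemo(Response delegate) {
            this.delegate = delegate;
        }

        @Override
        public void setHeader(String name, String value) {
            validateCrlf(name, value);
            delegate.setHeader(name, value);
        }

        @Override
        public void addHeader(String name, String value) {
            validateCrlf(name, value);
            delegate.addHeader(name, value);
        }
    }

    public static void main(String[] args) {
        // Records what would be serialised onto the wire if no check were in place.
        StringBuilder wire = new StringBuilder();
        Response raw = new Response() {
            public void setHeader(String n, String v) {
                wire.append(n).append(": ").append(v).append("\r\n");
            }
            public void addHeader(String n, String v) {
                setHeader(n, v);
            }
        };
        Response firewalled = new FirewalledResponseDemo(raw);

        firewalled.setHeader("Location", "/home");            // accepted
        firewalled.addHeader("Cache-Control", "no-store");    // accepted

        // Constructed tainted value: the CR LF inside it would terminate the
        // Location line and let the remainder be parsed as a second header.
        // The guard rejects it before anything reaches the delegate.
        String tainted = "/home\r\nX-Injected: 1";
        try {
            firewalled.setHeader("Location", tainted);
            System.out.println("BUG: tainted value reached the response");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        System.out.print("Headers actually written:\n" + wire);
    }
}
```

Compile and run with `javac CrlfHeaderGuardDemo.java && java CrlfHeaderGuardDemo`; the two clean headers are written and the tainted Location is rejected with the header name in the message, matching the later review request to name the header rather than say "redirect location". Matching CR and LF separately rather than only the `\r\n` pair is deliberate: many HTTP parsers accept a bare LF as a line terminator, so a check for the pair alone would still let a split through.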

@eddumelendez
Contributor Author

@rwinch Thanks for the hint. PR updated.

```java
    }

    private void validateCRLF(String value) {
        if (CR_OR_LF.matcher(value).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in redirect location");
```
Member


We need a different error message since these are not redirect locations. You could probably just change this to header since redirect location is a header.

@eddumelendez
Contributor Author

@rwinch PR updated. I am also printing the header in the exception message.

@rwinch rwinch self-assigned this Jul 7, 2016
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-feedback We need additional information before we can continue labels Jul 7, 2016
@rwinch
Member

rwinch commented Jul 7, 2016

Thanks for the PR! This is merged via 26fa4a4

@rwinch rwinch closed this Jul 7, 2016
@rwinch rwinch added the status: duplicate A duplicate of another issue label Sep 20, 2016
Linked issue closed by this pull request: HTTP response splitting attack prevention