Prevent HTTP response splitting #3938

Closed
eddumelendez (Contributor) commented Jun 19, 2016

Evaluate if http header value contains CR/LF.

Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting

Fixes gh-3910


@eddumelendez eddumelendez changed the title from Prevent HTTP responde splitting to Prevent HTTP response splitting Jun 19, 2016

@rwinch rwinch added this to the 4.2.0 M1 milestone Jun 20, 2016

*/
public abstract class OnCommittedResponseWrapper extends HttpServletResponseWrapper {
+ private static final String CR_OR_LF = "\r\n";
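Review bot: CR_OR_LF is declared here as a String holding "\r\n", but the validation proposed and adopted further down calls CR_OR_LF.matcher(value).find(), which needs a java.util.regex.Pattern, and a literal "\r\n" would in any case only catch the CRLF pair and let a lone CR or a lone LF through. Suggest `private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");` together with the import of java.util.regex.Pattern.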

rwinch (Member) commented Jun 21, 2016

Is there a reason you made the change here? I think the best place for the change is in FirewalledResponse. You would override both setHeader and addHeader methods of HttpServletResponseWrapper

eddumelendez (Contributor) commented Jun 21, 2016

@rwinch PR updated

rwinch (Member) commented Jun 21, 2016

@eddumelendez Thanks for the fast response. I had something like this in mind:

You would override both setHeader and addHeader methods of HttpServletResponseWrapper

@Override
public void setHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.setHeader(name, value);
}

@Override
public void addHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.addHeader(name, value);
}

You might even extract out the validation logic.
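An added example (not Spring Security's own code) that puts the weak check next to the strict one: the PR's first revision declared CR_OR_LF as the String "\r\n", which only matches the CRLF pair, whereas the Pattern that rwinch's snippet assumes also catches a lone CR or a lone LF. The class and method names and the sample values are constructed for this example, and the null guard is an addition beyond the snippet above.

```java
import java.util.regex.Pattern;

// Constructed for this example; not Spring Security's own code.
public final class HeaderValueCheck {

    // Weak form from the PR's first revision: a String literal only
    // detects the exact CRLF pair.
    private static final String CRLF_LITERAL = "\r\n";

    // Strict form assumed by the snippet above: any CR or LF is detected.
    private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");

    static boolean weakRejects(String value) {
        return value != null && value.contains(CRLF_LITERAL);
    }

    // Mirrors the PR's validateCRLF(), with the header name in the message
    // and a null guard: Pattern.matcher(null) would throw NullPointerException.
    static void validate(String name, String value) {
        if (value != null && CR_OR_LF.matcher(value).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in header " + name);
        }
    }

    static boolean strictRejects(String name, String value) {
        try {
            validate(name, value);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the bare CR and bare LF cases are the
        // ones the literal "\r\n" check lets through.
        String[] samples = { "text/html", "a\r\nb", "a\rb", "a\nb", null };
        for (String v : samples) {
            String shown = v == null ? "null"
                    : v.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-10s weak=%-5s strict=%s%n",
                    shown, weakRejects(v), strictRejects("X-Test", v));
        }
    }
}
```

Running it shows that "a\rb" and "a\nb" pass the weak check but are rejected by the strict one, while a null value is passed through untouched rather than crashing the check.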

eddumelendez (Contributor) commented Jun 21, 2016

@rwinch Thanks for the hint. PR updated.

+ }
+
+ private void validateCRLF(String value) {
+ if (CR_OR_LF.matcher(value).find()) {
throw new IllegalArgumentException(
"Invalid characters (CR/LF) in redirect location");

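Review bot: validateCRLF hands value straight to CR_OR_LF.matcher(value), so a null header value now fails with a NullPointerException before it reaches super.setHeader/addHeader, where containers generally treat a null value as a no-op; guard it with `if (value != null && CR_OR_LF.matcher(value).find())`. The message "Invalid characters (CR/LF) in redirect location" is also misleading now that this method validates every header value, so "in header" (ideally naming the header) fits better.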
rwinch (Member) commented Jun 21, 2016

We need a different error message since these are not redirect locations. You could probably just change this to header since redirect location is a header.

Prevent HTTP response splitting
Evaluate if http header value contains CR/LF.

Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting

Fixes gh-3910
eddumelendez (Contributor) commented Jun 21, 2016

@rwinch PR updated. I am also printing the header in the exception message.

@mp911de mp911de referenced this pull request in pivotalsoftware/pivotal-cla Jun 22, 2016: Streamline PR comments #109 (Closed)

@rwinch rwinch self-assigned this Jul 7, 2016

rwinch (Member) commented Jul 7, 2016

Thanks for the PR! This is merged via 26fa4a4

@rwinch rwinch closed this Jul 7, 2016

@rwinch rwinch added the duplicate label Sep 20, 2016
