Prevent HTTP response splitting #3938
@eddumelendez Thank you for signing the Contributor License Agreement!
Compare 77e605e to f47c6f2
```java
 */
public abstract class OnCommittedResponseWrapper extends HttpServletResponseWrapper {

    private static final String CR_OR_LF = "\r\n";
```
Is there a reason you made the change here? I think the best place for the change is in FirewalledResponse. You would override both setHeader and addHeader methods of HttpServletResponseWrapper.
@rwinch PR updated
@eddumelendez Thanks for the fast response. I had something like this in mind:

```java
// CR_OR_LF here is a java.util.regex.Pattern matching a CR or LF character
@Override
public void setHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.setHeader(name, value);
}

@Override
public void addHeader(String name, String value) {
    if (CR_OR_LF.matcher(value).find()) {
        throw new IllegalArgumentException(
                "Invalid characters (CR/LF) in header");
    }
    super.addHeader(name, value);
}
```

You might even extract out the validation logic.
@rwinch Thanks for the hint. PR updated.
```java
    }

    private void validateCRLF(String value) {
        if (CR_OR_LF.matcher(value).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in redirect location");
```
We need a different error message since these are not redirect locations. You could probably just change this to header since redirect location is a header.
Evaluate if http header value contains CR/LF.
Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting
Fixes gh-3910
@rwinch PR updated. I am also printing the header in the exception message.
Thanks for the PR! This is merged via 26fa4a4
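As an added illustration (not code from this PR or from Spring Security), a self-contained Java sketch of the check the PR introduces, with a minimal stand-in for the servlet response so the effect of an unvalidated CR/LF header value on the wire format is visible. `HeaderCrlfDemo`, `Response` and the constructed `X-Injected` value are assumptions of this example; `CR_OR_LF` is taken to be a `Pattern`, as in the reviewer's snippet.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Spring Security code: the CR/LF header check this PR puts in
// FirewalledResponse, applied to a minimal response model so the effect is visible.
public class HeaderCrlfDemo {
    // Same rule as the PR: any CR or LF anywhere in a header value is rejected.
    private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");

    static void validateCrlf(String name, String value) {
        if (value != null && CR_OR_LF.matcher(value).find()) {
            throw new IllegalArgumentException(
                    "Invalid characters (CR/LF) in header " + name + ": " + value);
        }
    }

    // Stand-in for HttpServletResponse: collects headers, then writes them as a container would.
    static final class Response {
        private final Map<String, String> headers = new LinkedHashMap<>();
        private final boolean firewalled;

        Response(boolean firewalled) { this.firewalled = firewalled; }

        void setHeader(String name, String value) {
            if (firewalled) {  // FirewalledResponse behaviour after this PR
                validateCrlf(name, value);
            }
            headers.put(name, value);
        }

        String serialize() {  // "Name: value\r\n" per header, blank line ends the head
            StringBuilder sb = new StringBuilder("HTTP/1.1 302 Found\r\n");
            headers.forEach((n, v) -> sb.append(n).append(": ").append(v).append("\r\n"));
            return sb.append("\r\n").toString();
        }
    }

    public static void main(String[] args) {
        // Constructed untrusted redirect target with an embedded CRLF.
        String tainted = "/home\r\nX-Injected: yes";

        Response plain = new Response(false);
        plain.setHeader("Location", tainted);
        System.out.println(plain.serialize());  // shows a header line the app never set

        Response firewalled = new Response(true);
        try {
            firewalled.setHeader("Location", tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```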