Prevent HTTP response splitting #3938
Conversation
|
@eddumelendez Thank you for signing the Contributor License Agreement! |
eddumelendez
changed the title
eddumelendez
force-pushed
the
gh-3910
branch
2 times, most recently
from
77e605e to
f47c6f2
Compare
There was a problem hiding this comment.
Is there a reason you made the change here? I think the best place for the change is in FirewalledResponse. You would override both setHeader and addHeader methods of HttpServletResponseWrapper
rwinch
added
the
status: waiting-for-feedback
|
@rwinch PR updated |
|
@eddumelendez Thanks for the fast response. I had something like this in mind:
@Override
public void setHeader(String name, String value) {
if (CR_OR_LF.matcher(value).find()) {
throw new IllegalArgumentException(
"Invalid characters (CR/LF) in header");
}
super.setHeader(name, value);
}
@Override
public void addHeader(String name, String value) {
if (CR_OR_LF.matcher(value).find()) {
throw new IllegalArgumentException(
"Invalid characters (CR/LF) in header");
}
super.addHeader(name, value);
}You might even extract out the validation logic. |
|
@rwinch Thanks for the hint. PR updated. |
There was a problem hiding this comment.
We need a different error message since these are not redirect locations. You could probably just change this to header since redirect location is a header.
Evaluate if http header value contains CR/LF. Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting Fixes spring-projectsgh-3910
|
@rwinch PR updated. I am also printing the header in the exception message. |
rwinch
added
in: web
|
Thanks for the PR! This is merged via 26fa4a4 |
Evaluate if http header value contains CR/LF.
Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting
Fixes gh-3910