Thanks a lot for the reply Mark. I agree with you that it probably exists in most (if not all) containers, but we (I..) are forced to provide our own implementation as well. Thanks again for your help!
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Sunday, September 04, 2011 12:58 PM
To: Tomcat Users List
Subject: Re: CRLF Stripped in Tomcat Response Header

On 04/09/2011 05:54, Nadav Katz wrote:
> Hi All!
>
> First, let me assure everyone that I am not a hacker, exactly the
> opposite, but I have a related problem. I am in the process of
> implementing code that protects against header manipulation. I
> created a filter that strips line feed and carriage return characters
> from requests to avoid header splitting.

Something doesn't add up here. Your filter is meant to be filtering
requests (one wonders how it differentiates between legitimate headers
and injected ones) yet your code is trying to inject headers into the
response. I assume that you mean "response" when you write "request".

> The thing is, I want to test
> it, and can't recreate the issue with Tomcat.
>
> When I insert this code in my jsp:
>
> String attack = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";
>
> response.setHeader("Set-Cookie", attack);
>
> The returned request is returned like this:
>
> Set-Cookie: author=Wiley Hacker HTTP/1.1 404 Page not found
> ...\r\n
>
> As you can see all the CRLF have been replaced with whitespaces. I'm
> assuming Tomcat is doing this, but I can't find where, even after
> looking through the code and reading the documentation.

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=annotate

Line 709 onwards.

> Does anyone know anything about this?

Clearly.

> Is there any way to turn this off?

There is no configuration option to disable this, nor will one ever be
provided. You are, of course, free to modify the source code locally and
re-build Tomcat.

> I can't test my code when it's in place. Alternatively if anyone has any
> other solution as to how to test it, I would be most grateful.

Are you sure this is even a problem that needs fixing?
Which containers don't already provide this filtering?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
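
An added example (not code from this thread or from Tomcat): one way to test a CR/LF-stripping wrapper in isolation, so the result does not depend on the container's own header sanitising. `HeaderSink`, `SanitizingSink` and `RecordingSink` are hypothetical names; `HeaderSink` is an assumed stand-in for the header methods of `HttpServletResponse` so the block runs with the JDK alone.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderSanitizerDemo {

    /** Hypothetical stand-in for the header methods of HttpServletResponse. */
    interface HeaderSink {
        void setHeader(String name, String value);
    }

    /** Replaces CR and LF with a space, the behaviour the thread reports seeing. */
    static String stripCrLf(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            out.append(c == '\r' || c == '\n' ? ' ' : c);
        }
        return out.toString();
    }

    /** Wrapper a filter would install around the real response (assumed design). */
    static final class SanitizingSink implements HeaderSink {
        private final HeaderSink delegate;
        SanitizingSink(HeaderSink delegate) { this.delegate = delegate; }
        @Override public void setHeader(String name, String value) {
            delegate.setHeader(stripCrLf(name), stripCrLf(value));
        }
    }

    /** Records what would reach the container, before any container-side stripping. */
    static final class RecordingSink implements HeaderSink {
        final Map<String, String> headers = new LinkedHashMap<>();
        @Override public void setHeader(String name, String value) { headers.put(name, value); }
    }

    public static void main(String[] args) {
        // Constructed input modelled on the string quoted in the thread.
        String value = "name=Bad Hacker\r\nHTTP/1.1 404 Page not found\r\n...";
        RecordingSink recorder = new RecordingSink();
        new SanitizingSink(recorder).setHeader("Set-Cookie", value);

        String seen = recorder.headers.get("Set-Cookie");
        if (seen.indexOf('\r') >= 0 || seen.indexOf('\n') >= 0) {
            throw new AssertionError("CR/LF reached the container: " + seen);
        }
        System.out.println("Set-Cookie: " + seen);
    }
}
```

In a real filter the same `stripCrLf` call would sit in a wrapper around the response object, and the recording stub would be replaced by a mock of the servlet response in the unit test.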