You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tapestry.apache.org by "Paul Rehrl (JIRA)" <ji...@apache.org> on 2010/02/23 15:56:28 UTC
[jira] Issue Comment Edited: (TAP5-1004) X-Tapestry-ErrorMessage
may lead to HTTP Response Splitting
[ https://issues.apache.org/jira/browse/TAP5-1004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837263#action_12837263 ]
Paul Rehrl edited comment on TAP5-1004 at 2/23/10 2:56 PM:
-----------------------------------------------------------
A blank line (2 '\n') separates the body from the HTTP Header. Therefore one is able to provide the error document and start a whole new HTTP header.
I think the error message should be URL encoded (http://en.wikipedia.org/wiki/Percent-encoding). URL encoding leaves no problematic characters and the Javascript function unescape() will decode it.
was (Author: prehrl):
A blank line (2 '\n') separates the body from the HTTP Header. Therefore one is able to provide the error document and can start a whole new HTTP header.
I think the error message should be URL encoded (http://en.wikipedia.org/wiki/Percent-encoding). URL encoding leaves no problematic characters and the Javascript function unescape() will decode it.
> X-Tapestry-ErrorMessage may lead to HTTP Response Splitting
> -----------------------------------------------------------
>
> Key: TAP5-1004
> URL: https://issues.apache.org/jira/browse/TAP5-1004
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Paul Rehrl
>
> The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header but fails to sanitize or encode the error message. This enables an attacker to inject malicious HTTP headers or to provide a 2nd HTTP response.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.