Posted to commits@roller.apache.org by mb...@apache.org on 2021/09/13 02:12:16 UTC
[roller] 06/10: FolderEdit: HTTP response splitting defense.
This is an automated email from the ASF dual-hosted git repository.
mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git
commit 2181cb796aa3057bd8b692d34ada970b17d21fc6
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue Aug 24 22:15:21 2021 +0200
FolderEdit: HTTP response splitting defense.
---
.../org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
index 91dc0ae..94de22d 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java
@@ -40,7 +40,7 @@ import javax.servlet.http.HttpServletResponse;
// TODO: make this work @AllowedMethods({"execute","save"})
public class FolderEdit extends UIAction implements ServletResponseAware {
- private static Log log = LogFactory.getLog(FolderEdit.class);
+ private static final Log log = LogFactory.getLog(FolderEdit.class);
// bean for managing form data
private FolderBean bean = new FolderBean();
@@ -127,7 +127,10 @@ public class FolderEdit extends UIAction implements ServletResponseAware {
addMessage("folderForm.updated");
}
- httpServletResponse.addHeader("folderId", folderId );
+ // HTTP response splitting defense
+ String sanetizedFolderID = folderId.replace("\n", "").replace("\r", "");
+
+ httpServletResponse.addHeader("folderId", sanetizedFolderID);
return SUCCESS;