Posted to commits@wicket.apache.org by mg...@apache.org on 2011/11/08 15:35:06 UTC

svn commit: r1199263 - /wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java

Author: mgrigorov
Date: Tue Nov  8 14:35:05 2011
New Revision: 1199263

URL: http://svn.apache.org/viewvc?rev=1199263&view=rev
Log:
WICKET-4196 Accessing Wicket through AJP makes Wicket vulnerable to HTTP Response Splitting Attack


Modified:
    wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java

Modified: wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java
URL: http://svn.apache.org/viewvc/wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java?rev=1199263&r1=1199262&r2=1199263&view=diff
==============================================================================
--- wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java (original)
+++ wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java Tue Nov  8 14:35:05 2011
@@ -206,6 +206,34 @@ public class BrowserInfoPage extends Web
 				}
 			};
 		}
+		continueTo = sanitize(continueTo);
 		this.continueTo = continueTo;
 	}
+
+	/**
+	 * Cleans the <code>cto</code> request parameter from malicious user input.
+	 * 
+	 * @param continueTo
+	 *            the url to redirect to after extracting the browser info
+	 * @return the url to redirect to after the cleaning.
+	 */
+	private String sanitize(String continueTo)
+	{
+		// continueTo is already checked against 'null'
+
+		// cut everything after \n or \r. WICKET-4196
+		int idx = continueTo.indexOf('\n');
+		if (idx > -1)
+		{
+			continueTo = continueTo.substring(0, idx);
+		}
+
+		idx = continueTo.indexOf('\r');
+		if (idx > -1)
+		{
+			continueTo = continueTo.substring(0, idx);
+		}
+
+		return continueTo;
+	}
 }
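Review bot: sanitize() on lines 38-56 only strips the redirect target at the first literal '\n' or '\r'; it still accepts whatever precedes the line break, so a tampered `cto` is silently redirected to its prefix rather than rejected or logged, and a bare CR/LF check does nothing for an absolute URL pointing off-site (the open-redirect side of an attacker-controlled redirect target is out of scope for this commit but should at least be stated in the Javadoc). Whether percent-encoded line breaks matter depends on whether the value is decoded again before it reaches the Location header, which is not visible in this hunk. Suggested Javadoc addition on line 32: `* Only CR and LF are removed (WICKET-4196, header injection); the target URL itself is not validated.` The two truncation blocks are equivalent to cutting at the earliest of the two indices and could be folded into one statement, e.g. `int lf = continueTo.indexOf('\n'), cr = continueTo.indexOf('\r');` / `int idx = (lf < 0) ? cr : (cr < 0 ? lf : Math.min(lf, cr));` / `if (idx > -1) continueTo = continueTo.substring(0, idx);`. The constructor that calls sanitize() on line 27 starts outside the hunk, so the null check the comment on line 40 relies on cannot be confirmed here.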