https://issues.apache.org/bugzilla/show_bug.cgi?id=45180
Summary: CRLF Newline characters stripped from header values
Product: Tomcat 5
Version: 5.5.26
Platform: PC
OS/Version: Windows Server 2003
Status: NEW
Severity: blocker
Priority: P2
Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
While trying to implement RFC 2231 with "Parameter Value Continuations" I had a
header that should appear as follows:
Content-Disposition: attachment;
filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog";
filename*1="_boy_this_is_a_long_header_value";
filename*2="_now_is_it_not.csv"
That is according to RFC 2231 which allows this. I use
HttpServletResponse.addHeader(String,String) to add the appropriate header as
so:
addHeader("Content-Disposition", above value with \r\n inside the string)
Unfortunately Tomcat is replacing my String's "\r\n" after each ";" with two
spaces instead.
This results in the actual header returned to the browser being:
Content-Disposition: attachment;
filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog";
filename*1="_boy_this_is_a_long_header_value";
filename*2="_now_is_it_not.csv"
[Each ; is followed by <space><space><tab>filename instead of
\r\n<tab>filename]
Firefox 2.0.14 will gracefully correct this malformed, non-compliant RFC2231
header, but neither Internet Explorer 6 nor 7 will handle this correctly. IE is more
strict about the RFC2231 format.
I believe this may have been implemented to discourage XSS mistakes in code,
but now it breaks using \r\n inside header values.
Perhaps a new method such as "addUncheckedHeader(String,String)" that doesn't
scrub the \r\n would be appropriate?
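Added example, not Tomcat's code and not from the reporter: a Python model of the CR/LF replacement the report describes (each "\r\n" in a header value becomes two spaces), showing why a container does it (a value containing a line break would otherwise be parsed as additional header lines) and how RFC 2231 continuation segments can be emitted on a single line, since the RFC separates parameters with ";" and does not require a line break between them. The header values below are constructed for illustration.

```python
import re

# Model of the behaviour the bug report describes: every CR/LF in a header
# value is replaced by two spaces, so the value can never terminate the
# header line it belongs to. Reconstruction for illustration, not Tomcat's code.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def sanitize_header_value(value: str) -> str:
    """Replace CR/LF sequences with two spaces, as the report says Tomcat does."""
    return _LINE_BREAK.sub("  ", value)


def serialize_header(name: str, value: str, sanitize: bool = True) -> str:
    """Serialize one header as the text a container would put on the wire."""
    if sanitize:
        value = sanitize_header_value(value)
    return f"{name}: {value}\r\n"


def header_line_count(wire: str) -> int:
    """Count the header lines an HTTP parser would see in serialized text."""
    return len([line for line in wire.split("\r\n") if line])


def rfc2231_continuation(param: str, value: str, chunk: int) -> str:
    """Split a long value into RFC 2231 'param*N="..."' segments joined on
    one line with '; ', so no CR/LF is needed and nothing gets rewritten."""
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return "; ".join(f'{param}*{n}="{p}"' for n, p in enumerate(parts))


if __name__ == "__main__":
    # Constructed folded value in the shape the reporter used (CRLF + tab).
    folded = 'attachment;\r\n\tfilename*0="a";\r\n\tfilename*1="b"'
    # Without sanitising, the one value becomes three header lines.
    print(header_line_count(serialize_header("Content-Disposition", folded, sanitize=False)))
    # Sanitised, it stays a single header line.
    print(serialize_header("Content-Disposition", folded))
    # Same continuation built on one line, no folding required.
    print(rfc2231_continuation("filename", "abcdefgh", 3))
```

The sanitised output reproduces the "<space><space><tab>filename" form the report observes, and the single-line continuation carries the same segments without any CR/LF for the container to rewrite.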