My understanding is that CRLF breaks the RFC and leads to HTTP response splitting attacks.
-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2008 11:50 AM
To: [EMAIL PROTECTED]
Subject: DO NOT REPLY [Bug 45180] New: CRLF Newline characters stripped from header values

https://issues.apache.org/bugzilla/show_bug.cgi?id=45180

           Summary: CRLF Newline characters stripped from header values
           Product: Tomcat 5
           Version: 5.5.26
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Unknown
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

While trying to implement RFC 2231 with "Parameter Value Continuations" I had a header that should appear as follows:

Content-Disposition: attachment;
	filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog";
	filename*1="_boy_this_is_a_long_header_value";
	filename*2="_now_is_it_not.csv"

That is according to RFC 2231, which allows this.

I use HttpServletResponse.addHeader(String,String) to add the appropriate header as so:

addHeader("Content-Disposition", <above value with \r\n inside the string>)

Unfortunately Tomcat is replacing my String's "\r\n" after each ";" with two spaces instead. This results in the actual header returned to the browser being:

Content-Disposition: attachment;  	filename*0="Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog";  	filename*1="_boy_this_is_a_long_header_value";  	filename*2="_now_is_it_not.csv"

[Each ; is followed by <space><space><tab>filename instead of \r\n<tab>filename]

Firefox 2.0.14 will gracefully correct this malformed, non-compliant RFC 2231 header, but neither Internet Explorer 6 nor 7 will handle this correctly. IE is more strict about the RFC 2231 format.

I believe this may have been implemented to discourage XSS mistakes in code, but now it breaks using \r\n inside header values. Perhaps a new method such as "addUncheckedHeader(String,String)" that doesn't scrub the \r\n would be appropriate?
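The behaviour discussed in the thread, as an added example that is neither Tomcat's code nor the reporter's: a Python sketch that builds the RFC 2231 continuation parameters on a single line (the continuation syntax is a sequence of ';'-separated parameters and is independent of line folding, so no CRLF is needed in the value), refuses CR/LF in a header value outright because a bare CRLF inside a value terminates the header line (the response splitting risk named in the reply), mirrors the two-space rewrite the report observed, and reassembles the continuations regardless of the whitespace between them. `strip_crlf` is an assumption modelled on the report's description, not Tomcat's actual implementation; the function names are hypothetical and the sample values are constructed apart from the three filename parts quoted in the report.

```python
import re

# Constructed input: the three continuation parts quoted in the bug report.
CONTINUATION_PARTS = [
    "Rodney.20080516.VaR_Simple.HG2008_HG2008_20080516_issueDetailLog",
    "_boy_this_is_a_long_header_value",
    "_now_is_it_not.csv",
]

# Control characters other than HTAB (0x09). HTAB is legal inside HTTP field
# content; CR, LF and the remaining controls are not.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\*(\d+)="([^"]*)"')


class HeaderInjectionError(ValueError):
    """Raised when a header value contains CR, LF or another control character."""


def check_header_value(value: str) -> str:
    # A CRLF inside a value ends the header line; whatever follows would be
    # parsed as further headers or as a second response (response splitting).
    # Refusing the value is safer than silently rewriting it.
    if _CTL.search(value):
        raise HeaderInjectionError("control character in header value")
    return value


def rfc2231_continuation(name: str, parts: list) -> str:
    # RFC 2231 continuations are separate ';'-delimited parameters named
    # name*0, name*1, ...; they need no CR/LF folding to be valid.
    segments = [f'{name}*{i}="{part}"' for i, part in enumerate(parts)]
    return "attachment; " + "; ".join(segments)


def build_content_disposition(parts: list) -> str:
    # Hypothetical helper: the value an application should hand to addHeader().
    return check_header_value(rfc2231_continuation("filename", parts))


def fold_with_crlf(parts: list) -> str:
    # The folded form from the report: each parameter on its own line,
    # preceded by CRLF and a tab.
    segments = [f'filename*{i}="{part}"' for i, part in enumerate(parts)]
    return "attachment;\r\n\t" + ";\r\n\t".join(segments)


def strip_crlf(value: str) -> str:
    # Assumption: mirrors the rewrite the reporter observed (each "\r\n"
    # replaced by two spaces). This is not Tomcat's actual implementation.
    return value.replace("\r\n", "  ")


def parse_continuations(value: str, name: str = "filename") -> str:
    # Reassemble name*0, name*1, ... in numeric order, ignoring whatever
    # whitespace separates the parameters. Simplified: no charset/language
    # (name*0*=) form and no percent-encoded segments.
    pieces = {int(n): v for p, n, v in _PARAM.findall(value) if p == name}
    return "".join(pieces[i] for i in sorted(pieces))


if __name__ == "__main__":
    single_line = build_content_disposition(CONTINUATION_PARTS)
    print("Content-Disposition:", single_line)
    folded = fold_with_crlf(CONTINUATION_PARTS)
    try:
        check_header_value(folded)
    except HeaderInjectionError as err:
        print("folded value rejected:", err)
    rewritten = strip_crlf(folded)
    print("after two-space rewrite:", repr(rewritten))
    print("reassembled filename:", parse_continuations(rewritten))
```

The single-line form is what an application should send: it carries the same RFC 2231 continuations, passes the control-character check, and a browser that understands continuations reassembles the same filename from it as from the folded form. The folded form is rejected by the check; after the two-space rewrite it contains only spaces and a tab between parameters, so the parser still recovers the filename, which is the state the report describes reaching the browser.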