https://issues.apache.org/bugzilla/show_bug.cgi?id=50958
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-03-24 11:52:28 EDT ---
(In reply to comment #0)
> Created an attachment (id=26793)
> --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26793)
> Contains test WAR and ISAPI config files
>
> The ISAPI plugin seems to be vulnerable to HTTP response splitting attacks.

No, it isn't. An HTTP response splitting attack is something triggered by client
input, not by an application.

> The plugin code doesn't filter CRLFs from response header values before the
> response is sent to the client. Tomcat replaces CRLFs with spaces when
> accessed directly through an HTTP connector. I suggest the ISAPI plugin does
> the same.

That the HTTP connectors and the newer AJP connectors stop developers shooting
themselves in the foot (at least in this way) whereas the older BIO AJP does
not (the filtering is in the Tomcat connector, not the ISAPI native code) is a
benefit of the newer connectors but does not represent a vulnerability in the
older BIO AJP connector.

There was a vulnerability in this area in the past, CVE-2008-1232, that was
triggered by using non-filtered client-supplied data directly in an HTTP
response header.
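
An application-side guard for deployments that still sit behind the older BIO AJP connector, as an added example that is not part of the original message or of Tomcat's own code: a servlet filter that applies the CRLF-to-space replacement described above before header values reach the connector. The class names HeaderCrlfFilter and CleaningResponse are hypothetical, and the code assumes the javax.servlet API of that Tomcat generation is on the classpath.

```java
// Added example, not Tomcat code. Assumes the javax.servlet API on the classpath.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: neutralises CR/LF in response headers set by the application. */
public class HeaderCrlfFilter implements Filter {

    /** Replace every CR or LF with a space; null is passed through unchanged. */
    static String clean(String value) {
        return value == null ? null : value.replace('\r', ' ').replace('\n', ' ');
    }

    /** Cleans setHeader, addHeader and sendRedirect; cookies and content type are not covered. */
    static class CleaningResponse extends HttpServletResponseWrapper {
        CleaningResponse(HttpServletResponse response) {
            super(response);
        }
        @Override public void setHeader(String name, String value) {
            super.setHeader(clean(name), clean(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(clean(name), clean(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(clean(location));
        }
    }

    @Override public void init(FilterConfig config) { }

    @Override public void destroy() { }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only HTTP responses; everything downstream writes headers through the wrapper.
        if (res instanceof HttpServletResponse) {
            res = new CleaningResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }
}
```

Mapping the filter to /* in web.xml puts the wrapper in front of every servlet, so a header value built from request data is flattened to a single line whichever connector carries the response.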