Mark,

On 5/7/13 11:54 AM, ma...@apache.org wrote:
> Author: markt
> Date: Tue May 7 15:54:36 2013
> New Revision: 1479953
>
> URL: http://svn.apache.org/r1479953
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54703
> Be tolerant of applications that pass CR or LF in setHeader() values.
> Fix some whitespace parsing issues identified by the extended test cases in
> readTokenOrQuotedString()
How does this impact HTTP response-splitting exploits triggered by webapps that don't sanitize their response headers?

Also:

> + private static final String[] LWS_VALUES = new String[] {
> + "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
> + "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };

Is LWS_VALUES an empty string? Just a sanity check that headers without any leading whitespace don't cause any problems? Seems like many many other tests would verify that...

-chris
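Review bot: the first element of LWS_VALUES is the empty string, which makes the no-leading-whitespace case one iteration of the same parameterised loop rather than a separate test; a one-line comment on the array stating that intent would answer the question raised above and stop the entry being read as an accident. Separately, every line-break combination in the array is paired only with spaces (" \r ", " \n ", " \r\n ") while tab appears solely on its own; the tab variants of the same shapes, such as "\t\r\n" and "\r\n\t", are not exercised and are worth adding since both characters are LWS.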
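The question above is whether a container that tolerates CR or LF in setHeader() values changes the response-splitting picture for applications that do not sanitize their own headers. Whatever the container does, the application can refuse or neutralise line breaks before the value reaches the servlet API. The following is an added example, not Tomcat code and not part of the commit or this thread; the class name, the helper names and the sample inputs are all constructed for illustration, and the inputs mirror the leading-whitespace shapes from the quoted LWS_VALUES array plus one deliberately malformed value.

```java
import java.util.List;

/**
 * Application-side guard for HTTP header values (added example, hypothetical
 * class). A header value can never legitimately span lines, so a bare CR or
 * LF is always either a bug or an injection attempt; the guard either reports
 * it or collapses it to a space before the value is handed to setHeader().
 */
public final class HeaderValueCheck {

    private HeaderValueCheck() {}

    /** True if the value contains a bare CR or LF anywhere. */
    public static boolean containsLineBreak(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /**
     * Replaces every CR and LF with a single space and trims surrounding
     * whitespace. Leading LWS such as " \r\n " therefore collapses to "",
     * and an embedded line break can no longer start a new header line.
     */
    public static String sanitize(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', ' ').replace('\n', ' ').trim();
    }

    /** Fail-closed variant: reject instead of rewriting. */
    public static String requireSingleLine(String value) {
        if (containsLineBreak(value)) {
            throw new IllegalArgumentException("header value contains CR or LF");
        }
        return value;
    }

    // Constructed sample inputs: the LWS_VALUES shapes from the test plus one
    // value carrying an embedded CRLF, which is the case response splitting needs.
    public static void main(String[] args) {
        List<String> samples = List.of("", " ", "\t", "\r", "\n", "\r\n", " \r\n ",
                "text/html", "bad\r\nvalue");
        for (String s : samples) {
            System.out.printf("%-18s lineBreak=%-5s sanitized=%s%n",
                    printable(s), containsLineBreak(s), printable(sanitize(s)));
        }
    }

    // Escape control characters so the demonstration output stays on one line.
    private static String printable(String s) {
        return "\"" + s.replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t") + "\"";
    }
}
```

Wiring either helper in front of every setHeader()/addHeader() call (for example in a HttpServletResponseWrapper installed by a filter) gives the application a single enforcement point that does not depend on how tolerant the container underneath happens to be.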