On 08/05/2013 14:22, Christopher Schultz wrote:
> Mark,
>
> On 5/7/13 11:54 AM, ma...@apache.org wrote:
>> Author: markt
>> Date: Tue May 7 15:54:36 2013
>> New Revision: 1479953
>>
>> URL: http://svn.apache.org/r1479953
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54703
>> Be tolerant of applications that pass CR or LF in setHeader() values.
>> Fix some whitespace parsing issues identified by the extended test cases in readTokenOrQuotedString()
>
> How does this impact HTTP response-splitting exploits triggered by
> webapps that don't sanitize their response headers?

It does very little because only Content-Type headers are parsed. The likelihood is that any app vulnerable before this change is still vulnerable.

> Also:
>
>> +    private static final String[] LWS_VALUES = new String[] {
>> +            "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n",
>> +            "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };
>
> Is LWS_VALUES an empty string? Just a sanity check that headers
> without any leading whitespace don't cause any problems? Seems like
> many many other tests would verify that...

No, LWS_VALUES is an array of Strings, one of which is the empty String. Each value in the array is used for a series of tests in turn.

Mark
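Review bot: LWS_VALUES exercises the space character in every position around CR, LF and CRLF, but the tab appears only on its own; since linear whitespace includes tab, the readTokenOrQuotedString() cases would be stronger with entries such as "\t\r\n", "\r\n\t" and " \r\n\t" alongside the space-based ones.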
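The thread makes the point that the container fix above does not remove an application's own responsibility for keeping CR and LF out of header values. As an added example, not code from the thread or from Tomcat, the following servlet filter wraps the response so that setHeader()/addHeader() reject such values before they reach the container; it assumes the javax.servlet API and the hypothetical class name HeaderCrlfFilter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: refuses header names/values that contain CR or LF. */
public class HeaderCrlfFilter implements Filter {

    static final class StrictHeaderResponse extends HttpServletResponseWrapper {
        StrictHeaderResponse(HttpServletResponse response) { super(response); }

        /** True when the string carries neither a CR nor an LF character. */
        static boolean isSafeHeaderString(String s) {
            return s == null || (s.indexOf('\r') < 0 && s.indexOf('\n') < 0);
        }

        /** Fails fast instead of letting a second header line be injected. */
        private static String check(String what, String s) {
            if (!isSafeHeaderString(s)) {
                throw new IllegalArgumentException("CR/LF in header " + what);
            }
            return s;
        }

        @Override public void setHeader(String name, String value) {
            super.setHeader(check("name", name), check("value", value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(check("name", name), check("value", value));
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP responses carry headers; pass anything else through untouched.
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new StrictHeaderResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }
}
```

sendRedirect() also builds a header (Location) from a String, so the same check belongs in an override of it as well.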