Mark, On 5/8/13 10:08 AM, Mark Thomas wrote: > On 08/05/2013 14:22, Christopher Schultz wrote: >> Mark, > >> On 5/7/13 11:54 AM, ma...@apache.org wrote: >>> Author: markt Date: Tue May 7 15:54:36 2013 New Revision: >>> 1479953 >>> >>> URL: http://svn.apache.org/r1479953 Log: Fix >>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54703 Be >>> tolerant of applications that pass CR or LF in setHeader() >>> values. Fix some whitespace parsing issues idnetifed by the >>> extended test cases in readTokenOrQuotedString() > >> How does this impact HTTP response-splitting exploits triggered by >> webapps that don't sanitize their response headers? > > It does very little because only Content-Type headers are parsed. The > likelihood any app vulnerable before this change is still vulenrable.
Aah, I didn't realize this was restricted to Content-Type headers -- I
was only reading the diff itself. Thanks for the clarification.
>> Also:
>
>>> + private static final String[] LWS_VALUES = new String[] { +
>>> "", " ", "\t", "\r", "\n", "\r\n", " \r", " \n", " \r\n", +
>>> "\r ", "\n ", "\r\n ", " \r ", " \n ", " \r\n " };
>
>> Is LWS_VALUES an empty string? Just a sanity check that headers
>> without any leading whitespace don't cause any problems? Seems like
>> many many other tests would verify that...
>
> No, LWS_VALUES is an array of Strings one of which is the empty
> String. Each value in the array is used for a series of tests in turn.
Sorry, I attempted to say "Is LWS_VALUES[0] an empty string?". I see
that you are running tests against each one... I was just wondering if
the empty-string test was just for completeness rather than intending
for it to be a certain type of whitespace (as opposed to none).
Thanks,
-chris
signature.asc
Description: OpenPGP digital signature
