-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Konstantin,
On 4/20/2011 11:56 AM, Konstantin Kolinko wrote:
> 2011/4/20 Christopher Schultz :
>>
>> I was considering scouring the URL/URI specs for exactly what characters
>> are allowed but then decided that I didn't really care: I was mostly
>> co
2011/4/20 Christopher Schultz :
>
> I was considering scouring the URL/URI specs for exactly what characters
> are allowed but then decided that I didn't really care: I was mostly
> concerned with thwarting a response-splitting attack and avoiding \r and
> \n does that.
See HTTP spec on what is al
Konstantin,
On 4/19/2011 4:37 AM, Konstantin Kolinko wrote:
> 2011/4/19 Christopher Schultz :
>>
>> Looks like I must override sendRedirect because otherwise the setHeader
>> call implemented in Response.sendRedirect isn't intercepted by the
>> wrappe
2011/4/19 Christopher Schultz :
>
> Looks like I must override sendRedirect because otherwise the setHeader
> call implemented in Response.sendRedirect isn't intercepted by the
> wrapper class.
>
> For those interested, see below for the implementation I came up with.
>
> if(containsCRo
All,
On 4/18/2011 9:51 PM, Christopher Schultz wrote:
> I'm leaning more towards just protecting against control characters in a
> header: there's no need to do a complete URL-parse to check for response
> splitting.
>
> A simple filter that wraps th
Sebb,
Just saw your response from a few weeks back... (and responded directly
instead of to the list... it's been a long day).
On 4/1/2011 6:16 PM, sebb wrote:
> I may be missing something here, but can't you use the ctor:
>
> URL(URL context, String
On 1 April 2011 15:49, Christopher Schultz wrote:
> Ronald,
>
> On 3/31/2011 8:21 PM, Christopher Schultz wrote:
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some proper input validation solves your problem.
>>> Does new URL(r
2011/4/1 Christopher Schultz :
> I think I'm going to standardize on simply scanning for troublesome
> characters like \r and \n and throwing a MalformedURLException or
> something like that.
You'd better scan for allowed characters. The \r and \n are not the
only ones where the things may go wron
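The approach discussed across this thread (wrap the response in a filter, override sendRedirect as well as setHeader/addHeader because Tomcat's Response.sendRedirect sets Location on the underlying response rather than through the wrapper, reject CR and LF, and prefer a whitelist of allowed characters over a blacklist) put together as an added example. This is not the implementation posted in the thread; the class names HeaderInjectionFilter and SafeHeaderResponse, the javax.servlet package (Servlet 2.5/3.0 era) and the RFC 3986 character whitelist are assumptions for illustration.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not the thread's code): wraps every
 * HttpServletResponse so that header values and redirect targets containing
 * line terminators, or any character outside the URI character set, are
 * refused before they reach the real response.
 */
public class HeaderInjectionFilter implements Filter {

    // Whitelist: unreserved + reserved characters from RFC 3986, plus '%'.
    // CR, LF, NUL, space and anything non-ASCII are therefore rejected.
    private static final Pattern SAFE_URI =
        Pattern.compile("^[A-Za-z0-9\\-._~:/?#\\[\\]@!$&'()*+,;=%]*$");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new SafeHeaderResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    /** Blacklist check used for arbitrary header values. */
    static boolean containsCRLF(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0);
    }

    /** Whitelist check used for redirect targets. */
    static boolean isSafeRedirectTarget(String url) {
        return url != null && SAFE_URI.matcher(url).matches();
    }

    static class SafeHeaderResponse extends HttpServletResponseWrapper {
        SafeHeaderResponse(HttpServletResponse response) { super(response); }

        // Must be overridden: the container's own sendRedirect writes the
        // Location header on the wrapped response, bypassing setHeader() here.
        @Override
        public void sendRedirect(String location) throws IOException {
            if (!isSafeRedirectTarget(location)) {
                // MalformedURLException extends IOException, so it fits the signature.
                throw new MalformedURLException("Redirect target rejected: illegal characters");
            }
            super.sendRedirect(location);
        }

        @Override
        public void setHeader(String name, String value) {
            rejectIfSplittable(name, value);
            super.setHeader(name, value);
        }

        @Override
        public void addHeader(String name, String value) {
            rejectIfSplittable(name, value);
            super.addHeader(name, value);
        }

        private static void rejectIfSplittable(String name, String value) {
            if (containsCRLF(name) || containsCRLF(value)) {
                throw new IllegalArgumentException("CR/LF in header '" + name + "' rejected");
            }
        }
    }
}
```

Map the filter to /* in web.xml so it sits in front of every servlet. The redirect path is stricter than the header path on purpose: a Location value has no business containing anything outside the RFC 3986 character set, while other headers (Set-Cookie, Content-Disposition) legitimately carry spaces and quotes, so there only the line terminators are refused. Whether to surface the rejection as a 500 (as these exceptions will, uncaught) or catch it and send a 400 is a policy choice; the check itself is the same either way.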
Leon,
On 4/1/2011 1:49 AM, Leon Rosenberg wrote:
> On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz
> wrote:
>> Ronald,
>>
>> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>>> I would say that some
Ronald,
On 3/31/2011 8:21 PM, Christopher Schultz wrote:
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on invalid url's?
>
>
On Fri, Apr 1, 2011 at 2:21 AM, Christopher Schultz
wrote:
> Ronald,
>
> On 3/31/2011 7:05 AM, Ronald Klop wrote:
>> I would say that some proper input validation solves your problem.
>> Does new URL(redirectURL).toString() give an exception on i
Ronald,
On 3/31/2011 7:05 AM, Ronald Klop wrote:
> I would say that some proper input validation solves your problem.
> Does new URL(redirectURL).toString() give an exception on invalid url's?
new URL(String) will throw a MalformedURLException if the
Ronald,
On 3/31/2011 7:05 AM, Ronald Klop wrote:
> On Wednesday, 30 March 2011 22:12, Christopher Schultz wrote:
>>
>> response.sendRedirect(request.getParameter("returnURL"));
>>
>> Aside from not running the redirect through response.encodeRedire
On Wednesday, 30 March 2011 22:12, Christopher Schultz wrote:
All,
I was playing around with findbugs today and saw a security warning I've
never seen before: "HTTP parameter directly written to HTTP header
output in [somefile.jav
All,
I was playing around with findbugs today and saw a security warning I've
never seen before: "HTTP parameter directly written to HTTP header
output in [somefile.java]".
I read a bit more into it and the warning was correct, I was doing
something