Fix http splitting vulnerabilities #24004
Conversation
Thanks for the release note entry! Suggest revising to follow the Order of changes in the Release Notes Guidelines. Maybe something like?
Please revise my suggestion if my phrasing doesn't correctly describe the work you've done.
@@ -128,12 +128,14 @@ protected void parseURI(String requestURI, HttpServletRequest request, HttpServl | |||
OutputBufferId bufferId = null; | |||
long token = 0; | |||
|
|||
String sanitizedRequestURI = requestURI.replaceAll("[\\r\\n]", ""); |
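Review bot: `String sanitizedRequestURI = requestURI.replaceAll("[\\r\\n]", "");` silently repairs a request that is already malformed instead of rejecting it; a URI containing CR or LF is not a valid request line, so responding with a 400 would be the safer default and would make the behaviour easy to cover with a test. Also double-check that every later use of `requestURI` inside `parseURI` now reads `sanitizedRequestURI`, since only the new local is visible in this hunk, and note that this change covers the URI only and not other header values that may be copied into the response.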
So this removes \r and \n from the URI. But having these chars would not be a valid URI in the first place. The server listener doesn't filter this out already?
The vulnerability talks about having these values in the header - because these values are used to separate header and body in HTTP.
Validating the input is fine. Just surprised this isn't already taken care of.
+1.
We need to sanitize the request headers in order to handle this vulnerability.
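One way to apply the CR/LF check to all request headers rather than to the URI alone, as an added example that is not part of this PR or the project's code. It takes the headers as a plain map (a servlet caller would fill it from `getHeaderNames()` and `getHeaders(name)`) and contrasts the lenient strip with a strict reject; the sample header values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper (not from the PR): CR and LF are the header/body and
// header/header delimiters in HTTP, so any request value that may be echoed
// into a response header must be free of them.
public final class HeaderCrLfGuard {
    private static final Pattern CR_OR_LF = Pattern.compile("[\\r\\n]");

    private HeaderCrLfGuard() {}

    // True when the value is safe to copy into a response header.
    public static boolean isClean(String value) {
        return value != null && !CR_OR_LF.matcher(value).find();
    }

    // Lenient variant (what the hunk does for the URI): strip and continue.
    public static String strip(String value) {
        return CR_OR_LF.matcher(value).replaceAll("");
    }

    // Strict variant: report every offending header so the caller can
    // answer 400 instead of processing a malformed request.
    public static List<String> findTainted(Map<String, List<String>> headers) {
        List<String> tainted = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            for (String v : e.getValue()) {
                if (!isClean(v)) {
                    tainted.add(e.getKey());
                    break;
                }
            }
        }
        return tainted;
    }

    public static void main(String[] args) {
        // Constructed sample: one clean header, one carrying an injected line.
        Map<String, List<String>> headers = Map.of(
                "Host", List.of("example.test"),
                "X-Forwarded-Host", List.of("a.test\r\nSet-Cookie: session=evil"));
        System.out.println("tainted headers: " + findTainted(headers));
        System.out.println("stripped: " + strip(headers.get("X-Forwarded-Host").get(0)));
    }
}
```

Running `main` reports `X-Forwarded-Host` as tainted; the strict path is the one to wire into request handling, with `strip` kept only where silently repairing is acceptable.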
So just to clarify, you are suggesting I get all headers from the request variable and sanitize each one using the same method here?
Is it possible to write a test which can verify the new behavior?
Description
Dealing with vulnerabilities found in a static scan, labeled as HTTP splitting vulnerabilities.