All,

I was playing around with findbugs today and saw a security warning I've never seen before: "HTTP parameter directly written to HTTP header output in [somefile.java]". I read a bit more into it and the warning was correct; I was doing something akin to the following:

    response.sendRedirect(request.getParameter("returnURL"));

Aside from not running the redirect through response.encodeRedirectURL, there's another potential problem there: the user can specify a return URL that breaks the HTTP response and can do some evil things. I verified that I can break my own response in this way by adding "%0d%0a" and then more stuff to my "returnURL" parameter, and I magically escaped the "Location" header of the response.

The suggested mitigation is to URL-encode the value before putting it into the header.

I was wondering if anyone was doing anything like this and has a suggestion for allowing the UI to control its own "return to" URLs in a safe way. We'd like to use returnURL values that allow for query parameters to be passed back to the target URL, so we can't just blindly URL-encode the URL; otherwise those parameters will become part of the URL and not the query string.

I suppose I could also just look for and replace whitespace, which is not legal in a URL anyway.

Any other thoughts or suggestions?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
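As an added example (not code from the post above and not part of Tomcat), here is one way to handle the "return to" URL safely without blindly URL-encoding the whole value: reject anything containing control characters (after request.getParameter() has decoded %0d%0a into a real CR LF), parse the rest with java.net.URI, accept only a site-local path or an absolute http(s) URL on an allowed host, and re-serialise with toASCIIString() so the path/query split survives. The class name ReturnUrlValidator, the method validate() and the hostname "app.example.com" are illustrative assumptions; the example compiles with only the JDK and shows the servlet call site in a comment.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.Set;

/*
 * Added example, not from the original post and not Tomcat code.
 * Validates a user-supplied "returnURL" before it reaches
 * response.sendRedirect(), so CR/LF can never reach the Location header
 * while a legitimate query string is left intact.
 * ReturnUrlValidator, validate() and "app.example.com" are assumed names.
 */
public final class ReturnUrlValidator {

    private static final Set<String> SCHEMES = Set.of("http", "https");

    private final String allowedHost;

    public ReturnUrlValidator(String allowedHost) {
        this.allowedHost = allowedHost.toLowerCase();
    }

    /** Returns a safe redirect target, or empty if the input must be refused. */
    public Optional<String> validate(String raw) {
        if (raw == null || raw.isEmpty()) {
            return Optional.empty();
        }
        // 1. Hard-reject control characters and whitespace. getParameter() has
        //    already turned %0d%0a into a real CR LF, which is what splits the
        //    header; whitespace is not legal in a URL either.
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                return Optional.empty();
            }
        }
        // 2. Parse as a URI. Illegal characters (backslash, '<', bad % escapes)
        //    throw, and that is a rejection, not something to patch up.
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        if (uri.getScheme() == null) {
            // 3a. Site-local path: must start with exactly one "/".
            //     "//evil.example" and "///evil.example" are host-relative to
            //     browsers, so a second slash is refused outright.
            if (!raw.startsWith("/") || raw.startsWith("//")) {
                return Optional.empty();
            }
        } else {
            // 3b. Absolute URL: http(s) only, no userinfo ("http://x@evil"),
            //     and the host must be ours.
            String host = uri.getHost();
            if (!SCHEMES.contains(uri.getScheme().toLowerCase())
                    || uri.getRawUserInfo() != null
                    || host == null
                    || !host.toLowerCase().equals(allowedHost)) {
                return Optional.empty();
            }
        }
        // 4. toASCIIString() percent-encodes only what needs it and keeps the
        //    path/query structure, so "?a=1&b=2" comes through as a query.
        return Optional.of(uri.toASCIIString());
    }

    public static void main(String[] args) {
        ReturnUrlValidator v = new ReturnUrlValidator("app.example.com");
        // Constructed sample inputs: the first two are legitimate, the rest
        // are the header-splitting and open-redirect shapes to refuse.
        String[] samples = {
            "/account/orders?page=2&sort=date",
            "https://app.example.com/cart?item=42",
            "/home\r\nSet-Cookie: session=attacker",   // decoded %0d%0a
            "//evil.example/phish",
            "///evil.example/phish",
            "https://evil.example/phish",
            "http://app.example.com@evil.example/",
            "javascript:alert(1)"
        };
        for (String s : samples) {
            System.out.println(v.validate(s).map(u -> "OK     " + u)
                                            .orElse("REJECT " + s.replace("\r\n", "\\r\\n")));
        }
        // In the servlet (javax.servlet API, not compiled here):
        //   String target = v.validate(request.getParameter("returnURL"))
        //                    .orElse("/");
        //   response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Two design notes: the validator does not compare ports, so "https://app.example.com:8443/" is accepted as the same host; tighten that if the application only ever lives on one port. It also deliberately does not try to "clean" a bad value by stripping characters, since a rejected returnURL falling back to a fixed default page is both simpler to reason about and harder to bypass than a sanitiser.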
I was playing around with findbugs today and saw a security warning I've never seen before: "HTTP parameter directly written to HTTP header output in [somefile.java]". I read a bit more into it and the warning was correct, I was doing something akin to the following: response.sendRedirect(request.getParameter("returnURL")); Aside from not running the redirect through response.encodeRedirectURL, there's another potential problem, there: the user can specify a return URL that breaks the HTTP response and can do some evil things. I verified that I can break my own response in this way by adding "%0d%0a" and then more stuff to my "returnURL" parameter and I magically escaped the "Location" header of the response. The suggested mitigation is to URL-encode the value before putting it into the header. I was wondering if anyone was doing anything like this and has a suggestion for allowing the UI to control it's own "return to" URLs in a safe way. We'd like to use returnURL values that allow for query parameters to be passed-back to the target URL so we can't just blindly URL-encode the URL otherwise those parameters will become part of the URL and not the query string. I suppose I could also just look for and replace whitespace, which is not legal in a URL anyway. Any other thoughts of suggestions? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2TjpgACgkQ9CaO5/Lv0PDAwQCfa8sSdRzAE7ZNjv0P1s/qD95L FGEAnjA8ZbobU/8s90lE2huLx/+B2smV =vJ6w -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org