X-Tapestry-ErrorMessage may lead to HTTP Response Splitting
-----------------------------------------------------------

                 Key: TAP5-1004
                 URL: https://issues.apache.org/jira/browse/TAP5-1004
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.5
            Reporter: Paul Rehrl


The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header but 
fails to sanitize or encode the error message. This enables an attacker to 
inject malicious HTTP headers or to provide a 2nd HTTP response.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
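
One way to neutralise the header value before it is set, shown as an added example rather than Tapestry's code or the fix applied to this issue. The class name, the sanitize helper, the 200-character limit and the sample message are all assumptions made for illustration. It percent-encodes every byte outside printable ASCII, so CR and LF cannot end the header line.

```java
import java.nio.charset.StandardCharsets;

public class HeaderValueSanitizer {

    // Hypothetical helper (not part of Tapestry): returns a value that is safe to
    // place in a single HTTP header line. Printable ASCII is kept, everything else
    // (CR, LF, other control bytes, non-ASCII) and '%' itself is percent-encoded,
    // so the original message can still be recovered by a client.
    static String sanitize(String raw, int maxLen) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            String token = (c >= 0x20 && c < 0x7F && c != '%')
                    ? String.valueOf((char) c)
                    : String.format("%%%02X", c);
            // Truncate on a token boundary so an escape sequence is never cut in half.
            if (out.length() + token.length() > maxLen) {
                break;
            }
            out.append(token);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an exception message that echoes request input
        // containing a CRLF sequence followed by a header-like string.
        String message = "Page not found: x\r\nX-Injected: 1";

        String unsafe = "X-Tapestry-ErrorMessage: " + message;
        String safe = "X-Tapestry-ErrorMessage: " + sanitize(message, 200);

        // Count how many header lines each variant would occupy on the wire.
        System.out.println("header lines (raw):       " + unsafe.split("\r\n").length);
        System.out.println("header lines (sanitized): " + safe.split("\r\n").length);
        System.out.println(safe);
    }
}
```

Encoding rather than stripping keeps the full error text available to whatever reads the header, at the cost of that reader having to percent-decode it.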
