[ https://issues.apache.org/jira/browse/TAP5-1004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837247#action_12837247 ]

Denis Delangle commented on TAP5-1004:
--------------------------------------

Furthermore, the X-Tapestry-ErrorMessage is written before the "Content-Encoding
gzip" header, so the response is displayed compressed or not displayed at all.

If the exception message contains 2 "\n", the header is not well formed.

For instance, a page with this content fails to display the error page with
Firefox:

    @SetupRender
    public void testError() throws Exception {
        String message = "titi \n toto \n";
        throw new Exception(message);
    }

The response headers under Firebug are:

Date    Tue, 23 Feb 2010 14:14:35 GMT
Server  Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
X-Tapestry-ErrorMessage Render queue error in SetupRender[report/test/Page]: 
java.lang.Exception: titi toto

If I execute the test with only one "\n", the error page is displayed correctly:

    @SetupRender
    public void testError() throws Exception {
        String message = "titi \n toto";
        throw new Exception(message);
    }

The response headers are:

Date    Tue, 23 Feb 2010 14:21:29 GMT
Server  Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
X-Tapestry-ErrorMessage Render queue error in SetupRender[report/test/Page]: 
java.lang.Exception: titi toto
Content-Type    text/html;charset=UTF-8
Content-Encoding        gzip
Transfer-Encoding       chunked

> X-Tapestry-ErrorMessage may lead to HTTP Response Splitting
> -----------------------------------------------------------
>
>                 Key: TAP5-1004
>                 URL: https://issues.apache.org/jira/browse/TAP5-1004
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.1.0.5
>            Reporter: Paul Rehrl
>
> The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header 
> but fails to sanitize or encode the error message. This enables an attacker 
> to inject malicious HTTP headers or to provide a 2nd HTTP response.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
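The mechanics described in the comment above (one "\n" in the header value leaves the remaining headers intact, two end the header block early so Content-Type and Content-Encoding land in the body) can be reproduced offline. The following is an added example, not Tapestry's code and not the fix the project shipped: a hypothetical header serializer that writes values verbatim the way DefaultRequestExceptionHandler's caller did, a line-based parser that stops at the first empty line as a browser would, and a sanitize_header_value function that collapses CR/LF so an exception message can never terminate a header line. The messages "titi \n toto \n" and "titi \n toto" are the ones from the comment; the status line, header order and HTML body are constructed.

```python
import re

# Constructed inputs: the two exception messages from the comment.
RAW_MESSAGE_TWO_NEWLINES = "titi \n toto \n"
RAW_MESSAGE_ONE_NEWLINE = "titi \n toto"

_CRLF = re.compile(r"[\r\n]+")


def header_value_is_safe(value: str) -> bool:
    """A header value must not contain CR or LF; either one lets the value end a line."""
    return "\r" not in value and "\n" not in value


def sanitize_header_value(value: str) -> str:
    """Collapse CR/LF runs into a single space and squeeze surrounding whitespace.
    This keeps the message readable while guaranteeing it stays on one header line."""
    return " ".join(_CRLF.sub(" ", value).split())


def build_raw_response(error_message: str, sanitize: bool) -> bytes:
    """Hypothetical serializer: writes headers in the order the comment shows,
    with the error header first, exactly as a naive container would."""
    value = sanitize_header_value(error_message) if sanitize else error_message
    headers = [
        ("X-Tapestry-ErrorMessage", "Render queue error: java.lang.Exception: " + value),
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Content-Encoding", "gzip"),
    ]
    lines = ["HTTP/1.1 500 Internal Server Error"]
    lines += [f"{name}: {val}" for name, val in headers]
    return ("\r\n".join(lines) + "\r\n\r\n<html>error</html>").encode("latin-1")


def parse_headers(raw: bytes):
    """Minimal client-side parse: split on LF (browsers tolerate a bare LF),
    treat the first empty line as the end of the header block, and ignore
    whitespace-led lines as obs-fold continuations. Returns (headers, body)."""
    lines = raw.decode("latin-1").split("\n")
    headers = {}
    i = 1  # skip the status line
    while i < len(lines):
        line = lines[i].rstrip("\r")
        i += 1
        if line == "":
            break  # empty line: header block is over, everything after is body
        if line[0] in " \t":
            continue  # continuation of the previous header value
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers, "\n".join(lines[i:])


if __name__ == "__main__":
    for msg in (RAW_MESSAGE_ONE_NEWLINE, RAW_MESSAGE_TWO_NEWLINES):
        for sanitize in (False, True):
            hdrs, body = parse_headers(build_raw_response(msg, sanitize))
            print(repr(msg), "sanitized" if sanitize else "raw", sorted(hdrs))
```

Running it shows that the unsanitized two-newline message produces a response whose only parsed header is X-Tapestry-ErrorMessage, with "Content-Type: ..." and "Content-Encoding: gzip" sitting in the body, which is what the missing headers in the Firebug listing reflect; after sanitize_header_value every header is where it belongs. The same check is what a defender would apply before any user-influenced string reaches a header setter.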
