[
https://issues.apache.org/jira/browse/TAP5-1004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837247#action_12837247
]
Denis Delangle commented on TAP5-1004:
--------------------------------------
Furthermore, the X-Tapestry-ErrorMessage header is written before the "Content-Encoding:
gzip" header, so the response is either displayed compressed or not displayed at all.
If the exception message contains two "\n", the header is not well formed.
For instance, a page with this content fails to display the error page in
Firefox:
import org.apache.tapestry5.annotations.SetupRender;

// Render-phase method whose exception message contains two "\n" characters
@SetupRender
public void testError() throws Exception {
    String message = "titi \n toto \n";
    throw new Exception(message);
}
The response headers under Firebug are:
Date: Tue, 23 Feb 2010 14:14:35 GMT
Server: Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
X-Tapestry-ErrorMessage: Render queue error in SetupRender[report/test/Page]:
java.lang.Exception: titi toto
If I execute the test with only one "\n", the error page is displayed correctly:
import org.apache.tapestry5.annotations.SetupRender;

// Same method, but the exception message contains a single "\n"
@SetupRender
public void testError() throws Exception {
    String message = "titi \n toto";
    throw new Exception(message);
}
The response headers are:
Date: Tue, 23 Feb 2010 14:21:29 GMT
Server: Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
X-Tapestry-ErrorMessage: Render queue error in SetupRender[report/test/Page]:
java.lang.Exception: titi toto
Content-Type: text/html;charset=UTF-8
Content-Encoding: gzip
Transfer-Encoding: chunked
> X-Tapestry-ErrorMessage may lead to HTTP Response Splitting
> -----------------------------------------------------------
>
> Key: TAP5-1004
> URL: https://issues.apache.org/jira/browse/TAP5-1004
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Paul Rehrl
>
> The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header
> but fails to sanitize or encode the error message. This enables an attacker
> to inject malicious HTTP headers or to provide a 2nd HTTP response.
--
This message is automatically generated by JIRA.
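The following is an added example, not code from Tapestry or from either commenter. It models what the comment above observes: a container that copies the exception text verbatim into X-Tapestry-ErrorMessage (an assumed behaviour, used here only for the demo), and a lenient client parser that treats a line starting with a space as a folded continuation of the previous header and a blank line as the end of the header block. With the one-"\n" message the client folds " toto" into the header and everything still parses; with the two-"\n" message the blank line cuts the header block short, so Content-Type and Content-Encoding land in the body; with a constructed, hypothetical attacker-controlled message containing "\r\n" the client sees an injected header and an attacker-supplied body. sanitize_header_value is the fix the issue asks for: every CR, LF and other control character is replaced before the value reaches the header.

```python
import re

# Constructed inputs: the two messages from the comment above plus a
# hypothetical attacker-controlled message. None of this is Tapestry code.
PREFIX = "Render queue error in SetupRender[report/test/Page]: java.lang.Exception: "
MESSAGE_TWO_LF = "titi \n toto \n"   # fails in Firefox, per the comment
MESSAGE_ONE_LF = "titi \n toto"      # still displays, per the comment
MESSAGE_INJECT = "x\r\nX-Injected: yes\r\n\r\n<html>attacker body</html>"


def sanitize_header_value(value):
    """Make an arbitrary string safe to use as one header value: replace every
    C0 control character and DEL with a space, then collapse whitespace runs.
    No CR or LF can survive, so the value cannot start a new header line."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", " ", value)
    return " ".join(cleaned.split())


def write_response(headers, body):
    """Mimic a container that writes header values verbatim onto the wire
    (assumed behaviour for this demo, modelled on the comment's observation)."""
    lines = ["HTTP/1.1 500 Internal Server Error"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def error_response(message, sanitize):
    """Build the error page the way a handler that copies the exception text
    into X-Tapestry-ErrorMessage would, with or without the fix applied."""
    value = PREFIX + message
    if sanitize:
        value = sanitize_header_value(value)
    headers = [
        ("X-Tapestry-ErrorMessage", value),
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Content-Encoding", "gzip"),
    ]
    return write_response(headers, "<html>real error page</html>")


def parse_response(raw):
    """Lenient client-side parse: LF ends a line and a trailing CR is dropped;
    a line starting with SP or HTAB continues the previous header (obs-fold);
    the first empty line ends the header block and the rest is the body."""
    lines = raw.split("\n")
    status = lines[0].rstrip("\r")
    headers = []
    i = 1
    while i < len(lines):
        line = lines[i].rstrip("\r")
        i += 1
        if line == "":
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return status, headers, "\n".join(lines[i:])


def header_names(raw):
    """Header names a lenient client would recognise in the response."""
    return [name for name, _ in parse_response(raw)[1]]


if __name__ == "__main__":
    cases = [("two LF", MESSAGE_TWO_LF), ("one LF", MESSAGE_ONE_LF),
             ("injected", MESSAGE_INJECT)]
    for label, msg in cases:
        for sanitize in (False, True):
            _, hdrs, body = parse_response(error_response(msg, sanitize))
            print(f"{label:8} sanitize={sanitize!s:5} "
                  f"headers={[n for n, _ in hdrs]} body={body[:32]!r}")
```

The same normalisation in Java is a one-liner such as message.replaceAll("[\\r\\n]+", " ") applied before response.setHeader; the point is to apply it to every attacker-influenceable value, not to depend on the container rejecting CR/LF for you.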