[
https://issues.apache.org/jira/browse/TAP5-1004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914707#action_12914707
]
Hudson commented on TAP5-1004:
------------------------------
Integrated in tapestry-5.2-freestyle #196 (See
[https://hudson.apache.org/hudson/job/tapestry-5.2-freestyle/196/])
TAP5-1004: URLEncode the exception message encoded as a response header and
decode it on the client before displaying it to the user
> X-Tapestry-ErrorMessage may lead to HTTP Response Splitting
> -----------------------------------------------------------
>
> Key: TAP5-1004
> URL: https://issues.apache.org/jira/browse/TAP5-1004
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Paul Rehrl
> Assignee: Howard M. Lewis Ship
> Priority: Minor
> Fix For: 5.2.1
>
>
> The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header
> but fails to sanitize or encode the error message. This enables an attacker
> to inject malicious HTTP headers or to provide a 2nd HTTP response.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
