Hello,

As wished, to the developers list:

The JsfUtils used in DeltaSpike URL-encode the values but not the keys. This allows header injection (see https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this attack type).

As an example, if I open a page without a window ID and thus have a redirect by DefaultClientWindow.getOrCreateWindowId() in it:

    /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a

will cause the key side to be an unescaped part of the redirect URL and thus cause the cookie to be set. The encodeValues parameter should also cause the keys to be encoded as well.

Regards
Ortwin Escher

Fachreferent, Fahrzeug IT, VC-M1
IAV GmbH
Rockwellstrasse 16
38518 GIFHORN
GERMANY
Internet: http://www.iav.com

Sitz/Registered Office: Berlin, Registergericht/Registration Court: Amtsgericht Charlottenburg, Registernummer/Company Registration Number: HRB 21 280, Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert, Olaf Kupke, Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr. Harald Ludanek

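The mechanism the report describes, shown as an added example that is not DeltaSpike's JsfUtils code: a query-string builder that URL-encodes only the values lets a crafted parameter *name* carry a raw newline into the redirect target, while encoding keys with the same encoder removes the line break. The class and method names (RedirectQueryDemo, vulnerableBuild, safeBuild, containsHeaderBreak) and the "windowId" parameter are assumptions made for the illustration; the crafted key is the decoded form of the query string in the report.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not DeltaSpike code. Method names are hypothetical.
public class RedirectQueryDemo {

    // Mirrors the reported behaviour: values are URL-encoded, keys are appended raw.
    static String vulnerableBuild(String path, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(path);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(e.getKey())                                        // key NOT encoded
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return sb.toString();
    }

    // The fix the report asks for: keys go through the same encoder as values.
    static String safeBuild(String path, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(path);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))   // key encoded
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = "&";
        }
        return sb.toString();
    }

    // Defensive check before a value is handed to sendRedirect / a Location header:
    // a CR or LF in the target is exactly what response splitting needs.
    static boolean containsHeaderBreak(String url) {
        return url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the server-side view of the crafted request
        //   /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
        // i.e. a parameter whose NAME is "\nSet-Cookie: newcookie=injectme\n" and whose value is empty.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\nSet-Cookie: newcookie=injectme\n", "");
        params.put("windowId", "1234");   // hypothetical window-id parameter added by the redirect

        String bad = vulnerableBuild("/somepage.xhtml", params);
        String good = safeBuild("/somepage.xhtml", params);

        System.out.println("vulnerable: " + bad.replace("\n", "\\n"));
        System.out.println("safe:       " + good);
        System.out.println("header break in vulnerable target: " + containsHeaderBreak(bad));   // true
        System.out.println("header break in safe target:       " + containsHeaderBreak(good));  // false
    }
}
```

The vulnerable builder yields a target containing a literal line break followed by `Set-Cookie: newcookie=injectme`, so if that string is written into a `Location` header unchanged the client sees a second header; the safe builder turns the same key into `%0ASet-Cookie%3A+newcookie%3Dinjectme%0A`, which stays inside the URL. Whether a raw line break actually reaches the client also depends on the servlet container, since several current containers reject or strip CR/LF in header values; the encoding fix belongs in the builder regardless, because the library should not rely on that behaviour.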