[
https://issues.apache.org/jira/browse/DELTASPIKE-963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638440#comment-14638440
]
Ortwin Escher commented on DELTASPIKE-963:
------------------------------------------
The fix works, thank you!
> Header injection due to unescaped key in JsfUtils
> -------------------------------------------------
>
> Key: DELTASPIKE-963
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-963
> Project: DeltaSpike
> Issue Type: Bug
> Affects Versions: 1.4.1
> Reporter: Ortwin Escher
> Assignee: Thomas Andraschko
> Fix For: 1.4.3
>
>
> The JsfUtils used in DeltaSpike URLEncode the values but not the keys. This
> allows header injection (see
> https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this
> attack type). As an example if I open a page without window ID and thus have
> a redirect by DefaultClientWindow.getOrCreateWindowId() in it:
> /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
> will cause the key side to be an unescaped part of the redirect URL and thus
> cause the cookie to be set. The encodeValues parameter should also cause the
> keys to be encoded as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
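The report above boils down to one builder behaviour: values are URL-encoded before being appended to the redirect URL, keys are not, so a key containing CR/LF survives into the Location header. The following Java example is added here to illustrate that difference and the check a defender wants at the point of redirect; it is not DeltaSpike's JsfUtils code and does not reproduce its API. The constructed input is the decoded form of the query string quoted in the report, and the `windowId` parameter name is a hypothetical placeholder, not DeltaSpike's real window-id parameter.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectParamEncoding {

    // Builder that encodes only the values: the behaviour described in the report.
    // A key holding CR/LF is copied into the query string unchanged.
    static String buildQueryValuesOnly(Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(e.getKey())
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // Hardened builder: keys and values are both URL-encoded, so CR, LF, ':'
    // and other header-significant characters become %XX escapes.
    static String buildQueryEncoded(Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // Last-line check before a redirect is issued: a Location value must never
    // contain a raw CR or LF, whatever the builder did.
    static boolean containsCrLf(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed input: decoded form of "?%0aSet-Cookie:%20newcookie%3Dinjectme%0a"
        // as quoted in the report, plus a hypothetical window-id parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\nSet-Cookie: newcookie=injectme\n", "");
        params.put("windowId", "1234");

        String naive = buildQueryValuesOnly(params);
        String safe = buildQueryEncoded(params);

        System.out.println("values only: " + naive.replace("\n", "\\n")
                + "  crlf present=" + containsCrLf(naive));
        System.out.println("keys+values: " + safe
                + "  crlf present=" + containsCrLf(safe));
    }
}
```

Run stand-alone, the first line shows the newline characters still embedded in the query string and `crlf present=true`; the second shows the key rendered as `%0ASet-Cookie%3A+newcookie%3Dinjectme%0A` and `crlf present=false`. The `containsCrLf` check is worth keeping at the redirect call site even after the builder is fixed, because it catches any other path by which untrusted text reaches a header.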