On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
> FYI, I have implemented some restrictions and alterations to mod_lua, to
> prevent HTTP Response Splitting in cases where users fail to properly
> check their output or think mod_lua takes care of everything all by itself.

Hmmm ...

> > + if (ap_strchr_c(val, '\n')) {
> > + val = "[ERROR: Value contains newline, ignored.]";
> > + }
> > apr_table_set(t, key, val);
> > return 0;
> > }

Is that exactly what you meant to do? You've set val to something that could conceivably be a legitimate value and continued normally. Why not instead strip the newline character and log a warning?

-- 
Nick Kew
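Review bot: the check in the quoted hunk tests only for '\n', so a value containing a bare '\r' still reaches apr_table_set unchanged; since the stated goal is preventing response splitting, CR should be treated the same way as LF. The hunk also stores the sentinel string as the header value without writing anything to the error log, so the substitution is invisible to the administrator and indistinguishable from a caller that legitimately set that text; stripping or rejecting the offending characters and logging a warning at that point would make the failure visible.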