On 03/27/2014 01:15 PM, Nick Kew wrote:
> On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
>> FYI, I have implemented some restrictions and alterations to mod_lua, to
>> prevent HTTP Response Splitting in cases where users fail to properly
>> check their output or think mod_lua takes care of everything all by itself.
> 
> Hmmm ...
> 
>>> +    if (ap_strchr_c(val, '\n')) {
>>> +        val = "[ERROR: Value contains newline, ignored.]";
>>> +    }
>>>      apr_table_set(t, key, val);
>>>      return 0;
>>>  }
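Review bot: The `ap_strchr_c(val, '\n')` check tests only for LF, so a value carrying a bare `\r` still reaches `apr_table_set(t, key, val)` unchanged; consider rejecting `\r` as well. Separately, the placeholder string is stored as the value and the function still returns 0, so the caller gets no indication that its value was discarded; a comment documenting that behaviour, or a distinct return path, would make the substitution visible to whoever calls this.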
> 
> Is that exactly what you meant to do?  You've set val
> to something that could conceivably be a legitimate value and
> continued normally.
> 
> Why not instead strip the newline character and log a warning?
> 
You can't log a warning or strip the newline;
1) it's a const char* so magical things will happen if you edit it(?)
2) we don't have a pool handy to make a new string without the newline
or log an error.

As I said in the commit msg in trunk, it's an ugly hack, and if someone
finds a more clever way of solving it, I'm all ears :) Maybe I'm
forgetting something entirely obvious, who knows.

With regards,
Daniel.
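
The following is an added example, not part of the thread and not mod_lua or APR code: a stand-alone C sketch of a read-only check that refuses a header value containing CR or LF without modifying the `const char *` or allocating from a pool, and that shows how an unchecked value turns one header into two on the wire. The names `header_value_ok`, `emit_header` and `count_header_lines` and the sample value are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a mod_lua or APR function: returns 1 when a
 * header value is safe to emit, 0 when it is NULL or contains CR or LF.
 * It only reads the const string, so it needs no pool and no copy. */
static int header_value_ok(const char *val)
{
    return val != NULL && strpbrk(val, "\r\n") == NULL;
}

/* Serialise one header into buf as it would appear on the wire.
 * With check != 0 an unsafe value is refused (returns -1, nothing written).
 * Returns the number of bytes written, or -1 on refusal or truncation. */
static int emit_header(char *buf, size_t len, const char *key,
                       const char *val, int check)
{
    int n;
    if (check && !header_value_ok(val))
        return -1;
    n = snprintf(buf, len, "%s: %s\r\n", key, val);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Count the header lines a receiver would see in buf (one per LF). */
static int count_header_lines(const char *buf)
{
    int lines = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample: a single value that carries an embedded CRLF. */
    const char *tainted = "en\r\nX-Injected: 1";
    char wire[128];

    emit_header(wire, sizeof wire, "Content-Language", tainted, 0);
    printf("unchecked: %d header lines\n", count_header_lines(wire));
    if (emit_header(wire, sizeof wire, "Content-Language", tainted, 1) < 0)
        printf("checked: value rejected\n");
    return 0;
}
```

Returning a status instead of substituting a placeholder string leaves the decision to log, strip or abort with the caller, which is where a pool and a request record would be available.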
