On Thu, Mar 27, 2014 at 8:21 AM, Daniel Gruno <rum...@cord.dk> wrote:

> On 03/27/2014 01:15 PM, Nick Kew wrote:
> > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
> >> FYI, I have implemented some restrictions and alterations to mod_lua, to
> >> prevent HTTP Response Splitting in cases where users fail to properly
> >> check their output or think mod_lua takes care of everything all by
> >> itself.
> >
> > Hmmm ...
> >
> >>> +    if (ap_strchr_c(val, '\n')) {
> >>> +        val = "[ERROR: Value contains newline, ignored.]";
> >>> +    }
> >>>      apr_table_set(t, key, val);
> >>>      return 0;
> >>>  }
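
Review bot: the check added before apr_table_set only looks for '\n', so a value containing a bare '\r' or any other control byte still reaches the table unchanged; consider testing for every byte that is invalid in a header value rather than newline alone. Also, the replacement string says "ignored", yet the code falls through to apr_table_set(t, key, val) and return 0, so the placeholder text is stored as the header value and the caller gets no indication of failure. Skipping the set and signalling an error to the caller would avoid sending a placeholder that could be mistaken for real data.
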
> >
> > Is that exactly what you meant to do?  You've set val
> > to something that could conceivably be a legitimate value and
> > continued normally.
> >
> > Why not instead strip the newline character and log a warning?
> >
> You can't log a warning or strip the newline;
> 1) it's a const char* so magical things will happen if you edit it(?)
> 2) we don't have a pool handy to make a new string without the newline
> or log an error.
>
> As I said in the commit msg in trunk, it's an ugly hack, and if someone
> finds a more clever way of solving it, I'm all ears :) Maybe I'm
> forgetting something entirely obvious, who knows.
>
> With regards,
> Daniel.
>

Just remove it?

And what about other control characters such as \r, or generally any
character/byte sequence that is not valid here?

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
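
Added example (not from the thread or from the httpd code base): one way to cover the question about \r and other control bytes under the constraints listed in the quoted reply, by validating the const char* in place and refusing the value instead of rewriting it. The header_slot struct and set_header_checked function are hypothetical stand-ins for the real header table and setter.

```c
#include <stddef.h>
#include <stdio.h>

/* Return 1 when val holds only bytes that are safe in a header field value:
 * HTAB, SP, printable ASCII and bytes >= 0x80. CR, LF, every other control
 * byte and DEL are rejected. The string is only read, so a const char* is
 * fine and no pool or allocation is needed. */
static int header_value_is_safe(const char *val)
{
    const unsigned char *p = (const unsigned char *)val;
    if (val == NULL)
        return 0;
    for (; *p != '\0'; p++) {
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical one-slot stand-in for the header table (assumption, so the
 * example builds without APR). */
struct header_slot {
    const char *key;
    const char *val;
};

/* Hypothetical setter: store the pair only if both strings pass the check.
 * Returns 0 on success and -1 on rejection, leaving the slot untouched, so
 * the caller decides how to report the error. */
static int set_header_checked(struct header_slot *slot,
                              const char *key, const char *val)
{
    if (!header_value_is_safe(key) || !header_value_is_safe(val))
        return -1;
    slot->key = key;
    slot->val = val;
    return 0;
}

int main(void)
{
    struct header_slot slot = { NULL, NULL };
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "text/plain", "a\r\nInjected: 1", "a\rb" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d\n", set_header_checked(&slot, "X-Example", samples[i]));
    return 0;
}
```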
