On Thu, Mar 27, 2014 at 8:21 AM, Daniel Gruno <rum...@cord.dk> wrote:
> On 03/27/2014 01:15 PM, Nick Kew wrote:
> > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
> >> FYI, I have implemented some restrictions and alterations to mod_lua, to
> >> prevent HTTP Response Splitting in cases where users fail to properly
> >> check their output or think mod_lua takes care of everything all by itself.
> >
> > Hmmm ...
> >
> >>> + if (ap_strchr_c(val, '\n')) {
> >>> + val = "[ERROR: Value contains newline, ignored.]";
> >>> + }
> >>> apr_table_set(t, key, val);
> >>> return 0;
> >>> }
> >
> > Is that exactly what you meant to do? You've set val
> > to something that could conceivably be a legitimate value and
> > continued normally.
> >
> > Why not instead strip the newline character and log a warning?
> >
> You can't log a warning or strip the newline;
> 1) it's a const char* so magical things will happen if you edit it(?)
> 2) we don't have a pool handy to make a new string without the newline
> or log an error.
>
> As I said in the commit msg in trunk, it's an ugly hack, and if someone
> finds a more clever way of solving it, I'm all ears :) Maybe I'm
> forgetting something entirely obvious, who knows.
>
> With regards,
> Daniel.
>

Just remove it?

And what about other control characters such as \r, or generally any character/byte sequence that is not valid here?

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
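
Review bot: The added test `ap_strchr_c(val, '\n')` only looks for LF, so a value containing a bare CR still reaches `apr_table_set(t, key, val)` unchanged; check for '\r' as well, and preferably for any control byte. Separately, on the `val = "[ERROR: Value contains newline, ignored.]";` line, the code substitutes a placeholder and then continues to `apr_table_set` and `return 0`, so the table ends up holding a value the script never supplied and the caller sees success. Skipping the `apr_table_set` call and signalling failure to the caller would make the rejection visible and needs neither a pool nor a write to the const string.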
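
The broader check asked about in the reply above (CR and other control bytes, not only LF), as an added example that is not part of the original message or of mod_lua. The helper names, the callback type and the sample values are hypothetical; the setter callback stands in for `apr_table_set` so the block runs without APR.

```c
#include <stdio.h>

/* Hypothetical helper: offset of the first byte that may not appear in an
 * HTTP header field value, or -1 if the value is clean. HTAB, SP, visible
 * ASCII (0x21-0x7E) and bytes 0x80-0xFF pass; CR, LF, DEL and every other
 * control byte are rejected. It only reads val and allocates nothing, so
 * it needs neither a pool nor a writable string. */
static long first_bad_header_byte(const char *val)
{
    const unsigned char *start = (const unsigned char *)val;
    const unsigned char *p;
    for (p = start; *p; p++) {
        if (*p == '\t') continue;
        if (*p < 0x20 || *p == 0x7f) return (long)(p - start);
    }
    return -1;
}

/* Stand-in for the real table setter (apr_table_set in the quoted patch). */
typedef void (*header_setter)(void *table, const char *key, const char *val);

/* Hypothetical wrapper: store the value only if it is clean. Returns 0 on
 * success, or 1 + the offending offset so the caller can raise an error. */
static long set_header_checked(void *table, header_setter set,
                               const char *key, const char *val)
{
    long bad = first_bad_header_byte(val);
    if (bad >= 0) return bad + 1;      /* refuse: nothing is stored */
    set(table, key, val);
    return 0;
}

/* Constructed demo setter: counts how many values were accepted. */
static void count_set(void *table, const char *key, const char *val)
{
    (void)key; (void)val;
    ++*(int *)table;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "text/html; charset=utf-8",
                              "ok\r\nX-Injected: 1", "a\rb", "tab\tok" };
    int stored = 0;
    for (unsigned i = 0; i < 4; i++)
        printf("sample %u -> %ld\n", i,
               set_header_checked(&stored, count_set, "X-Demo", samples[i]));
    printf("stored %d of 4\n", stored);
    return 0;
}
```

Rejecting CR and LF outright also rejects folded (multi-line) header values, which is stricter than stripping the newline as suggested in the thread.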