[ https://issues.apache.org/jira/browse/TRINIDAD-24?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam Winer updated TRINIDAD-24:
-------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> JspUtils.getEncoding() blindly returns the results of the "enc" parameter,
> which could have been maliciously tampered with to include additional header
> values
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: TRINIDAD-24
> URL: https://issues.apache.org/jira/browse/TRINIDAD-24
> Project: MyFaces Trinidad
> Issue Type: Bug
> Affects Versions: 2.0.0-incubating-core-SNAPSHOT,
> 1.0.1-incubating-core-SNAPSHOT
> Environment: Generic Issue
> Reporter: Blake Sullivan
> Assigned To: Adam Winer
> Fix For: 1.0.1-incubating-core-SNAPSHOT
>
> Attachments: HeaderSplitting.patch
>
>
> JspUtils.getEncoding() blindly returns the results of the "enc" parameter,
> which could have been maliciously tampered with to include additional header
> values. If this value is then used to set the contentType on the
> ServletResponse and the Servlet Engine performs no validation, attackers can
> use this behavior as part of a header splitting attack. Note that Trinidad's
> current use of this function does not have this issue, as the ResponseWriter
> attempts to retrieve a CharacterEncoder with the specified encoding and this
> fails. The fix is to validate that the encoding in the RequestParameter at
> the very least contains no header delimiters.
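The validation the issue calls for, as an added example; it is not Trinidad's code and not the attached HeaderSplitting.patch. It goes one step beyond the minimum check by allow-listing the charset-name syntax and requiring a charset the JVM supports. The class and method names are hypothetical and the sample "enc" values are constructed.

```java
import java.nio.charset.Charset;
import java.util.regex.Pattern;

// Added example; class and method names are hypothetical, not Trinidad's API.
public final class EncodingParamCheck {
    // Java's legal charset-name alphabet: starts with a letter or digit, then
    // letters, digits, '-', '+', '.', ':' or '_'. CR, LF and ';' can never match.
    private static final Pattern LEGAL_NAME =
        Pattern.compile("[A-Za-z0-9][A-Za-z0-9+.:_-]{0,39}");

    // Minimum check named in the issue: no header delimiters in the value.
    static boolean hasHeaderDelimiter(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    // Stricter check: allow-list the syntax, then require a charset the JVM knows.
    // Returns the fallback instead of echoing a rejected value.
    static String safeEncoding(String enc, String fallback) {
        if (enc == null || hasHeaderDelimiter(enc) || !LEGAL_NAME.matcher(enc).matches()) {
            return fallback;
        }
        return Charset.isSupported(enc) ? enc : fallback;
    }

    public static void main(String[] args) {
        // Constructed sample values for the "enc" request parameter.
        String[] samples = {
            "UTF-8",
            "ISO-8859-1",
            "no-such-charset",
            "UTF-8\r\nX-Constructed-Header: 1",   // tampered: CRLF then an extra header line
            "UTF-8\n",
        };
        for (String enc : samples) {
            String unchecked = "text/html; charset=" + enc;   // value passed through as-is
            String checked = "text/html; charset=" + safeEncoding(enc, "UTF-8");
            System.out.printf("%-34s -> lines in unchecked header value: %d, checked: %s%n",
                enc.replace("\r", "\\r").replace("\n", "\\n"),
                unchecked.split("\r?\n", -1).length, checked);
        }
    }
}
```

Any unchecked value that spans more than one line is the condition the issue describes; the checked value is always a single line naming a supported charset.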