On 2 Feb 2010, at 09:11, Felix Meschberger wrote:
>>
>>
>> btw, SlingSafeMethodsServlet.doTrace looks like it might be vulnerable to
>> Response splitting, it echoes headers back to the response stream without
>> making them safe.
>
> Agreed with Bertrand, let's create an issue and fix this in the
> SlingSafeMethodsServlet.doTrace method (probably just omitting any known
> security relevant headers like Set-Cookie and Authorization).
>
> Regards
> Felix
It might just need
headerName = headerName.replace('\n',' ').replace('\r',' ');
headerValue = headerValue.replace('\n',' ').replace('\r',' ');
or something like that since the split can be applied to any header.
Ian
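
The two mitigations discussed in this thread (omitting security-relevant headers such as Set-Cookie and Authorization, and replacing CR/LF in header names and values), combined in an added example that is not part of the original messages and is not Sling's code. The class name TraceEchoSanitizer, its method names and the sample headers are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class TraceEchoSanitizer {
    // Headers left out of the echo, as suggested in the thread (hypothetical list).
    private static final Set<String> OMITTED = Set.of("set-cookie", "authorization");

    // Replace CR and LF so no echoed name or value can start a new line.
    static String stripLineBreaks(String s) {
        return s == null ? "" : s.replace('\n', ' ').replace('\r', ' ');
    }

    // Build the echoed TRACE body: request line, then one line per kept header.
    static String buildTraceBody(String requestLine, Map<String, String> headers) {
        StringBuilder body = new StringBuilder(stripLineBreaks(requestLine)).append("\r\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String name = stripLineBreaks(h.getKey());
            // Compare case-insensitively; header names are not case-sensitive.
            if (OMITTED.contains(name.trim().toLowerCase(Locale.ROOT))) {
                continue;
            }
            body.append(name).append(": ")
                .append(stripLineBreaks(h.getValue())).append("\r\n");
        }
        return body.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request headers, including a value carrying CR/LF.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "example.org");
        headers.put("Authorization", "Basic placeholder");
        headers.put("X-Test", "a\r\nInjected-Header: b");

        String body = buildTraceBody("TRACE /content HTTP/1.1", headers);
        System.out.print(body);

        // Request line + Host + X-Test: the CR/LF did not create a fourth line,
        // and the Authorization header was not echoed.
        if (body.split("\r\n").length != 3 || body.contains("Basic placeholder")) {
            throw new AssertionError("unexpected TRACE echo: " + body);
        }
    }
}
```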