[ https://issues.apache.org/jira/browse/DELTASPIKE-963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638440#comment-14638440 ]

Ortwin Escher commented on DELTASPIKE-963:
------------------------------------------

The fix works, thank you!

> Header injection due to unescaped key in JsfUtils
> -------------------------------------------------
>
>                 Key: DELTASPIKE-963
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-963
>             Project: DeltaSpike
>          Issue Type: Bug
>    Affects Versions: 1.4.1
>            Reporter: Ortwin Escher
>            Assignee: Thomas Andraschko
>             Fix For: 1.4.3
>
>
> The JsfUtils used in DeltaSpike URL-encode the values but not the keys. This
> allows header injection (see
> https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this
> attack type). As an example, if I open a page without window ID and thus have
> a redirect by DefaultClientWindow.getOrCreateWindowId() in it:
> /somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
> will cause the key side to be an unescaped part of the redirect URL and thus
> cause the cookie to be set. The encodeValues parameter should also cause the
> keys to be encoded as well.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
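The mechanism the ticket describes, shown as an added standalone example (this is not DeltaSpike's JsfUtils code, and the class and method names are hypothetical): a query-string builder that encodes only values passes a decoded parameter key containing CR/LF straight through to the redirect target, while a builder that percent-encodes keys as well neutralises it. A small check for raw line breaks in the assembled URL is included as the kind of assertion a defender can put in front of any Location header write. The sample parameter map is constructed to mirror the ticket's decoded query string; java.net.URLEncoder's Charset overload requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not DeltaSpike code: why a redirect builder must
// percent-encode parameter keys as well as values. All names are hypothetical.
public class RedirectQueryEncoding {

    // Percent-encodes one query component (Java 10+ Charset overload of URLEncoder).
    static String encode(String s) {
        return URLEncoder.encode(s == null ? "" : s, StandardCharsets.UTF_8);
    }

    // Pattern the ticket reports: values are encoded, keys are appended verbatim.
    static String buildQueryValuesOnly(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(e.getKey()).append('=').append(encode(e.getValue()));
        }
        return sb.toString();
    }

    // Corrected pattern: keys and values are both encoded, so CR/LF from a
    // decoded request parameter cannot reach the Location header as raw bytes.
    static String buildQueryKeysAndValues(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(encode(e.getKey())).append('=').append(encode(e.getValue()));
        }
        return sb.toString();
    }

    // Defensive check for a redirect target: a raw CR or LF anywhere in the
    // string means the URL must not be written into a response header.
    static boolean containsRawLineBreak(String url) {
        return url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the servlet container has already percent-decoded
        // the query string from the ticket, so the key holds a real newline.
        Map<String, String> decoded = new LinkedHashMap<>();
        decoded.put("\nSet-Cookie: newcookie=injectme\n", "");
        decoded.put("lang", "en"); // constructed second parameter

        String unsafe = "/somepage.xhtml?" + buildQueryValuesOnly(decoded);
        String safe = "/somepage.xhtml?" + buildQueryKeysAndValues(decoded);

        // Newlines are made visible so the difference shows on one terminal line.
        System.out.println("values only : " + unsafe.replace("\n", "\\n"));
        System.out.println("  raw CR/LF : " + containsRawLineBreak(unsafe));
        System.out.println("keys+values : " + safe);
        System.out.println("  raw CR/LF : " + containsRawLineBreak(safe));
    }
}
```

In the encoded-keys form the key becomes a single opaque token (newline, colon and space all percent-encoded), so the redirect URL stays on one line and no header boundary can be introduced from request data; the same encoder is applied to both halves of every pair, which is the behaviour the ticket asks the encodeValues parameter to cover.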