Open meg23 opened 9 years ago
@xeno6696 Weird that we had a duplicate 209 and 210. Too much caffeine that day for Manico? :)
Note that we should automatically do this cleansing to prevent HTTP Response Splitting for any cookies or other HTTP response headers that ESAPI may create. May require a code inspection to find all the cases.
To satisfy the first item:
- Input Validation function that specifically strips linefeed line control characters after canonicalization

One can simply use the stripControls() static method from the org.owasp.esapi.StringUtilities class. Based on that, it is relatively easy to create the second item. But this is largely what SecurityWrapper already does.

Reset the priority from Medium to Low since there is already a way to accomplish this via StringUtilities.stripControls(). Plus it is open source with a liberal new BSD license. Pull out the code from SecurityWrapper to do only what you want it to do.
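The two-step defence the comment above describes (canonicalize the value, then strip control characters before it reaches a response header) as an added, self-contained example. This is not ESAPI code and does not use StringUtilities or SecurityWrapper: the class name HeaderSanitizer, its methods, the repeated percent-decoding that stands in for ESAPI's canonicalization, and the sample header values are all constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative header sanitizer (added example, not ESAPI code).
 * Canonicalizes a header value first, then strips control characters,
 * so a caller can never push CR/LF into an HTTP response header.
 */
public final class HeaderSanitizer {

    private HeaderSanitizer() {}

    /** Simplified canonicalization: percent-decode until the value stops changing. */
    static String canonicalize(String value) {
        String current = value;
        // Bounded loop: a value that needs many rounds of decoding is itself suspicious.
        for (int i = 0; i < 5; i++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, "UTF-8");
            } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                break; // malformed %xx sequence: stop decoding, the strip step still runs
            }
            if (decoded.equals(current)) {
                break;
            }
            current = decoded;
        }
        return current;
    }

    /** Remove every ASCII control character (0x00-0x1F and 0x7F), which covers CR and LF. */
    static String stripControls(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c >= 0x20 && c != 0x7F) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Order matters: stripping before decoding would let "%0d%0a" through to be decoded later. */
    static String sanitizeHeaderValue(String value) {
        return stripControls(canonicalize(value));
    }

    /** Header names are RFC 7230 tokens; anything else is rejected rather than repaired. */
    static boolean isValidHeaderName(String name) {
        return name != null && name.matches("[A-Za-z0-9!#$%&'*+.^_`|~-]+");
    }

    /** Wrapper-style entry point: the only way to put a header into this map is through the sanitizer. */
    static void addHeader(Map<String, String> headers, String name, String value) {
        if (!isValidHeaderName(name)) {
            throw new IllegalArgumentException("invalid header name: " + name);
        }
        headers.put(name, sanitizeHeaderValue(value));
    }

    public static void main(String[] args) {
        // Constructed sample values: raw, single-encoded and double-encoded line breaks.
        String raw = "lang=en\r\nSet-Cookie: role=admin";
        String encoded = "lang=en%0d%0aSet-Cookie: role=admin";
        String doubleEncoded = "lang=en%250d%250aSet-Cookie: role=admin";

        Map<String, String> headers = new LinkedHashMap<>();
        addHeader(headers, "X-Lang", raw);
        addHeader(headers, "X-Lang-Enc", encoded);
        addHeader(headers, "X-Lang-Dbl", doubleEncoded);

        // Every value comes out as "lang=enSet-Cookie: role=admin" with no CR or LF left in it.
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String v = h.getValue();
            boolean hasLineBreak = v.indexOf('\r') >= 0 || v.indexOf('\n') >= 0;
            System.out.println(h.getKey() + ": " + v + "   [contains CR/LF: " + hasLineBreak + "]");
        }
    }
}
```

Two design points worth keeping in mind when adapting this: silently stripping turns a hostile value into a slightly different but still accepted one, so for values that should never contain control characters (cookie names, redirect targets) rejecting the request is the stricter choice; and the canonicalization here only handles percent-encoding, whereas a production encoder must also cover the other encodings the value may pass through before it is written to the wire.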
From manico.james@gmail.com on January 30, 2011 13:40:05
I think we need a better strategy for response splitting defense.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=201