> I think we need a better strategy for response splitting defense.
>
> Right now, the only advice we give is to use the Request/Response
> wrappers, a defense that is not practical for all shops.
>
> I think we need 2 approaches:
>
> 1) Input Validation function that specifically strips linefeed line-control
> characters after canonicalization
> 2) Header Encoder that renders linefeed control characters inert (the
> best defense is always at the usage boundary)
>
> Thoughts?
Original issue reported on code.google.com by manico.james@gmail.com on 30 Jan 2011 at 6:40
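Added example, not code from this issue or from the project it belongs to: both proposed approaches side by side, with the vulnerable pattern they replace. The function names (`canonicalize`, `validate_header_value`, `encode_for_header`, `build_redirect`), the five-round decoding limit, the choice to percent-encode rather than drop control characters in the encoder, and the two payloads are all assumptions made for illustration.

```python
"""Two defenses against HTTP response splitting: an input validator that
strips line-control characters after canonicalization, and a header encoder
applied at the point where a value is written into a header."""
import re
import urllib.parse

# CR and LF are the response-splitting primitives; the other C0 controls and
# DEL are included because a header value must not carry them either.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def canonicalize(value, max_rounds=5):
    """Reduce a value to its simplest form before validating it.

    Percent-decodes until the value stops changing, so a double-encoded
    payload such as %250d%250a (-> %0d%0a -> CR LF) is exposed. A value that
    is still changing after max_rounds is rejected outright: legitimate
    input is not encoded that deeply. (max_rounds=5 is an assumed policy.)
    """
    current = value
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("value did not stabilize after %d decoding rounds" % max_rounds)


def validate_header_value(value):
    """Approach 1: canonicalize, then strip line-control characters.

    Meant for the input boundary (e.g. a redirect target read from a query
    parameter). Returns the cleaned canonical form; a stricter policy would
    raise instead of stripping, so the attempt is logged and rejected.
    """
    return CONTROL_CHARS.sub("", canonicalize(value))


def encode_for_header(value):
    """Approach 2: render line-control characters inert at the usage boundary.

    Percent-encodes CR, LF and the other control characters so whatever
    reaches the wire is a single header line; the payload survives, visibly,
    as %0D%0A in logs. No canonicalization here: an already-encoded %0d%0a in
    a header value is harmless on the wire, because the client does not turn
    it back into a line break when it parses headers.
    """
    return CONTROL_CHARS.sub(lambda m: "%%%02X" % ord(m.group(0)), value)


def build_redirect(target, defense):
    """Serialize a 302 whose Location comes from untrusted input.

    defense is None (the vulnerable pattern), "validate" or "encode". The
    single unquote models the one decode a framework's query-string parser
    performs before handing the value to application code.
    """
    decoded = urllib.parse.unquote(target)
    if defense == "validate":
        location = validate_header_value(target)
    elif defense == "encode":
        location = encode_for_header(decoded)
    else:
        location = decoded
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def header_lines(raw_response):
    """Header lines of a serialized response, status line excluded."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


# Constructed payloads (not taken from any real report): a redirect target
# that tries to inject a Set-Cookie header, plain and double-encoded.
PAYLOAD = "/home%0d%0aSet-Cookie:%20session=attacker"
DOUBLE_ENCODED = "/home%250d%250aSet-Cookie:%2520session=attacker"

if __name__ == "__main__":
    for defense in (None, "validate", "encode"):
        print(defense, header_lines(build_redirect(PAYLOAD, defense)))
    # A check that decodes once misses the double-encoded form;
    # canonicalization does not.
    print("\r" in urllib.parse.unquote(DOUBLE_ENCODED),
          "\r" in canonicalize(DOUBLE_ENCODED))
```

The validator catches the double-encoded payload only because it decodes to a fixed point first; a filter that decodes once sees no CR in `DOUBLE_ENCODED`. The encoder never needs to, since it sits where the bytes are written and treats whatever it is given as opaque text, which is why it is the defense that still holds when a value reaches the header through some path the validator never saw.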