javaee / metro-saaj

https://javaee.github.io/metro-saaj

Folded HTTP headers should not be used #75

Open glassfishrobot opened 10 years ago

glassfishrobot commented 10 years ago

The original problem we encountered is this one: https://bugs.eclipse.org/bugs/show_bug.cgi?id=444222

As a colleague from the Jetty team clarified, folded HTTP headers are forbidden: http://tools.ietf.org/html/rfc7230#section-3.2.4

However, the toString() method of com.sun.xml.messaging.saaj.packaging.mime.internet.ParameterList injects a \r\n\t into the Content-Type when it would exceed 76 characters.

This causes problems when SAAJ is used together with Jetty.

Affected Versions

[current]

glassfishrobot commented 10 years ago

Reported by ibrencsics

glassfishrobot commented 10 years ago

gregwilkins said: Note also that there is no provision in the servlet API to pass prefolded headers in either response.setContentType or response.setHeader.

Any attempt to allow the injection of \r\n characters in header values would expose the server to significant security problems. For example if an attacker was able to influence a content type and/or header value to be something like: application/soap+xml; charset=utf-8; \r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n .... then responses could be injected.

We cannot rely on the application to provide the \t that turns a response injection attack into a folded header value.
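The following is an added, standalone Python illustration of the two points made in this thread; it is not code from SAAJ, Jetty or this issue. It re-creates the 76-column folding the report describes for ParameterList.toString() (an assumption about that method's behaviour, not a copy of its source), shows with a constructed attack string of the shape gregwilkins quotes how a plain CRLF-splitting client turns an unvalidated header value into a second response, and shows the check a container should apply to every header value regardless of whether a tab follows the CRLF. The MIME parameters, header names and inputs are constructed for the example.

```python
"""Standalone Python illustration of the two points raised in this issue.
It is not SAAJ or Jetty code: it re-creates the 76-column folding the
report describes for ParameterList.toString(), shows why a plain
CRLF-splitting client reads an injected value as extra responses, and
shows the check a container should apply to every header value."""
import re

FOLD_LIMIT = 76  # assumed threshold, the figure quoted in the report


def fold_content_type(mime_type, params):
    """Serialize a Content-Type, inserting CRLF + TAB before any parameter
    that would push the current line past FOLD_LIMIT (obs-fold, which
    RFC 7230 section 3.2.4 says a sender MUST NOT generate).  This is an
    assumption about ParameterList.toString(), not a copy of it."""
    out, used = mime_type, len(mime_type)
    for name, value in params.items():
        piece = "; %s=%s" % (name, value)
        if used + len(piece) > FOLD_LIMIT:
            out += "\r\n\t"
            used = 1  # the tab occupies the first column of the new line
        out += piece
        used += len(piece)
    return out


OBS_FOLD = re.compile(r"\r\n[ \t]")
FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_obs_fold(value):
    """True if the value contains a CRLF continuation (obs-fold)."""
    return OBS_FOLD.search(value) is not None


def validate_header_value(value):
    """The check a servlet container should apply in setHeader and
    setContentType: reject CR, LF and NUL unconditionally.  Whether a
    tab follows the CRLF is irrelevant; the caller cannot be trusted to
    supply it."""
    if FORBIDDEN.search(value):
        raise ValueError("CR, LF or NUL in header value")
    return value


def accepts_header_value(value):
    try:
        validate_header_value(value)
        return True
    except ValueError:
        return False


def serialize_response(status_line, headers, body):
    """Naive serializer with no validation: the vulnerable path."""
    head = "\r\n".join([status_line] + ["%s: %s" % kv for kv in headers])
    return head + "\r\n\r\n" + body


def parse_responses(stream):
    """Read a string the way a simple pipelining client does: split on the
    first blank line, unfold obs-fold continuation lines into the previous
    header, then take Content-Length bytes of body.  Returns a list of
    (status_line, headers, body) tuples; stops at the first block that is
    not a status line."""
    responses = []
    while stream:
        head, sep, rest = stream.partition("\r\n\r\n")
        if not sep or not head.startswith("HTTP/"):
            break
        lines = head.split("\r\n")
        status, headers, last = lines[0], {}, None
        for line in lines[1:]:
            if line[:1] in (" ", "\t") and last is not None:
                headers[last] += " " + line.strip()  # unfold obs-fold
                continue
            name, _, val = line.partition(":")
            last = name.strip().lower()
            headers[last] = val.strip()
        length = int(headers.get("content-length", "0") or 0)
        body, stream = rest[:length], rest[length:]
        responses.append((status, headers, body))
    return responses


def responses_seen(content_type_value):
    """Responses a client parses from ONE server response whose
    Content-Type was set to content_type_value without validation."""
    raw = serialize_response(
        "HTTP/1.1 200 OK",
        [("Content-Type", content_type_value), ("Content-Length", "0")],
        "")
    return parse_responses(raw)


# Constructed inputs.  INJECTED mirrors the shape of the attack string
# quoted in the thread; FOLDED is what a long parameter list looks like
# after the 76-column folding above.
INJECTED = ("application/soap+xml; charset=utf-8; \r\nContent-Length:0\r\n\r\n"
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\npwned")
FOLDED = fold_content_type("application/soap+xml", {
    "charset": "utf-8",
    "action": '"urn:example:a-very-long-soap-action-name"',
    "type": '"application/xop+xml"',
})

if __name__ == "__main__":
    print(repr(FOLDED))
    print(len(responses_seen(FOLDED)), "response(s) from the folded value")
    print(len(responses_seen(INJECTED)), "response(s) from the injected value")
    print(accepts_header_value(FOLDED), accepts_header_value(INJECTED))
```

The folded value is unfolded back into a single Content-Type by a client that still tolerates obs-fold, while the injected value, which differs only in lacking the tab, is read as two responses. The validation routine rejects both, which is the point made above: a container cannot admit CRLF and then rely on the application to have supplied the tab.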

glassfishrobot commented 9 years ago

ibrencsics said: There is almost no activity in this Jira. Is this the right place to announce SAAJ related bugs?

glassfishrobot commented 9 years ago

slandro said: Try the mailing list. That's what I did: users@saaj.java.net

glassfishrobot commented 10 years ago

Was assigned to gagordon

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA SAAJ-75