Open GoogleCodeExporter opened 9 years ago
Attaching patch and updated jar.
Original comment by anita.de...@gmail.com
on 17 Nov 2011 at 12:15
Attachments:
Original comment by anita.de...@gmail.com
on 17 Nov 2011 at 12:16
Attachments:
Should be:

```java
public void addHeader(String name, String value) {
    try {
        // TODO: make stripping a global config
        // Strip control characters (CR/LF included) so a value cannot start a new header line
        String strippedName = StringUtilities.stripControls(name);
        String strippedValue = StringUtilities.stripControls(value);
        // Validate against the configured HTTPHeaderName/HTTPHeaderValue rules and size limits
        String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
        String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", ESAPI.securityConfiguration().getMaxHttpHeaderSize(), false);
        // Delegate to addHeader(), not setHeader(), so earlier values for the same name are kept
        getHttpServletResponse().addHeader(safeName, safeValue);
    } catch (ValidationException e) {
        logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
    }
}
```
Original comment by anita.de...@gmail.com
on 24 Nov 2011 at 12:35
I have also been affected by this issue. Is there a good security-related reason for addHeader() to call setHeader() on the response instead of addHeader()?

If not, I'd love to see a 2.0.2 release very soon.
Original comment by danieljomphe
on 5 Jun 2013 at 3:14
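A stand-alone model of the two points raised in this thread, the wrapper delegating to setHeader() instead of addHeader() and the control-character stripping before validation, written for this page rather than taken from ESAPI; the name/value rules, the size cap and the fake servlet response are assumptions:

```python
import re

# Stand-in for StringUtilities.stripControls(): drop C0 controls and DEL so an embedded
# CR/LF can never terminate the header line (HTTP response splitting).
_CONTROLS = re.compile(r"[\x00-\x1f\x7f]")
# Assumed validation rules, not ESAPI's real HTTPHeaderName/HTTPHeaderValue patterns:
# token-style name of at most 20 chars, printable-ASCII value under a size cap.
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,20}$")
_VALUE_RE = re.compile(r"^[\x20-\x7e]*$")
MAX_HEADER_SIZE = 4096


class FakeServletResponse:
    """Minimal model of HttpServletResponse header semantics (assumed, not the real class)."""
    def __init__(self):
        self.headers = []  # (name, value) pairs in insertion order

    def addHeader(self, name, value):
        self.headers.append((name, value))  # appends; earlier values survive

    def setHeader(self, name, value):
        # replaces every existing value of that name, as the servlet spec defines
        self.headers = [h for h in self.headers if h[0].lower() != name.lower()]
        self.headers.append((name, value))


class SecurityWrapperResponse:
    """Validating wrapper; delegate_to_set=True reproduces the reported bug."""
    def __init__(self, response, delegate_to_set=False):
        self.response, self.delegate_to_set, self.denied = response, delegate_to_set, []

    def addHeader(self, name, value):
        safe_name = _CONTROLS.sub("", name)
        safe_value = _CONTROLS.sub("", value)
        if not (_NAME_RE.match(safe_name) and _VALUE_RE.match(safe_value)
                and len(safe_value) <= MAX_HEADER_SIZE):
            self.denied.append(name)  # ESAPI logs SECURITY_FAILURE and drops the header
            return
        if self.delegate_to_set:
            self.response.setHeader(safe_name, safe_value)  # bug: clobbers earlier values
        else:
            self.response.addHeader(safe_name, safe_value)  # fix: appends


def emit_headers(delegate_to_set):
    """Add two Set-Cookie headers and one CRLF-laden value; return (headers, denied)."""
    wrapper = SecurityWrapperResponse(FakeServletResponse(), delegate_to_set)
    wrapper.addHeader("Set-Cookie", "session=abc; HttpOnly")
    wrapper.addHeader("Set-Cookie", "theme=dark")
    wrapper.addHeader("X-Note", "ok\r\nSet-Cookie: evil=1")  # constructed hostile input
    wrapper.addHeader("Bad Name", "x")  # space is not a token char, so this is denied
    return wrapper.response.headers, wrapper.denied
```

With delegate_to_set=True the first Set-Cookie is lost; with the fix both survive, and in either case the CR/LF in the constructed value is collapsed into a single harmless header value.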
Original issue reported on code.google.com by anita.de...@gmail.com on 17 Nov 2011 at 12:12