vinothair / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

setHeader blocks legitimate headers due to header name size limit being too low #326

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Write a Servlet that uses DefaultHTTPUtilities.getInstance().setHeader(...) 
to set headers to the response
2. Attempt to write a header with a name longer than 20 characters, such as 
"Strict-Transport-Security" or "Access-Control-Allow-Origin"

What is the expected output? What do you see instead?
These headers are standard and not unsafe, so I expect them to pass validation, 
but they are blocked by what seems to be an arbitrary (and quite low) character 
limit of 20 characters.

What version of the product are you using? On what operating system?
2.1.0 (loaded using maven as dependency of project) because it appears to be 
the latest stable version as of 4/13/2014.
I am using Tomcat 7.0.41 on Linux, but in this case I think that's irrelevant.

Does this issue affect only a specified browser or set of browsers?
No.

Please provide any additional information below.
How can I modify this character limit without forking / modifying the source 
code? It appears to be hard-coded. Could this at least be increased to a higher 
default like 32 or 40?

Original issue reported on code.google.com by jac...@gmail.com on 13 Apr 2014 at 5:59