authorLeif Åstrand <leif@vaadin.com>2014-12-10 10:49:45 +0200
committerTeemu Suo-Anttila <teemusa@vaadin.com>2016-02-17 16:42:42 +0200
commitcb8048312e0d3ee2b49fbef601b6268e6dbf6ab0 (patch)
tree0c1678dbe40044ee0ccf1a845846f827a752d080 /server/src
parentebc12cddcab02488c28ba234aeadc0cb4afa7d45 (diff)
downloadvaadin-framework-cb8048312e0d3ee2b49fbef601b6268e6dbf6ab0.tar.gz
vaadin-framework-cb8048312e0d3ee2b49fbef601b6268e6dbf6ab0.zip
Prevent HTTP Response splitting in case the server doesn't (#19611)7.6.3
Prevent user-provided input used in the redirect from containing newline characters, since the user agent would otherwise interpret the subsequent parts of the input as additional headers or as the actual HTTP payload. At least modern versions of Tomcat and Jetty already protect against this kind of attack by escaping received header values, but that is not necessarily the case for older versions or other servlet engines. See https://www.owasp.org/index.php/HTTP_Response_Splitting for details. Change-Id: I7a56fe2faeaa738aff964cf754e3f7b0f66181dc
Diffstat (limited to 'server/src')
-rw-r--r--server/src/com/vaadin/server/VaadinServlet.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index e7799dac67..cd6e4cd7cd 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -403,6 +403,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
location = location + "/" + lastPathParameter;
String queryString = request.getQueryString();
if (queryString != null) {
+ // Prevent HTTP Response splitting in case the server doesn't
+ queryString = queryString.replaceAll("[\\r\\n]", "");
location += '?' + queryString;
}
response.sendRedirect(location);
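Review bot: The CR/LF stripping on the added line covers only `queryString`, while `location` on the first line of the hunk is also built from `lastPathParameter`, whose origin is outside the hunk; if that value is derived from the request path, as its name suggests, it can carry the same characters and reaches `sendRedirect` unfiltered. Applying the filter to the assembled value immediately before the redirect covers every component regardless of where it came from: `location = location.replaceAll("[\\r\\n]", "");` on the line before `response.sendRedirect(location);`, which would also make the per-component call on the query string redundant. The added comment would be clearer if it named what the server is expected to do, e.g. `// Strip CR/LF so a servlet container that does not escape header values cannot be made to emit attacker-controlled headers (HTTP response splitting)`. The enclosing method of VaadinServlet starts before the hunk, so the source of `location` and `lastPathParameter` could not be checked here.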