aboutsummaryrefslogtreecommitdiffstats
path: root/server
diff options
context:
space:
mode:
authorLeif Åstrand <leif@vaadin.com>2014-12-10 10:49:45 +0200
committerHenri Sara <hesara@vaadin.com>2016-02-17 12:41:08 +0000
commit29808ef9272457f8eb25f140280d0e2833af8cbf (patch)
tree7bbe5e77cce8fd6d0e3ff81229975267be101b56 /server
parentcb5500f9a839f1f8c235d4581b663303da3f26f6 (diff)
downloadvaadin-framework-29808ef9272457f8eb25f140280d0e2833af8cbf.tar.gz
vaadin-framework-29808ef9272457f8eb25f140280d0e2833af8cbf.zip
Prevent HTTP Response splitting in case the server doesn't (#19611)
Prevent user-provided input used in the redirect from containing newline characters as the user agent would interpret subsequent parts of the input as additional headers or the actual HTTP payload. At least modern versions of Tomcat and Jetty already protect against this kind of attack by escaping received header values, but that is not necessarily the case for older versions or other servlet engines. See https://www.owasp.org/index.php/HTTP_Response_Splitting for details. Change-Id: If4b9bf5fba953073de49c1ab1cba8e5e6bc8e546
Diffstat (limited to 'server')
-rw-r--r--server/src/com/vaadin/server/VaadinServlet.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/server/src/com/vaadin/server/VaadinServlet.java b/server/src/com/vaadin/server/VaadinServlet.java
index e7799dac67..cd6e4cd7cd 100644
--- a/server/src/com/vaadin/server/VaadinServlet.java
+++ b/server/src/com/vaadin/server/VaadinServlet.java
@@ -403,6 +403,8 @@ public class VaadinServlet extends HttpServlet implements Constants {
location = location + "/" + lastPathParameter;
String queryString = request.getQueryString();
if (queryString != null) {
+ // Prevent HTTP Response splitting in case the server doesn't
+ queryString = queryString.replaceAll("[\\r\\n]", "");
location += '?' + queryString;
}
response.sendRedirect(location);