[jetty-discuss] [jira] Commented: (JETTY-376) Http Set Response method adds an extra underscore while sending the response

[Greg W. (JIRA) <ji...@co...>]

    [ http://jira.codehaus.org/browse/JETTY-376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_100468 ] 

Greg Wilkins commented on JETTY-376:
------------------------------------


the reason for this, is that there is plenty of code around that does something like:


  catch(Excpetion e)
  {
     response.sendError(500,e.toString());
  }

Now if the exception is something like UnknownUserExcpetion(String username) 
and an attacker provides a username that is 

xxx\r\n\r\nHTTP/1.0 200 OK\r\nContent-Length\r\n\r\nAnyContentTheyLike

Then an attacker can inject an arbitrary content to be returned for the next request on 
the persistent connection.

This is a real attack vector and Jetty has thus encoded reason strings since jetty 3
and the servlet spec has deprecated the method that allows a reason to be set.

But the RFC excludes on CR and LF, so we are being a bit overzealous. So I will look
at changing this in the next release.








> Http Set Response method adds an extra underscore while sending the response
> ----------------------------------------------------------------------------
>
>                 Key: JETTY-376
>                 URL: http://jira.codehaus.org/browse/JETTY-376
>             Project: Jetty
>          Issue Type: Bug
>          Components: HTTP
>            Reporter: Pankaj Arora
>
> I need to send some custom error messages to the client using Jetty. I saw in the code that setResponse message adds a underscore for each blank space entered in the custom message.
> Is there any workaround for this or can it betaken care of as I don't want my custom messages to be modified by library in anyway as they are parsed by the client.
> Code snippet from AbstractGenerator.java.
>     public void setResponse(int status, String reason)
>     {
>         if (_state != STATE_HEADER) throw new IllegalStateException("STATE!=START");
>         _status = status;
>         if (reason!=null)
>         {
>             int len=reason.length();
>             if (len>_headerBufferSize/2)
>                 len=_headerBufferSize/2;
>             _reason=new ByteArrayBuffer(len);
>             for (int i=0;i<len;i++)
>             {
>                 char ch = reason.charAt(i);
>                 if (Character.isWhitespace(ch))
>                     _reason.put((byte)'_');
>                 else if (Character.isJavaIdentifierPart(ch))
>                     _reason.put((byte)ch);
>             }
>         }
>     }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira