From: Greg W. (JIRA) <ji...@co...> - 2007-06-24 23:14:03
|
[ http://jira.codehaus.org/browse/JETTY-376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_100468 ] Greg Wilkins commented on JETTY-376: ------------------------------------ the reason for this, is that there is plenty of code around that does something like: catch(Excpetion e) { response.sendError(500,e.toString()); } Now if the exception is something like UnknownUserExcpetion(String username) and an attacker provides a username that is xxx\r\n\r\nHTTP/1.0 200 OK\r\nContent-Length\r\n\r\nAnyContentTheyLike Then an attacker can inject an arbitrary content to be returned for the next request on the persistent connection. This is a real attack vector and Jetty has thus encoded reason strings since jetty 3 and the servlet spec has deprecated the method that allows a reason to be set. But the RFC excludes on CR and LF, so we are being a bit overzealous. So I will look at changing this in the next release. > Http Set Response method adds an extra underscore while sending the response > ---------------------------------------------------------------------------- > > Key: JETTY-376 > URL: http://jira.codehaus.org/browse/JETTY-376 > Project: Jetty > Issue Type: Bug > Components: HTTP > Reporter: Pankaj Arora > > I need to send some custom error messages to the client using Jetty. I saw in the code that setResponse message adds a underscore for each blank space entered in the custom message. > Is there any workaround for this or can it betaken care of as I don't want my custom messages to be modified by library in anyway as they are parsed by the client. > Code snippet from AbstractGenerator.java. > public void setResponse(int status, String reason) > { > if (_state != STATE_HEADER) throw new IllegalStateException("STATE!=START"); > _status = status; > if (reason!=null) > { > int len=reason.length(); > if (len>_headerBufferSize/2) > len=_headerBufferSize/2; > _reason=new ByteArrayBuffer(len); > for (int i=0;i<len;i++) > { > char ch = reason.charAt(i); > if (Character.isWhitespace(ch)) > _reason.put((byte)'_'); > else if (Character.isJavaIdentifierPart(ch)) > _reason.put((byte)ch); > } > } > } -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira |