This repository has been archived by the owner on Oct 1, 2018. It is now read-only.

Folded HTTP headers should not be used #75

Open
glassfishrobot opened this issue Sep 17, 2014 · 6 comments

Comments

@glassfishrobot
Contributor

The original problem we encountered is this one: https://bugs.eclipse.org/bugs/show_bug.cgi?id=444222

As a colleague from the Jetty team clarified, the folded HTTP headers are forbidden: http://tools.ietf.org/html/rfc7230#section-3.2.4

However, the toString() method of com.sun.xml.messaging.saaj.packaging.mime.internet.ParameterList injects a \r\n\t to the Content-Type when it would exceed 76 characters.

This causes problems when SAAJ is used together with Jetty.

Affected Versions

[current]

@glassfishrobot
Contributor Author

Reported by ibrencsics

@glassfishrobot
Contributor Author

Was assigned to gagordon

@glassfishrobot
Contributor Author

gregwilkins said:
Note also that there is no provision in the servlet API to pass prefolded headers in either response.setContentType or response.setHeader.

Any attempt to allow the injection of \r\n characters in header values would expose the server to significant security problems. For example if an attacker was able to influence a content type and/or header value to be something like: application/soap+xml; charset=utf-8; \r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n .... then responses could be injected.

We cannot rely on the application to provide the \t that turns a response injection attack into a folded header value.
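The following is an added illustration in Python, not code from SAAJ, Jetty or any commenter here. It models the three pieces of behaviour discussed in this thread: a producer that breaks a long Content-Type value with `\r\n\t` once it passes 76 characters (the break rule itself is an assumption; the report only says the fold is inserted beyond 76 characters), the server-side guard that rejects any CR or LF in an application-supplied header value, and the recipient-side unfolding that RFC 7230 section 3.2.4 allows for obs-fold in received messages. The `multipart/related` Content-Type value is constructed for the example.

```python
import re

# Constructed sample value (not taken from the report): a multipart/related
# Content-Type of the kind a SOAP/MTOM message carries, long enough to pass
# the 76-character limit named in the issue.
CONTENT_TYPE = (
    'multipart/related; type="application/xop+xml"; '
    'boundary="uuid:constructed-boundary-0000"; '
    'start="<root.message@example.invalid>"; '
    'start-info="text/xml"; charset=utf-8'
)

LINE_LIMIT = 76                        # limit named in the issue
OBS_FOLD = re.compile(r"\r?\n[ \t]+")  # CRLF (or bare LF) followed by 1..n WSP
CR_OR_LF = re.compile(r"[\r\n]")


def fold_parameter_list(value: str, limit: int = LINE_LIMIT) -> str:
    """Model of the legacy ParameterList.toString() behaviour described in the
    report: parameters are joined with '; ', and once the current line would
    exceed `limit`, the next parameter is moved to a new line prefixed with
    CRLF + TAB (an obs-fold). The exact break rule is an assumption."""
    params = value.split("; ")
    out = [params[0]]
    line_len = len(params[0])
    for p in params[1:]:
        if line_len + 2 + len(p) > limit:
            out.append(";\r\n\t" + p)
            line_len = 1 + len(p)      # the TAB counts as one column
        else:
            out.append("; " + p)
            line_len += 2 + len(p)
    return "".join(out)


def validate_header_value(value: str) -> str:
    """Server-side guard of the kind Jetty enforces: an application-supplied
    header value may not contain CR or LF at all. Requiring a TAB after the
    CRLF would not help, because the CR/LF itself is what a response-splitting
    payload relies on; the only safe rule is to reject it outright."""
    if CR_OR_LF.search(value):
        raise ValueError("CR/LF not permitted in a header field value")
    return value


def unfold_obs_fold(raw_value: str) -> str:
    """Recipient-side handling per RFC 7230 section 3.2.4: a parser that
    chooses to accept obs-fold in a received message replaces each fold with a
    single SP before interpreting the value. This applies to parsing input;
    it does not make folding acceptable when generating headers."""
    return OBS_FOLD.sub(" ", raw_value)


def fold_count(value: str) -> int:
    """Number of CRLF+TAB folds present in a header value."""
    return value.count("\r\n\t")


def demo() -> dict:
    """Run the constructed value through the producer, the guard and the
    unfolder, and report what happened."""
    folded = fold_parameter_list(CONTENT_TYPE)
    try:
        validate_header_value(folded)
        folded_rejected = False
    except ValueError:
        folded_rejected = True
    return {
        "folds": fold_count(folded),
        "folded_rejected": folded_rejected,
        "unfolded_equals_original": unfold_obs_fold(folded) == CONTENT_TYPE,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two sides of the thread at once: the folded value is refused by the guard exactly as Jetty refuses it, while unfolding the same value restores the original single-line Content-Type, which passes the guard. The practical fix on the producing side is therefore to never emit the fold, not to teach the server to tolerate it.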

@glassfishrobot
Contributor Author

ibrencsics said:
There is almost no activity in this Jira. Is this the right place to announce SAAJ related bugs?

@glassfishrobot
Contributor Author

slandro said:
Try the mailing list. That's what I did: [email protected]

@glassfishrobot
Contributor Author

This issue was imported from java.net JIRA SAAJ-75
