From 8881266e84fa8fbefc1c7c922e45df6b3ac7b9bd Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 19:07:58 +0000 Subject: [PATCH] Introduced protections against HTTP header injection / smuggling attacks --- .../src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java | 7 ++++--- .../src/main/java/jodd/madvoc/scope/HeaderScope.java | 3 ++- .../src/main/java/jodd/servlet/DispatcherUtil.java | 3 ++- jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java | 5 +++-- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java b/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java index ed4feb145..8d9fd48bf 100644 --- a/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java +++ b/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java @@ -25,6 +25,7 @@ package jodd.htmlstapler; +import io.github.pixee.security.Newlines; import jodd.bean.BeanUtil; import jodd.io.IOUtil; import jodd.lagarto.TagVisitor; @@ -202,11 +203,11 @@ protected boolean processActionPath(final HttpServletRequest servletRequest, fin throw new IOException("bundle not found: " + bundleId); } - servletResponse.setHeader("Content-Length", String.valueOf(file.length())); - servletResponse.setHeader("Last-Modified", TimeUtil.formatHttpDate(file.lastModified())); + servletResponse.setHeader("Content-Length", Newlines.stripAll(String.valueOf(file.length()))); + servletResponse.setHeader("Last-Modified", Newlines.stripAll(TimeUtil.formatHttpDate(file.lastModified()))); if (cacheMaxAge > 0) { - servletResponse.setHeader("Cache-Control", "max-age=" + cacheMaxAge); + servletResponse.setHeader("Cache-Control", Newlines.stripAll("max-age=" + cacheMaxAge)); } sendBundleFile(servletResponse, file); diff --git a/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java b/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java index 6b94329da..a0e8c34c8 100644 --- a/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java +++ b/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java @@ -25,6 +25,7 @@ package jodd.madvoc.scope; +import io.github.pixee.security.Newlines; import jodd.madvoc.ActionRequest; import jodd.madvoc.config.Targets; @@ -81,7 +82,7 @@ public void outject(final ActionRequest actionRequest, final Targets targets) { targets.forEachTargetAndOut(this, (target, out) -> { final String value = (String) target.readValue(out); if (value != null) { - servletResponse.setHeader(out.name(), value); + servletResponse.setHeader(out.name(), Newlines.stripAll(value)); } }); } diff --git a/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java b/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java index d83531af0..b541e4efe 100644 --- a/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java +++ b/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java @@ -25,6 +25,7 @@ package jodd.servlet; +import io.github.pixee.security.Newlines; import jodd.util.StringPool; import javax.servlet.RequestDispatcher; @@ -170,7 +171,7 @@ public static void redirectPermanent(final HttpServletRequest request, final Htt url = ServletUtil.getContextPath(request) + url; } response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); - response.setHeader("Location", url); + response.setHeader("Location", Newlines.stripAll(url)); } diff --git a/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java b/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java index c4d3991e9..de99779d6 100644 --- a/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java +++ b/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java @@ -25,6 +25,7 @@ package jodd.servlet; +import io.github.pixee.security.Newlines; import jodd.core.JoddCore; import jodd.http.upload.FileUpload; import jodd.io.FileNameUtil; @@ -145,7 +146,7 @@ public static String resolveAuthBearerToken(final HttpServletRequest request) { * Sends correct headers to require basic authentication for the given realm. */ public static void requireAuthentication(final HttpServletResponse resp, final String realm) throws IOException { - resp.setHeader(WWW_AUTHENTICATE, "Basic realm=\"" + realm + '\"'); + resp.setHeader(WWW_AUTHENTICATE, Newlines.stripAll("Basic realm=\"" + realm + '\"')); resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); } @@ -200,7 +201,7 @@ public static void prepareResponse(final HttpServletResponse response, final Str final String encodedFileName = URLCoder.encode(name); response.setHeader(CONTENT_DISPOSITION, - "attachment;filename=\"" + name + "\";filename*=utf8''" + encodedFileName); + Newlines.stripAll("attachment;filename=\"" + name + "\";filename*=utf8''" + encodedFileName)); } }