ICE-8548

Ensure header text does not corrupt the HTTP response

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-1.8.2.GA_P03
    • Fix Version/s: EE-1.8.2.GA_P05
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      ICEfaces
    • Assignee Priority:
      P2

      Description


      HTTP headers are set in the following lines of code

      ServletExternalContext.java:295
      ServletRequestResponse.java:245
      ServletRequestResponse.java:249

      This header text must be escaped or trimmed to ensure that the resulting header does not corrupt the HTTP response.

        Activity

        Ted Goddard created issue -
        Ted Goddard made changes -
        Field Original Value New Value
        Salesforce Case []
        Arran Mccullough made changes -
        Salesforce Case [5007000000O8ixC]
        Jack Van Ooststroom added a comment - edited

        According to RFC 2616 Section 4.2:

        OCTET = <any 8-bit sequence of data>
        CTL = <any US-ASCII control character
        (octets 0 - 31) and DEL (127)>
        CR = <US-ASCII CR, carriage return (13)>
        LF = <US-ASCII LF, linefeed (10)>
        SP = <US-ASCII SP, space (32)>
        HT = <US-ASCII HT, horizontal-tab (9)>
        CRLF = CR LF
        LWS = [CRLF] 1*( SP | HT )
        TEXT = <any OCTET except CTLs,
        but including LWS>
        token = 1*<any CHAR except CTLs or separators>
        separators = "(" | ")" | "<" | ">" | "@"
                   | "," | ";" | ":" | "\" | <">
                   | "/" | "[" | "]" | "?" | "="
                   | "{" | "}" | SP | HT
        quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
        qdtext = <any TEXT except <">>
        quoted-pair = "\" CHAR
        field-value = *( field-content | LWS )
        field-content = <the OCTETs making up the field-value
        and consisting of either *TEXT or combinations
        of token, separators, and quoted-string>
        (Restricted to faces-core group)

        Repository Revision Date User Message
        ICEsoft Public SVN Repository #31785 Fri Oct 26 08:46:13 MDT 2012 jack.van.ooststroom Fixed JIRA ICE-8548 : Ensure header text does not corrupt the HTTP response
        Files Changed
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/ServletRequestResponse.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/ServletExternalContext.java
        Jack Van Ooststroom added a comment - edited

        The HEADER_FIXER is now replaced by an instance of HttpMessageHeaderValueValidator. A warning is logged when invalid characters are being used in the HTTP message header value and the value is not being added as a result of it. Marking this one as FIXED.

        Repository Revision Date User Message
        ICEsoft Public SVN Repository #31815 Mon Oct 29 11:54:00 MDT 2012 jack.van.ooststroom Fixed JIRA ICE-8548 : Ensure header text does not corrupt the HTTP response
        Files Changed
        ADD /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/HttpMessageHeaderValueValidator.java
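The following is an added example, not ICEfaces code and not the contents of HttpMessageHeaderValueValidator (whose rules are not shown on this page). It shows what the fix described above amounts to in practice: checking a header name against the RFC 2616 token grammar and a header value against the field-value grammar quoted in the earlier comment, then logging a warning and skipping the header when the value contains CR, LF or another control character instead of passing it through to the servlet response. The class name HeaderValueCheck, the HeaderSink interface standing in for HttpServletResponse.setHeader, and the methods isValidHeaderName, isValidHeaderValue and setHeaderIfValid are all assumptions of this example. The example deliberately rejects CR and LF even though the RFC's LWS rule technically permits a folded continuation line, since a bare CR or LF in a value is exactly what lets the value terminate the header and corrupt the rest of the response.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

/**
 * Added illustration (not ICEfaces code): validate HTTP header names and
 * values against the RFC 2616 token / field-value grammar before they reach
 * the servlet response, so that control characters cannot break the header.
 */
public class HeaderValueCheck {

    private static final Logger LOG = Logger.getLogger(HeaderValueCheck.class.getName());

    // RFC 2616 separators: "(" ")" "<" ">" "@" "," ";" ":" "\" <"> "/" "[" "]" "?" "=" "{" "}" SP HT
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** A header name must be a non-empty token: CHARs that are neither CTLs nor separators. */
    public static boolean isValidHeaderName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c < 32 || c > 126) return false;            // CTL, DEL, or not US-ASCII
            if (SEPARATORS.indexOf(c) >= 0) return false;   // separator
        }
        return true;
    }

    /**
     * A field-value may contain any octet except CTLs (0-31) and DEL (127).
     * HT (9) is allowed because it is part of LWS. CR and LF are rejected
     * outright (assumption of this example): header folding is the injection
     * vector, so no folded continuation lines are accepted.
     */
    public static boolean isValidHeaderValue(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\t') continue;                        // HT is part of LWS
            if (c < 32 || c == 127) return false;           // CTL (including CR, LF) or DEL
        }
        return true;
    }

    /** Minimal stand-in for HttpServletResponse.setHeader (assumption of this example). */
    public interface HeaderSink {
        void setHeader(String name, String value);
    }

    /**
     * Mirrors the behaviour the fix describes: if the name or value fails
     * validation, log a warning and do not add the header at all.
     * Returns true only when the header was actually set.
     */
    public static boolean setHeaderIfValid(HeaderSink sink, String name, String value) {
        if (!isValidHeaderName(name)) {
            LOG.warning("Rejected HTTP header: name is not a valid token");
            return false;
        }
        if (!isValidHeaderValue(value)) {
            LOG.warning("Rejected HTTP header '" + name + "': value contains control characters");
            return false;
        }
        sink.setHeader(name, value);
        return true;
    }

    public static void main(String[] args) {
        List<String> written = new ArrayList<>();
        HeaderSink sink = (n, v) -> written.add(n + ": " + v);

        // Constructed sample values for this example.
        String benign = "text/html; charset=UTF-8";            // valid field-value
        String withCrlf = "value\r\ninjected-line";            // CRLF would start a new header line
        String withDel = "bad\u007Fvalue";                     // DEL is a CTL-class octet
        String withTab = "a\tb";                               // HT is permitted LWS

        System.out.println(setHeaderIfValid(sink, "Content-Type", benign));
        System.out.println(setHeaderIfValid(sink, "X-Custom", withCrlf));
        System.out.println(setHeaderIfValid(sink, "X-Custom", withDel));
        System.out.println(setHeaderIfValid(sink, "X-Custom", withTab));
        System.out.println(setHeaderIfValid(sink, "Bad Name", benign));   // SP is a separator
        System.out.println(written);
    }
}
```

Only the headers that pass both checks end up in the sink; the others produce a warning on the java.util.logging logger and are dropped, which is the "not being added" behaviour the fix comment describes, rather than the earlier approach of trying to fix the text up.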
        Migration made changes -
        Assignee Jack Van Ooststroom [ jack.van.ooststroom ]
        Assignee Priority P2 [ 10011 ]
        Migration made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            Jack Van Ooststroom
            Reporter:
            Ted Goddard
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: