How do I secure my response header from CRLF

ravisha andar
Ranch Hand

Joined: Feb 25, 2011
Posts: 55
Hi All,

If I have

response.setHeader("Content-Disposition", "attachment; filename=" + fileName);

How do I secure this from CRLF?

Some say validate input and encode the url.

How do I encode the URL?

Please help me understand this better.


Any help is highly appreciated !!!

Thanks.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29219
The easiest way is to not generate the filename from user data. Always provide your own default filename. This opens the download box on the user's browser with that suggested filename. At which point the user can change it to anything they like locally and you don't have to worry about a CRLF attack.

In other cases, CRLF attacks are more complicated, but they are easy to avoid in your example.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
ravisha andar
Ranch Hand

Joined: Feb 25, 2011
Posts: 55
Thanks Jeanne Boyarsky

There is another scenario where I am sending the user entered input as well.

What should I do in that case?
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29219
Don't. Seriously, if there is any way to avoid putting user input in the header, I'd do that. Option 2 is to provide a whitelist of characters that the user can enter so CR/LF characters don't show up. Option 3 is to use encoding/remove special characters.
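
As an added example (not code from this thread or from JavaRanch), the two fallback options above, whitelisting and encoding, can be combined in one servlet helper. It assumes the javax.servlet API; the class name, the default filename and the constructed inputs in main are hypothetical. The whitelist version drops every character that is not a letter, digit, dot, dash or underscore, so CR and LF can never reach the header; the encoded version percent-encodes anything outside the RFC 5987 unreserved set for the filename* parameter. A final check refuses any value that still contains a line break, so the code does not rely on the servlet container to catch it.

```java
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletResponse;

public final class SafeContentDisposition {

    // Assumed default name, used whenever the user-supplied name is unusable.
    private static final String DEFAULT_FILE_NAME = "download.bin";
    private static final int MAX_LENGTH = 100;

    private SafeContentDisposition() {}

    /** Option 2: whitelist. Keeps only [A-Za-z0-9._-]; everything else, including CR and LF, is dropped. */
    public static String whitelistFileName(String raw) {
        if (raw == null) {
            return DEFAULT_FILE_NAME;
        }
        StringBuilder out = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                      || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
            if (ok) {
                out.append(c);
            }
        }
        String cleaned = out.toString();
        // An empty or dots-only result carries no useful name; fall back to the default.
        if (cleaned.isEmpty() || cleaned.replace(".", "").isEmpty()) {
            return DEFAULT_FILE_NAME;
        }
        return cleaned.length() > MAX_LENGTH ? cleaned.substring(0, MAX_LENGTH) : cleaned;
    }

    /** Option 3: encoding. Percent-encodes every UTF-8 byte outside [A-Za-z0-9-._~] for the RFC 5987 filename* parameter. */
    public static String percentEncode(String raw) {
        byte[] bytes = raw.getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder(bytes.length * 3);
        for (byte b : bytes) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                              || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    /** Last line of defence: refuse any header value that still contains a line break. */
    private static void rejectIfLineBreak(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("header value must not contain CR or LF");
        }
    }

    /** Sets Content-Disposition with an ASCII whitelisted name plus an encoded filename* for non-ASCII names. */
    public static void setAttachment(HttpServletResponse response, String userSuppliedName) {
        String ascii = whitelistFileName(userSuppliedName);
        String encoded = percentEncode(userSuppliedName == null ? DEFAULT_FILE_NAME : userSuppliedName);
        String value = "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + encoded;
        rejectIfLineBreak(value);
        response.setHeader("Content-Disposition", value);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name and one carrying a CR/LF pair.
        System.out.println(whitelistFileName("quarterly report.pdf"));
        System.out.println(whitelistFileName("report\r\n.pdf"));
        System.out.println(percentEncode("report\r\n.pdf"));
    }
}
```

Inside a servlet, call setAttachment(response, request.getParameter("name")) before writing the body. The whitelist is deliberately narrow; widen it only with characters you have checked cannot terminate the header or the quoted-string, and keep the rejectIfLineBreak check regardless of what the container does with stray CR/LF.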