• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

How do I secure my response header from CRLF

 
ravisha andar
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi All,

If i have
response.setHeader("Content-Type--------- attchmenet filename="+fileName);

How do i secure this from CRLF ?

Some say validate input and encode the url.

How do I Encode the Url...

Please help me understand this better..........


Any help is highly appreciated !!!

Thanks.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34974
379
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The easies way is to not generate the filename from user data. Always provide your own default filename. This opens the download box on the user's browser with that suggested filename. At which point the user can change it to anything they like locally and you don't have to worry about a CRLF attack.

In other cases, CRLF attacks are more complicated, but it is easy to avoid in your example.
 
ravisha andar
Ranch Hand
Posts: 55
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Jeanne Boyarsky

There is another scenario where I am sending the user entered input as well.

What should I do in that case.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34974
379
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Don't. Seriously, if there is any way to avoid putting user input in the header, I'd do that. Option 2 is to provide a whitelist of characters that the user can enter so CR/LF characters don't show up. Option 3 is to use encoding/remove special characters.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic