Search...
FAQs Subscribe
Pie
FAQs
Recent topics Flagged topics Hot topics Best topics
Search...
Search within Servlets Search Coderanch
Advance search Google search
Register / Login
thread boost granny book review grid polymorphism advertise on coderanch
Win a copy of OCP Oracle Certified Professional Java SE 21 Developer (Exam 1Z0-830) Java SE 17 Developer (Exam 1Z0-829) Programmer’s Guide this week in the Programmer Certification forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
thread boost meaningless drivel advertise on coderanch building better world book book review grid
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • paul wheaton
  • Ron McLeod
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Liutauras Vilda
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Carey Brown
  • Piet Souris
Bartenders:

How do I secure my response header from CRLF

 
ravisha andar
Ranch Hand
Posts: 55
posted 13 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hi All,

If i have
response.setHeader("Content-Type--------- attchmenet filename="+fileName);

How do i secure this from CRLF ?

Some say validate input and encode the url.

How do I Encode the Url...

Please help me understand this better..........


Any help is highly appreciated !!!

Thanks.
 
Jeanne Boyarsky
author & internet detective
Posts: 42135
937
I like...
Eclipse IDE VI Editor Java
posted 13 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
The easies way is to not generate the filename from user data. Always provide your own default filename. This opens the download box on the user's browser with that suggested filename. At which point the user can change it to anything they like locally and you don't have to worry about a CRLF attack.

In other cases, CRLF attacks are more complicated, but it is easy to avoid in your example.

[OCP 21 book] | [OCP 17 book] | [OCP 11 book] | [OCA 8 book] [OCP 8 book] [Practice tests book] [Blog] [JavaRanch FAQ] [How To Ask Questions] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2

 
ravisha andar
Ranch Hand
Posts: 55
posted 13 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Thanks Jeanne Boyarsky

There is another scenario where I am sending the user entered input as well.

What should I do in that case.
 
Jeanne Boyarsky
author & internet detective
Posts: 42135
937
I like...
Eclipse IDE VI Editor Java
posted 13 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Don't. Seriously, if there is any way to avoid putting user input in the header, I'd do that. Option 2 is to provide a whitelist of characters that the user can enter so CR/LF characters don't show up. Option 3 is to use encoding/remove special characters.

[OCP 21 book] | [OCP 17 book] | [OCP 11 book] | [OCA 8 book] [OCP 8 book] [Practice tests book] [Blog] [JavaRanch FAQ] [How To Ask Questions] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2

 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
reply
    Bookmark Topic Watch Topic
  • New Topic
Boost this thread!
Similar Threads
More...