[ic] HTTP Response Splitting
dances_with_peons at live.com
Mon May 13 02:27:54 UTC 2013
>Sent: Saturday, May 11, 2013 4:41 PM
>Subject: Re: [ic] HTTP Response Splitting
>>> Am I safe from HTTP Response Splitting if I use [bounce]?
>> Mostly. The [bounce] tag removes \r and \n, and the URL-encoded versions of
>> them, from URLs before it puts them into the header. Two other tag
>> attributes -- "target" and "status" do appear to make it into the header
>> unscrubbed. But as long as you don't let user input touch those (which
>> would be an outrageously bad idea anyway, for other reasons), you're
>You mentioned that "target" is not scrubbed but I think you mean
>"href"? If so, is "page" the only bounce attribute that is scrubbed?
I meant "target". Not sure where the attribute comes in, but it certainly
looks like a tag param, and determines the value of a 'Window-Target'
'href' is explicitly scrubbed, and 'page=XXXX' is just treated as
'href="[area XXXX]"' if there's not already an href. (That translation
happens before the scrubbing, so 'page' is effectively scrubbed too.)
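
The scrubbing described in this message, applied to all three header-bound values, as an added example that is not part of the original post and is not Interchange's own code. The names `scrub_header_value` and `bounce_headers`, the allow-list patterns, and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Remove raw CR/LF and their percent-encoded forms from a value that is about
# to be written into a response header. The loop repeats until nothing more
# is removed, so a nested form such as "%0%0dd" cannot reassemble into "%0d".
sub scrub_header_value {
    my ($value) = @_;
    return '' unless defined $value;
    1 while $value =~ s/[\r\n]|%0[ad]//gi;
    return $value;
}

# Hypothetical helper: build redirect headers from bounce-style parameters.
# href is scrubbed; status and target are scrubbed and then allow-listed,
# since the message notes they reach the header without scrubbing.
sub bounce_headers {
    my (%opt) = @_;
    my @headers;

    my $status = scrub_header_value($opt{status} // '302 Moved');
    $status = '302 Moved' unless $status =~ /^[1-5]\d\d(?: [\x20-\x7e]*)?\z/;
    push @headers, "Status: $status";

    push @headers, 'Location: ' . scrub_header_value($opt{href});

    if (defined $opt{target}) {
        my $target = scrub_header_value($opt{target});
        # Window names are short tokens; anything else is dropped.
        push @headers, "Window-Target: $target" if $target =~ /^[\w-]+\z/;
    }
    return @headers;
}

# Constructed inputs, each carrying a line break in raw or encoded form.
my @out = bounce_headers(
    href   => "http://shop.example/cart%0d%0aSet-Cookie: sid=1",
    target => "_top\r\nX-Injected: 1",
    status => "302 Moved\r\nX-Injected: 1",
);
print "$_\n" for @out;

# Each element must be exactly one header line.
die "header value still contains a line break\n" if grep { /[\r\n]/ } @out;
```

With these inputs the injected text stays on its own header's line and the target value is dropped because it no longer looks like a window name.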