[ic] HTTP Response Splitting
d davenport
dances_with_peons at live.com
Mon May 13 02:27:54 UTC 2013
>-----Original Message-----
>From: Grant
>Sent: Saturday, May 11, 2013 4:41 PM
>To: interchange-users
>Subject: Re: [ic] HTTP Response Splitting
>
>>> Am I safe from HTTP Response Splitting if I use [bounce]?
>>>
>>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
>>
>> Mostly. The [bounce] tag removes \r and \n, and the URL-encoded versions
>> of them, from URLs before it puts them into the header. Two other tag
>> attributes -- "target" and "status" do appear to make it into the header
>> unscrubbed. But as long as you don't let user input touch those (which
>> would be an outrageously bad idea anyway, for other reasons), you're
>> fine.
>
>You mentioned that "target" is not scrubbed but I think you mean
>"href"? If so, is "page" the only bounce attribute that is scrubbed?
I meant "target". Not sure where the attribute comes in, but it certainly
looks like a tag param, and determines the value of a 'Window-Target'
header.
'href' is explicitly scrubbed, and 'page=XXXX' is just treated as
'href="[area XXXX]"' if there's not already an href. (That translation
happens before the scrubbing, so 'page' is effectively scrubbed too.)
https://github.com/interchange/interchange/blob/master/lib/Vend/Parse.pm#L748
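
The distinction drawn in this thread (a scrubbed URL versus header values passed through as-is), as an added Perl example that is not part of the original post and is not Interchange's code. The function names, the CGI-style `Status:` line, the allow-list patterns and the `shop.example` inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: drop raw CR/LF and their URL-encoded forms. Loop until
# stable, because one pass over "%0%0dd" leaves a fresh "%0d" behind.
sub scrub_url {
    my ($url) = @_;
    my $prev;
    do {
        $prev = $url;
        $url =~ s/[\r\n]|%0[ad]//gi;
    } while ($url ne $prev);
    return $url;
}

# Values that are not URLs are checked against an allow-list and rejected,
# not repaired. \A and \z matter: "$" would accept a trailing "\n".
sub valid_target { my ($t) = @_; return $t =~ /\A[A-Za-z0-9_-]{1,64}\z/ ? 1 : 0 }
sub valid_status {
    my ($s) = @_;
    return $s =~ /\A[1-5][0-9]{2}(?: [A-Za-z][A-Za-z -]{0,40})?\z/ ? 1 : 0;
}

# Build redirect headers (the CGI-style "Status:" line is an assumption).
sub bounce_headers {
    my (%opt) = @_;
    my $status = defined $opt{status} ? $opt{status} : '302 moved';
    die "rejected status\n" unless valid_status($status);
    my @h = ("Status: $status", 'Location: ' . scrub_url($opt{href}));
    if (defined $opt{target}) {
        die "rejected target\n" unless valid_target($opt{target});
        push @h, "Window-Target: $opt{target}";
    }
    return @h;
}

# Constructed inputs: a nested-encoded line break in href, then two target
# values carrying a line break (one embedded, one trailing).
print "$_\n" for bounce_headers(
    href   => "http://shop.example/cart%0%0dd%0aX-Injected: 1",
    target => '_top',
);
for my $t ("_top\r\nX-Injected: 1", "_top\n") {
    my @h = eval { bounce_headers(href => 'http://shop.example/', target => $t) };
    print $@ ? "target refused: $@" : "headers: @h\n";
}
```

The href case stays on a single `Location:` line after scrubbing, and both target values are refused before any header is built.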