[ic] HTTP Response Splitting

Grant emailgrant at gmail.com
Mon May 13 17:25:54 UTC 2013

>>>> Am I safe from HTTP Response Splitting if I use [bounce]?
>>>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
>>> Mostly.  The [bounce] tag removes \r and \n, and the URL-encoded versions
>>> of
>>> them, from URLs before it puts them into the header.  Two other tag
>>> attributes -- "target" and "status" do appear to make it into the header
>>> unscrubbed.  But as long as you don't let user input touch those (which
>>> would be an outrageously bad idea anyway, for other reasons), you're
>>> fine.
>> You mentioned that "target" is not scrubbed but I think you mean
>> "href"?  If so, is "page" the only bounce attribute that is scrubbed?
> I meant "target".  Not sure where the attribute comes in, but it certainly
> looks like a tag param, and determines the value of a 'Window-Target'
> header.
> 'href' is explicitly scrubbed, and 'page=XXXX' is just treated as
> 'href="[area XXXX]"' if there's not already an href.  (That translation
> happens before the scrubbing, so 'page' is effectively scrubbed too.)
> https://github.com/interchange/interchange/blob/master/lib/Vend/Parse.pm#L748

Got it, thanks for your help.

- Grant

More information about the interchange-users mailing list