[ic] HTTP Response Splitting
Grant
emailgrant at gmail.com
Mon May 13 17:25:54 UTC 2013
>>>> Am I safe from HTTP Response Splitting if I use [bounce]?
>>>>
>>>> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
>>>
>>>
>>> Mostly. The [bounce] tag removes \r and \n, and the URL-encoded versions of
>>> them, from URLs before it puts them into the header. Two other tag
>>> attributes -- "target" and "status" do appear to make it into the header
>>> unscrubbed. But as long as you don't let user input touch those (which
>>> would be an outrageously bad idea anyway, for other reasons), you're
>>> fine.
>>
>>
>> You mentioned that "target" is not scrubbed but I think you mean
>> "href"? If so, is "page" the only bounce attribute that is scrubbed?
>
>
> I meant "target". Not sure where the attribute comes in, but it certainly
> looks like a tag param, and determines the value of a 'Window-Target'
> header.
> 'href' is explicitly scrubbed, and 'page=XXXX' is just treated as
> 'href="[area XXXX]"' if there's not already an href. (That translation
> happens before the scrubbing, so 'page' is effectively scrubbed too.)
>
> https://github.com/interchange/interchange/blob/master/lib/Vend/Parse.pm#L748
Got it, thanks for your help.
- Grant
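
The scrubbing discussed in this thread, applied to every value that reaches a response header (the URL as well as "target" and "status"), as an added Perl example. It is not Interchange's own code; the function names, the default status and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Remove raw CR/LF and their percent-encoded forms (%0d, %0a, any case).
# Repeat until nothing changes, so that deleting one sequence cannot
# splice a new one together (e.g. "%0%0da" would otherwise leave "%0a").
sub scrub_header_value {
    my ($value) = @_;
    return '' unless defined $value;
    1 while $value =~ s/[\r\n]|%0[ad]//gi;
    return $value;
}

# Build redirect headers with every caller-supplied value scrubbed,
# not only the URL. Option names mirror the attributes named in the thread;
# the function itself is hypothetical.
sub redirect_headers {
    my (%opt) = @_;
    my $default = '302 Found';    # assumed default, not taken from Interchange
    my $status  = scrub_header_value($opt{status} // $default);
    # Accept only "NNN" or "NNN printable text"; anything else falls back.
    $status = $default unless $status =~ /\A\d{3}(?: [\x20-\x7e]*)?\z/;

    my @headers = (
        "Status: $status",
        'Location: ' . scrub_header_value($opt{href}),
    );
    push @headers, 'Window-Target: ' . scrub_header_value($opt{target})
        if defined $opt{target} && length $opt{target};
    return @headers;
}

# Constructed sample input: line breaks in href (encoded) and target (raw).
my @headers = redirect_headers(
    href   => 'http://shop.example/index.html%0d%0aX-Injected: 1',
    target => "_top\r\nX-Injected: 1",
    status => "302 Found\r\nX-Injected: 1",
);
print "$_\n" for @headers;

# Each element must be exactly one header line.
die "CR/LF survived scrubbing\n" if grep { /[\r\n]/ } @headers;
```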