-
Notifications
You must be signed in to change notification settings - Fork 250
/
Header操作:Cookies
54 lines (54 loc) · 1.78 KB
/
Header操作:Cookies
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
Cookies型HTTP头部操作,HTTP报头中存在用户输入的字符串,造成HTTP响应截断等攻击。
<b>修复建议</b>
1、在操作HTTP报头的Cookie时,所有写入该区域的值必须去除\r和\n字符(%0d%0a、%0D%0A)。
2、创建一份安全字符白名单或正则表达式,只接受完全由这些受认可的字符组成的输入出现在HTTP响应头文件中,例如HTTP头部只允许传入字母和数字。
<b>修复示例</b>
如:
<pre>
public void risk(HttpServletRequest request, HttpServletResponse response,
org.apache.log4j.Logger logger) {
try {
String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
...
} catch (SQLException e) {
logger.warn(“Exception”, e);
}
}
</pre>
修复为:
<pre>
public void fix(HttpServletRequest request, HttpServletResponse response,
org.apache.log4j.Logger logger) {
try {
String author = request.getParameter(AUTHOR_PARAM);
author = author.replace("\r", "");
author = author.replace("\n", "");
String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
...
} catch (SQLException e) {
logger.warn(“Exception”, e);
}
}
</pre>
或:
<pre>
public void fix(HttpServletRequest request, HttpServletResponse response,
org.apache.log4j.Logger logger) {
try {
String author = request.getParameter(AUTHOR_PARAM);
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
if (Pattern.matches("[0-9A-Za-z]+", author)) {
response.addCookie(cookie);
}
} catch (SQLException e) {
logger.warn(“Exception”, e);
}
}
</pre>