MNT-20202 Improper Neutralization of CRLF Sequences in HTTP Headers #5

Open
wants to merge 1 commit into
base: develop
@@ -1,27 +1,28 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.springframework.extensions.surf.mvc;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.extensions.surf.uri.UriUtils;

import org.springframework.extensions.surf.util.UserInputValidator;

/**
* Responds to Login POSTs to allow the user to authenticate to the application.
Expand All @@ -45,6 +46,9 @@ protected void onSuccess(HttpServletRequest request, HttpServletResponse respons
String successPage = (String) request.getParameter(LoginController.PARAM_SUCCESS);
if (successPage != null)
{
// MNT-20202: neutralize redirect url from front end
// LM_2019-01-30
successPage = UserInputValidator.validateRedirectUrl(successPage);
response.sendRedirect(UriUtils.relativeUri(successPage));
}
else
Expand All @@ -70,6 +74,9 @@ protected void onFailure(HttpServletRequest request, HttpServletResponse respons
request.getSession().invalidate();
if (failurePage != null)
{
// MNT-20202: neutralize redirect url from front end
// LM_2019-01-30
failurePage = UserInputValidator.validateRedirectUrl(failurePage);
response.sendRedirect(UriUtils.relativeUri(failurePage));
}
else
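Review bot: On the two new lines that reassign `successPage` and `failurePage`, a parameter that carried CR/LF is silently rewritten and still redirected to, so a request that is plainly tampered with is quietly accepted instead of being treated as invalid; the safer shape is to fall through to the existing default branch when sanitizing changed anything, e.g. `String safe = UserInputValidator.validateRedirectUrl(successPage); if (!successPage.equals(safe)) { successPage = null; }` ahead of the `if (successPage != null)` check. Note that `request.getParameter` already percent-decodes the value, so the `%0d`/`%0a` handling inside the helper only covers double-encoded input; the raw `\r`/`\n` stripping is what actually protects the `Location` header here. Whether `UriUtils.relativeUri` also prevents an open redirect to an external host is not visible in this hunk and is worth confirming separately. Both onSuccess and onFailure start and end outside the hunk.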
@@ -1,31 +1,34 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/

package org.springframework.extensions.surf.mvc;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.springframework.extensions.surf.site.AuthenticationUtil;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;

import org.springframework.extensions.surf.util.UserInputValidator;

/**
* Listen for call from a client to log the user out from the current session.
*
Expand Down Expand Up @@ -65,7 +68,10 @@ public ModelAndView handleRequestInternal(HttpServletRequest request, HttpServle
redirectURL = redirectURL + delim + keys[i] + "=" + values[i];
}
}
response.setHeader("Location", redirectURL);
//response.setHeader("Location", redirectURL);
// MNT-20202: Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value
// LM_2019-01-30
ESAPI.httpUtilities().addHeader(response, "Location", redirectURL);
}
else
{
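Review bot: The new `ESAPI.httpUtilities().addHeader` call can fail open in an unexpected way: in ESAPI's default `DefaultHTTPUtilities`, a value that does not pass the configured `HTTPHeaderValue` validation rule is logged and the header is simply not added (confirm against the ESAPI version in use), so a rejected `redirectURL` would leave the response with a redirect status but no `Location` header rather than surfacing an error. As far as I recall the stock ESAPI.properties rule for header values is a narrow character whitelist (no `%`, `#` or `~`) with a short maximum length, and `redirectURL` is built by concatenating query keys and values on the line above, so legitimate redirect targets may be dropped; the project's ESAPI.properties must be on the classpath and that rule reviewed. Consider validating explicitly and failing closed, e.g. `if (!ESAPI.validator().isValidInput("Location", redirectURL, "HTTPHeaderValue", 2048, false)) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return null; }` before setting the header. The commented-out `response.setHeader` line should be deleted rather than kept next to its replacement. The enclosing handleRequestInternal starts and ends outside the hunk.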
@@ -1,20 +1,20 @@
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
/*
* Copyright (C) 2005-2015 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/

package org.springframework.extensions.surf.site;
Expand All @@ -23,6 +23,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.springframework.extensions.surf.UserFactory;
import org.springframework.extensions.surf.support.AbstractUserFactory;
import org.springframework.extensions.surf.util.URLEncoder;
Expand Down Expand Up @@ -103,7 +104,10 @@ public static void login(HttpServletRequest request, HttpServletResponse respons
userCookie = new Cookie(COOKIE_ALFUSER, URLEncoder.encode(userId));
userCookie.setPath(request.getContextPath());
userCookie.setMaxAge(TIMEOUT);
response.addCookie(userCookie);
//response.addCookie(userCookie);
// MNT-20202: sanitize the cookies with ESAPI before adding to response
// LM_2019-01-30
ESAPI.httpUtilities().addCookie(response, userCookie);
}
}
}
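Review bot: `ESAPI.httpUtilities().addCookie` validates the cookie name and value against the `HTTPCookieValue` rule from ESAPI.properties and, in ESAPI's default implementation, logs and silently drops the cookie on failure (confirm for the version in use); the value here is `URLEncoder.encode(userId)` from the line above, and a percent-encoded user id (one containing `@` or a space, for example) may not pass a whitelist that excludes `%`, so the login cookie would quietly never be set. Because the value is already URL-encoded before this call, raw CR/LF cannot reach the `Set-Cookie` header from `userId`, so the ESAPI wrapper adds little beyond that whitelist; either keep `response.addCookie(userCookie)` and assert the encoded value contains no control characters, or keep ESAPI and add a test with a user id that needs encoding. Independently, nothing visible between the `new Cookie(...)` line and the add sets `HttpOnly` (or `Secure` for HTTPS deployments), which is worth adding while this code is touched if the servlet API level allows: `userCookie.setHttpOnly(true);`. The commented-out `response.addCookie` line should be removed. The enclosing login method starts and ends outside the hunk.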
@@ -0,0 +1,26 @@
package org.springframework.extensions.surf.util;

/**
* Custom Class to neutralize user input
* MNT-20202 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') CWE ID 113
* LM_2019-01-30
*/
public class UserInputValidator {

public static String validateRedirectUrl(String url) {

if (url != null) {
//TODO: to externalize characters to remove
//https://stackoverflow.com/questions/21993290/how-to-fix-improper-neutralization-of-crlf-sequences-in-http-headers-http-res
url = url.replace("\r", "")
.replace("%0d", "")
.replace("%0D", "")
.replace("\n", "")
.replace("%0a", "")
.replace("%0A", "");
}

return url;
}

}
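Review bot: `validateRedirectUrl` strips the offending sequences and returns the remainder, so a request that clearly carried a CR/LF injection attempt is accepted with a silently altered URL instead of being refused; a check at a security boundary should fail closed, e.g. `private static final Pattern CRLF = Pattern.compile("[\\r\\n]|%0[aAdD]");` plus `if (CRLF.matcher(url).find()) { throw new IllegalArgumentException("redirect URL contains CR/LF"); }` in the method, with the callers falling back to their default page. Deleting substrings can also recombine into a forbidden one (`"%%0d0d"` becomes `"%0d"` after the single `replace` pass), which is another reason to detect rather than delete; the raw `\r`/`\n` removal is not affected by this, but since the callers obtain the value via `getParameter`, which has already percent-decoded it, the `%0d`/`%0a` branches only matter for double-encoded input. The Stack Overflow link and `TODO` should give way to a Javadoc stating the contract ("returns the input unchanged when it contains no CR, LF or their percent-encoded forms"), and the class should get a `private UserInputValidator() {}` constructor and a unit test covering `\r\n`, `%0d%0a` and the recombination case.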