HTTP response splitting attack prevention

[tiwatsuka]

Summary

When a user set http header value containing CR/LF, the http response is split.
https://www.owasp.org/index.php/HTTP_Response_Splitting

Of course, users should validate the value to avoid this kind of problems.
However, it's worth to provide measures from framework for careless users.

I think HttpFirewall is suitable place to remove CR/LF in header.

Actual Behavior

HttpHeaders headers = new HttpHeaders();
headers.add("abc", "abc¥r¥nContent-Length:100¥r¥n¥r¥n ...");

abc: abc
Content-Length: 100

... ### Expected Behavior

HttpHeaders headers = new HttpHeaders();
headers.add("abc", "abc¥r¥nContent-Length:100¥r¥n¥r¥n ...");

abc: abc Content-Length: 100 ...

[rwinch]

Thanks for the report. Can you expand on this issue? What are the steps you take to reproduce it?

[tiwatsuka]

I'm sorry. I accidentally submitted before writing description.

According to my investigation, some application servers remove CR/LF by default. But not all.
I confirmed that Undertow does not do it.

[rwinch]

@tiwatsuka And how are you able to perform response splitting? Is your application allowing user provided input as the value of the HTTP Response headers? Are you finding Spring Security is doing this? Please elaborate.

[tiwatsuka]

I assume that some careless developers use user input as value of the headers without validation.
I think that any CR/LF in the value of the HTTP response headers have to be trimmed off. Isn't it nice if Spring Security do it by default?

At org.springframework.security.web.firewall.FirewalledResponse#sendRedirect, the argument is checked whether it does not contain CR/LF.
Similarly, the value of header can be checked at addHeader and setHeader.

[rwinch]

@tiwatsuka Thanks for the response. Thanks for explaining the context (I was trying to determine if this was a new feature or a bug).

This would be nice. Would you be interested in providing a pull request?

[eddumelendez]

@rwinch method addHeader is part of OnCommittedResponseWrapper but setHeader is part of MessageBuilder which is in spring-messaging artifact. Should MessageBuilder manage the same behavior?