Tapestry 5: TAP5-1004

X-Tapestry-ErrorMessage may lead to HTTP Response Splitting

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 5.1.0.5
    • Fix Version/s: 5.2.1
    • Component/s: tapestry-core
    • Labels:
      None

      Description

      The DefaultRequestExceptionHandler sets the X-Tapestry-ErrorMessage header but fails to sanitize or encode the error message. This enables an attacker to inject malicious HTTP headers or to provide a 2nd HTTP response.

        Activity

        Hudson added a comment -

        Integrated in tapestry-5.2-freestyle #196 (See https://hudson.apache.org/hudson/job/tapestry-5.2-freestyle/196/)
        TAP5-1004: URLEncode the exception message encoded as a response header and decode it on the client before displaying it to the user

        Howard M. Lewis Ship added a comment -

        Where this fix will help is when the message contains unescaped HTML characters. Those will be converted to %xx values, which helps. We then unencode them on the client side, and escapeHTML() before writing the error or debug message. Such messages now appear correctly to the user.

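        The header problem from the description and the encode-then-decode fix Howard describes, modelled as an added example in plain JavaScript (not Tapestry's own code): a raw response with the exception message copied verbatim into X-Tapestry-ErrorMessage beside the percent-encoded form, a header-terminator count and header-value check a defender can run, and the client-side decode followed by escapeHTML(). The response builders, countHeaderTerminators, isValidHeaderValue and readErrorMessage are assumed helpers, and encodeURIComponent stands in for Java's URLEncoder.

```javascript
// Added example (not Tapestry's code): models the X-Tapestry-ErrorMessage bug
// and the TAP5-1004 fix in plain JavaScript. Assumed helpers: a toy response
// builder, a boundary counter, a header-value check and a client-side reader.
const CRLF = "\r\n";
const HEADER = "X-Tapestry-ErrorMessage: ";

// Vulnerable construction: the exception message is copied into the header
// verbatim, so any CRLF pair inside it ends the header block early.
function buildResponseUnsafe(message, body) {
  return "HTTP/1.1 500 Internal Server Error" + CRLF +
    HEADER + message + CRLF +
    "Content-Type: text/html;charset=UTF-8" + CRLF + CRLF + body;
}

// Hardened construction: percent-encode the message first (the fix used
// Java's URLEncoder; encodeURIComponent plays that role here), so the header
// value can contain no CR, LF or other control characters.
function buildResponseSafe(message, body) {
  return buildResponseUnsafe(encodeURIComponent(message), body);
}

// Defender's check on raw response text: a single well-formed response has
// exactly one blank-line header terminator; more than one means splitting.
function countHeaderTerminators(raw) {
  return raw.split(CRLF + CRLF).length - 1;
}

// Guard to apply before calling setHeader(): reject values that would break
// the header line structure instead of passing them through silently.
function isValidHeaderValue(value) {
  return !/[\r\n\0]/.test(value);
}

// Client side, as Howard describes: decode the %xx form, then escape HTML
// metacharacters before the text is written into the page.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function readErrorMessage(raw) {
  const headerLines = raw.split(CRLF + CRLF)[0].split(CRLF);
  const line = headerLines.find(h => h.startsWith(HEADER));
  if (!line) return null;
  return escapeHTML(decodeURIComponent(line.slice(HEADER.length)));
}
```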
        Howard M. Lewis Ship added a comment -

        I'm not sure this occurs, at least not with Jetty (I haven't tried with Tomcat). I'm seeing the whitespace in the message reduced.

        Paul Rehrl added a comment - edited

        A blank line (2 '\n') separates the body from the HTTP Header. Therefore one is able to provide the error document and start a whole new HTTP header.

        I think the error message should be URL encoded (http://en.wikipedia.org/wiki/Percent-encoding). URL encoding leaves no problematic characters and the Javascript function unescape() will decode it.

        Denis Delangle added a comment -

        Furthermore, the X-Tapestry-ErrorMessage is written before the "Content-Encoding gzip" header, so the response is displayed compressed or not displayed at all.

        If the exception message contains 2 "\n", the header is not well formed.

        For instance, a page with this content fails to display the error page with Firefox:

        @SetupRender
        public void testError() throws Exception
        {
            String message = "titi \n toto \n";
            throw new Exception(message);
        }

        The response headers under Firebug are:

        Date Tue, 23 Feb 2010 14:14:35 GMT
        Server Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
        X-Tapestry-ErrorMessage Render queue error in SetupRender[report/test/Page]: java.lang.Exception: titi toto

        If I execute the test with only one "\n", the error page is displayed correctly:

        @SetupRender
        public void testError() throws Exception
        {
            String message = "titi \n toto";
            throw new Exception(message);
        }

        The response headers are:

        Date Tue, 23 Feb 2010 14:21:29 GMT
        Server Jetty/5.1.x (Mac OS X/10.6.2 x86_64 java/1.6.0_17
        X-Tapestry-ErrorMessage Render queue error in SetupRender[report/test/Page]: java.lang.Exception: titi toto
        Content-Type text/html;charset=UTF-8
        Content-Encoding gzip
        Transfer-Encoding chunked


          People

          • Assignee: Howard M. Lewis Ship
          • Reporter: Paul Rehrl
          • Votes: 2
          • Watchers: 1