Improper Neutralization of CRLF Sequences in HTTP Headers


Problem description

I ran a Veracode scan on my project and it gave me a CWE ID 113 issue under HTTP response splitting. I tried to resolve the issue with their recommendations but it did not work, e.g.:

try
{
    // selNhid comes straight from the request and is concatenated, unencoded,
    // into the redirect target, which becomes the Location response header.
    String selNhid = req.getParameter("selNhid");
    String redirectURL = "/nhwhoods?action=membersNH&selNhid=" + selNhid;
    res.sendRedirect(req.getContextPath() + redirectURL);
}
catch (Exception e)
{
    e.printStackTrace();
}

The above code is from one of the files, and the report shows the error at this line:

res.sendRedirect(req.getContextPath() + redirectURL);

Any suggestions on how to resolve the issue?

Answer

There is a missing URL encoding for the selNhid.

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// URLEncoder.encode(String, Charset) exists since Java 10; on older JDKs use
// URLEncoder.encode(selNhid, "UTF-8") and handle UnsupportedEncodingException.
String redirectURL = "/nhwhoods?action=membersNH&selNhid="
        + URLEncoder.encode(selNhid, StandardCharsets.UTF_8);

The above assumes you are working with UTF-8. Now nasty content will be disarmed as %XX bytes.
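As an added example (not code from the question or the answer above), the following stand-alone Java class puts the vulnerable concatenation next to the hardened one and runs both over a constructed response-splitting payload. The class name, the helper names and the payload are assumptions for illustration; the only servlet-related piece it keeps is the same query-string shape as the question, so it compiles without the servlet API on Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class RedirectEncodingDemo {

    private static final String BASE = "/nhwhoods?action=membersNH&selNhid=";

    // Vulnerable form (what the question's code does): the request parameter is
    // concatenated raw, so a CR/LF inside it reaches the Location header unchanged.
    static String unsafeRedirect(String selNhid) {
        return BASE + selNhid;
    }

    // Hardened form (what the answer recommends): percent-encode the value for the
    // query string. CR becomes %0D and LF becomes %0A, so the header cannot be split.
    static String safeRedirect(String selNhid) {
        String encoded = URLEncoder.encode(selNhid, StandardCharsets.UTF_8); // Java 10+
        String url = BASE + encoded;
        // Belt-and-braces check: fail closed if a header-breaking byte ever survives.
        if (containsCrLf(url)) {
            throw new IllegalArgumentException("CR/LF in redirect target");
        }
        return url;
    }

    // Stricter alternative (assumption: selNhid is a numeric neighbourhood id):
    // reject anything that is not 1-10 digits before it is used at all.
    static String strictRedirect(String selNhid) {
        if (selNhid == null || !selNhid.matches("[0-9]{1,10}")) {
            throw new IllegalArgumentException("selNhid is not a numeric id");
        }
        return BASE + selNhid; // digits need no encoding, but encoding them is harmless too
    }

    // True if the value would terminate the current header line in an HTTP/1.x response.
    static boolean containsCrLf(String headerValue) {
        return headerValue.indexOf('\r') >= 0 || headerValue.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed attacker payload: ends the Location header, injects a
        // Set-Cookie header, ends the header block and supplies a body of its own.
        String payload = "123\r\nSet-Cookie: session=evil\r\n\r\n<html>injected</html>";

        String unsafe = unsafeRedirect(payload);
        System.out.println("unsafe contains CR/LF: " + containsCrLf(unsafe));

        String safe = safeRedirect(payload);
        System.out.println("safe   contains CR/LF: " + containsCrLf(safe));
        System.out.println("safe   Location value: " + safe);

        try {
            strictRedirect(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("strict rejected: " + e.getMessage());
        }
        System.out.println("strict accepted: " + strictRedirect("123"));
    }
}
```

Run it with `java RedirectEncodingDemo.java`. The unsafe string still carries the raw CR/LF pairs, while the encoded string carries `%0D%0A` in their place and the rest of the payload (`:`, `=`, `<`, `>`, `/`) as `%XX` escapes, which is exactly the "disarmed" form the answer describes. Encoding is the general fix because it works for any value; the allowlist variant is worth adding when, as here, the parameter is an identifier with a known shape, since it also stops open-redirect and parameter-pollution tricks that percent-encoding alone does not address.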

