Improper Neutralization of CRLF Sequences in HTTP Headers
Question
I ran a Veracode scan on my project and it gave me a CWE ID 113 issue under HTTP response splitting. I tried to resolve the issue with their recommendations but it did not work. e.g.
try
{
    // Untrusted request parameter taken straight from the query string
    String selNhid = req.getParameter("selNhid");
    // Concatenated into the redirect target without any encoding
    String redirectURL = "/nhwhoods?action=membersNH&selNhid=" + selNhid;
    // The scanner flags this line: redirectURL becomes the Location header
    res.sendRedirect(req.getContextPath() + redirectURL);
}
catch (Exception e)
{
    e.printStackTrace();
}
The above code is from one of the files, and the report shows the error at the line
res.sendRedirect(req.getContextPath() + redirectURL);
Any suggestions on how to resolve the issue?
Recommended answer
There is missing URL encoding for selNhid.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
String redirectURL = "/nhwhoods?action=membersNH&selNhid="
        + URLEncoder.encode(selNhid, StandardCharsets.UTF_8);
The above assumes you are working with UTF-8. Now nasty content will be disarmed as %XX bytes.
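The following is an added, stand-alone example (not code from the question or the answer above) that puts the flagged concatenation next to the encoded version and checks the resulting Location value for CR and LF, which is what CWE-113 is about. The class and method names are hypothetical, and the tainted input is constructed for the demonstration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical helper class illustrating the fix recommended in the answer.
public class SafeRedirect {

    // As in the question: the raw parameter is concatenated into the
    // string that sendRedirect() turns into the Location header.
    static String buildRedirectUnsafe(String contextPath, String selNhid) {
        return contextPath + "/nhwhoods?action=membersNH&selNhid=" + selNhid;
    }

    // The fix: percent-encode the parameter, so CR (0x0D) and LF (0x0A)
    // become "%0D%0A" and can no longer terminate the header line.
    // URLEncoder.encode(String, Charset) requires Java 10 or later.
    static String buildRedirectSafe(String contextPath, String selNhid) {
        return contextPath + "/nhwhoods?action=membersNH&selNhid="
                + URLEncoder.encode(selNhid, StandardCharsets.UTF_8);
    }

    // Defence in depth: a header value must never contain a raw CR or LF.
    static boolean isHeaderSafe(String headerValue) {
        return headerValue.indexOf('\r') < 0 && headerValue.indexOf('\n') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample input carrying a CRLF sequence, the kind of
        // value the scanner assumes an attacker could supply.
        String tainted = "42\r\nX-Test: 1";

        String unsafe = buildRedirectUnsafe("/app", tainted);
        String safe = buildRedirectSafe("/app", tainted);

        System.out.println("unsafe value passes check: " + isHeaderSafe(unsafe));
        System.out.println("encoded value passes check: " + isHeaderSafe(safe));
        System.out.println("encoded redirect target: " + safe);
    }
}
```

Running it shows the unencoded value failing the CR/LF check while the encoded one passes, with the control characters visible as %0D%0A in the redirect target.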