Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Views: 429

Question

After R&D I didn't find a solution to this. Please find below the piece of code and help me with this Veracode flaw.

Response.AppendHeader("Content-Disposition"," attachment; filename = " + Session["user_id"] + "_makler.pdf");

DESCRIPTION - A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Answer

You can encode the user input and this will be fixed.

// Server.UrlEncode takes a string, and Session["user_id"] is an object, so convert it first.
// Encoding turns any CR/LF in the value into %0D%0A, so it can no longer terminate the header.
Response.AppendHeader("Content-Disposition", " attachment; filename = " + Server.UrlEncode(Convert.ToString(Session["user_id"])) + "_makler.pdf");
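The following stand-alone console program is an added example, not code from the question or the answer. It shows why the encoding fix closes the response-splitting flaw: a constructed user id containing a CRLF pair and a fake header line is passed through the same kind of encoding (System.Net.WebUtility.UrlEncode stands in for Server.UrlEncode here so the program needs no ASP.NET host), and the result is checked for raw CR/LF characters. It also shows a stricter allow-list check, IsSafeHeaderToken, which is an assumed helper for the common case where a user id is only ever alphanumeric.

```csharp
using System;
using System.Net;

// Added example: demonstrates neutralizing CRLF in a header value built from untrusted input.
// All sample values below are constructed for the demonstration.
public static class HeaderSafety
{
    // Mirrors the answer's fix: encode the untrusted part before it is placed in the header.
    // WebUtility.UrlEncode is the framework-neutral equivalent of Server.UrlEncode.
    public static string BuildContentDisposition(object userId)
    {
        string encoded = WebUtility.UrlEncode(Convert.ToString(userId) ?? string.Empty);
        return "attachment; filename=" + encoded + "_makler.pdf";
    }

    // True when the value contains a bare CR or LF, i.e. it could still split the response.
    public static bool ContainsCrLf(string headerValue)
    {
        return headerValue.IndexOf('\r') >= 0 || headerValue.IndexOf('\n') >= 0;
    }

    // Assumed stricter alternative (not from the post): allow only the characters a user id
    // is expected to contain and refuse everything else instead of encoding it.
    public static bool IsSafeHeaderToken(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        foreach (char c in value)
        {
            if (!(char.IsLetterOrDigit(c) || c == '-' || c == '_')) return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed hostile value: a CRLF pair followed by a line that looks like a header.
        string hostile = "42\r\nX-Injected: yes";

        string header = BuildContentDisposition(hostile);
        Console.WriteLine(header);
        Console.WriteLine("raw CR/LF present after encoding: " + ContainsCrLf(header));

        Console.WriteLine("allow-list accepts \"42\": " + IsSafeHeaderToken("42"));
        Console.WriteLine("allow-list accepts hostile value: " + IsSafeHeaderToken(hostile));
    }
}
```

The encoded header keeps the CR and LF only as percent-escapes, so the response still consists of a single Content-Disposition line. Two caveats a practitioner would want: URL-encoding also rewrites spaces and non-ASCII characters in the filename, so the allow-list approach gives a cleaner download name when the id is known to be a simple token; and ASP.NET's own header checking (the httpRuntime enableHeaderChecking setting, on by default) already encodes CR/LF in response headers, but static analyzers such as Veracode still flag the unsanitized data flow, so the explicit encoding in the answer is what makes the finding go away.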
