How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"


Problem description

After running VeraCode, it reported the following error, "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", in the following code fragment:

protected override void InitializeCulture() {
    //If true then setup the ability to have a different culture loaded
    if (AppSettings.SelectLanguageVisibility) {
        //Create cookie variable and check to see if that cookie exists and set it if it does.
        HttpCookie languageCookie = new HttpCookie("LanguageCookie");
        if (Request.Cookies["LanguageCookie"] != null)
            languageCookie = Request.Cookies["LanguageCookie"];

        //Check to see if the user is changing the language using a query string.
        if (Server.UrlDecode(Request.QueryString["l"]) != null)
            languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

        //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
        if (languageCookie.Value == null)
            languageCookie.Value = string.Empty;

        string culture = languageCookie.Value.ToString();
        if (string.IsNullOrEmpty(culture))
            culture = "Auto";

        //Use to set the Culture and UI Culture.
        this.UICulture = culture;
        this.Culture = culture;
        if (culture != "Auto") {
            //If culture is changed set the new Current Culture and CurrentUICulture.
            System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
            System.Threading.Thread.CurrentThread.CurrentCulture = ci;
            System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
        }

        //Update the cookie value with the new culture and initialize the culture.
        Response.Cookies.Set(languageCookie);
        Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
        Response.Cookies["LanguageCookie"].HttpOnly = true;
    }
    else {
        //Else keep language as English if localization is not enabled.
        this.UICulture = "en";
        this.Culture = "en";
    }

    base.InitializeCulture();
}

The report points to the line containing the following code: Response.Cookies.Set(languageCookie); What fix can be used to eliminate that error?

Thanks

Recommended answer

The easiest way to remove this issue is to use the ESAPI HTTPUtilities present in the esapi jar. You can use

// ESAPI validates name and value (CR/LF included) before writing the header
ESAPI.httpUtilities().setHeader(response, param, value);
// ESAPI's HTTPUtilities exposes addCookie(HttpServletResponse, Cookie), not addCookies(response, param, value)
ESAPI.httpUtilities().addCookie(response, new Cookie(param, value));

and similar methods for other tasks. You will need to have ESAPI.properties set in your classpath. This is the way we implemented it for Java. The same features are available for other languages too.

No additional work is required and it will solve the issue in Veracode.
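As an added example (not part of the question or the answer above), the same neutralization written out in Python: the already-decoded "l" parameter is accepted only if it looks like a culture name, anything else falls back to "Auto" just as the original does for an empty cookie, and the header serialiser refuses CR/LF outright. The function names, the culture pattern and the sample inputs are my own assumptions.

```python
import re

# Constructed allowlist for a culture name as used on the page: "Auto", "en",
# "en-US", "zh-Hans-CN". The pattern is an assumption; tighten it to the
# cultures the application actually ships.
CULTURE_RE = re.compile(r"^(Auto|[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*)$")
CRLF_RE = re.compile(r"[\r\n]")


def contains_crlf(value: str) -> bool:
    """True if the value could terminate an HTTP header line."""
    return CRLF_RE.search(value) is not None


def neutralize_language(raw):
    """Hypothetical replacement for the page's cookie logic: takes the already
    URL-decoded 'l' parameter (or existing cookie value) and returns the culture
    that may be stored in LanguageCookie. Anything that is not a culture name,
    CR/LF included, falls back to "Auto" exactly as the original does for an
    empty cookie, so no untrusted bytes ever reach the Set-Cookie header."""
    if not raw:
        return "Auto"
    if contains_crlf(raw) or CULTURE_RE.fullmatch(raw) is None:
        return "Auto"
    return raw


def set_cookie_header(name: str, value: str) -> str:
    """Constructed serialiser standing in for Response.Cookies.Set: it is the
    last line of defence and refuses a name or value containing CR/LF instead
    of emitting a second header line."""
    for part in (name, value):
        if contains_crlf(part):
            raise ValueError("CR/LF is not allowed in an HTTP header field")
    return f"Set-Cookie: {name}={value}; HttpOnly"


if __name__ == "__main__":
    # Constructed inputs: a normal request, an empty one, and one carrying CR/LF.
    for param in ("en-US", "", "en\r\nSet-Cookie: injected=1"):
        culture = neutralize_language(param)
        print(repr(param), "->", set_cookie_header("LanguageCookie", culture))
```

Validating the value where it enters (the query parameter) is what the scanner traces; the check in the serialiser only catches what the validator missed.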
