From fa2352e7bba168ce21f63ccdb59cce70e69b0b98 Mon Sep 17 00:00:00 2001
From: Andrew Jorgensen
Date: Thu, 21 Aug 2008 16:51:54 +0000
Subject: Merge fix for Bug 418620 - Sys.Web is prone to "HTTP header injection" attacks
svn path=/branches/mono-1-9-1-1/mcs/; revision=111276
---
 .../System.Web/System.Web.Configuration/ChangeLog | 6 +++
 .../System.Web.Configuration/HttpRuntimeConfig.cs | 4 +-
 mcs/class/System.Web/System.Web/ChangeLog | 6 +++
 .../System.Web/System.Web/HttpResponseHeader.cs | 50 +++++++++++++++++++++-
 4 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/mcs/class/System.Web/System.Web.Configuration/ChangeLog b/mcs/class/System.Web/System.Web.Configuration/ChangeLog
index 818436edf34..b51712504f9 100644
--- a/mcs/class/System.Web/System.Web.Configuration/ChangeLog
+++ b/mcs/class/System.Web/System.Web.Configuration/ChangeLog
@@ -1,3 +1,9 @@
+2008-08-20 Marek Habersack
+
+ * HttpRuntimeConfig.cs: implemented the undocumented (but
+ supported in .NET 1.1) option EnableHeaderChecking to support fix
+ for bug #416620
+
 2008-02-28 Marek Habersack
 * HandlerFactoryConfiguration.cs: ignore case when matching
diff --git a/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs b/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
index 88c1405f8ea..b2b7f77ed2d 100644
--- a/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
+++ b/mcs/class/System.Web/System.Web.Configuration/HttpRuntimeConfig.cs
@@ -55,7 +55,8 @@ namespace System.Web.Configuration
 public int IdleTimeout = 20; // minutes
 public bool Enable = true;
 public string VersionHeader;
-
+ public bool EnableHeaderChecking = true;
+
 /* Only the config. handler should create instances of this. Use GetInstance (context) */
 public HttpRuntimeConfig (object p) {
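Review bot: Neither hunk of HttpRuntimeConfig.cs reads the new `EnableHeaderChecking` field from the configuration element: the first hunk declares it with a default of true and the second (at @@ -92,6 +93,7 @@) only copies it from the parent, so unless the section handler, which is not in this diff, parses an `enableHeaderChecking` attribute, the option the ChangeLog says is implemented cannot actually be switched off. Always-on is the safe direction to fail, but the parsing site should be confirmed so the documented opt-out does not silently do nothing. A comment on the field would tell readers what it gates, e.g. `// When true (default), CR/LF in response header values are percent-encoded; see HttpResponseHeader.`. The ChangeLog entry in this hunk cites bug #416620 while the commit subject and the System.Web ChangeLog cite 418620, which looks like a typo. The constructor whose opening brace ends the first hunk continues outside it.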
@@ -92,6 +93,7 @@ namespace System.Web.Configuration
 RequireRootSaveAsPath = parent.RequireRootSaveAsPath;
 IdleTimeout = parent.IdleTimeout;
 Enable = parent.Enable;
+ EnableHeaderChecking = parent.EnableHeaderChecking;
 }
 }
 }
diff --git a/mcs/class/System.Web/System.Web/ChangeLog b/mcs/class/System.Web/System.Web/ChangeLog
index f4a311a5a4f..d1950416c49 100644
--- a/mcs/class/System.Web/System.Web/ChangeLog
+++ b/mcs/class/System.Web/System.Web/ChangeLog
@@ -1,3 +1,9 @@
+2008-08-20 Marek Habersack
+
+ * HttpResponseHeader.cs: encode header values if
+ httpRuntime.enableHeaderChecking is true (default). Fixes bug
+ #418620
+
 2008-04-15 Kornél Pál
 * HttpRuntime.cs: Don't add Date header for error pages either. Fixes bug
diff --git a/mcs/class/System.Web/System.Web/HttpResponseHeader.cs b/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
index 82e30af95db..5f34ec4d392 100644
--- a/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
+++ b/mcs/class/System.Web/System.Web/HttpResponseHeader.cs
@@ -30,17 +30,65 @@
 using System.Collections;
 using System.Text;
+using System.Web.Configuration;
 namespace System.Web
 {
 internal abstract class BaseResponseHeader {
- public string Value;
+ string headerValue;
+
+ public string Value {
+ get { return headerValue; }
+ set { headerValue = EncodeHeader (value); }
+ }
+ static bool headerCheckingEnabled;
+
+ static BaseResponseHeader () {
+#if NET_2_0
+ HttpRuntimeSection section = WebConfigurationManager.GetSection ("system.web/httpRuntime") as HttpRuntimeSection;
+#else
+ HttpRuntimeConfig section = HttpContext.GetAppConfig ("system.web/httpRuntime") as HttpRuntimeConfig;
+#endif
+ headerCheckingEnabled = section == null || section.EnableHeaderChecking;
+ }
+
+
 internal BaseResponseHeader (string val) { Value = val; }
+ string EncodeHeader (string value)
+ {
+ if (value == null || value.Length == 0)
+ return value;
+
+ if (headerCheckingEnabled) {
+ StringBuilder ret = new StringBuilder ();
+ int len = value.Length;
+
+ for (int i = 0; i < len; i++) {
+ switch (value [i]) {
+ case '\r':
+ ret.Append ("%0d");
+ break;
+
+ case '\n':
+ ret.Append ("%0a");
+ break;
+
+ default:
+ ret.Append (value [i]);
+ break;
+ }
+ }
+
+ return ret.ToString ();
+ } else
+ return value;
+ }
+
 internal abstract void SendContent (HttpWorkerRequest wr);
 }
-- cgit v1.2.3
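Review bot: The configuration lookup in the new static constructor is unguarded, so an exception from `WebConfigurationManager.GetSection` or `HttpContext.GetAppConfig` (an unreadable or malformed httpRuntime section) becomes a TypeInitializationException on every header created for the rest of the AppDomain; the `section == null` fallback already fails closed, and a throwing lookup should do the same, e.g. `try { ...lookup... headerCheckingEnabled = section == null || section.EnableHeaderChecking; } catch (Exception) { headerCheckingEnabled = true; }`. EncodeHeader rewrites only '\r' and '\n', which is what CRLF injection needs, but other control characters and NUL are passed through unchanged; that choice deserves a comment on the method, such as `// Neutralises CR/LF only; other control characters are left as-is.`, and whether the header name is checked anywhere is outside this hunk. Because the flag is decided once in the static constructor it cannot follow per-location or per-request configuration; if that is intended, a one-line comment saying so would prevent a later "fix". Presizing with `new StringBuilder (value.Length)` and returning early when `headerCheckingEnabled` is false would also read more simply than the trailing `} else return value;`.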