Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Version: 1.4.1
Description
The JsfUtils used in DeltaSpike URL-encode the values but not the keys. This allows header injection (see https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this attack type). As an example, if I open a page without a window ID and thus get a redirect from DefaultClientWindow.getOrCreateWindowId():
/somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a
will cause the key side to be an unescaped part of the redirect URL and thus cause the cookie to be set. The encodeValues parameter should also cause the keys to be encoded as well.
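The following is an added, self-contained model of the report above; it is not DeltaSpike code and does not use the JsfUtils API. It reproduces the two behaviours side by side: a redirect URL built from the decoded request parameters with only the values URL-encoded (the reported defect), and one with keys encoded too. A small header splitter, standing in for a lenient HTTP parser, then shows which extra header names appear in the resulting Location line. The request URL is the reporter's; the window-id parameter name `dswid` and the window-id value `abc1` are assumptions, and the `reject_crlf` guard is an extra defence-in-depth check of my own, not something the page describes.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed request: the URL from the bug report. The whole query string is one
# parameter *key* with no '=', so the payload lives on the key side.
REQUEST_URL = "/somepage.xhtml?%0aSet-Cookie:%20newcookie%3Dinjectme%0a"
WINDOW_PARAM = "dswid"  # assumed name of the window-id query parameter
WINDOW_ID = "abc1"      # constructed window id


def decoded_params(url):
    """Decode the query string the way a servlet container hands it to the app.
    keep_blank_values=True retains a key that arrived without '=value'."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def build_redirect_vulnerable(path, params, window_id):
    """Model of the reported defect: values are URL-encoded, keys are pasted raw,
    so CR/LF inside a key survives into the redirect URL."""
    parts = [f"{key}={quote(value, safe='')}" for key, value in params]
    parts.append(f"{WINDOW_PARAM}={quote(window_id, safe='')}")
    return f"{path}?{'&'.join(parts)}"


def build_redirect_fixed(path, params, window_id):
    """Corrected behaviour: keys and values are both percent-encoded, so %0A/%0D
    are re-encoded and never reach the header as control characters."""
    parts = [f"{quote(key, safe='')}={quote(value, safe='')}" for key, value in params]
    parts.append(f"{WINDOW_PARAM}={quote(window_id, safe='')}")
    return f"{path}?{'&'.join(parts)}"


def injected_header_names(redirect_url):
    """Split the Location header the way a lenient HTTP parser would (on CRLF, CR
    or LF) and return the names of any header lines that follow the first one."""
    raw_header = f"Location: {redirect_url}"
    lines = re.split(r"\r\n|\r|\n", raw_header)
    names = []
    for line in lines[1:]:
        match = re.match(r"^([A-Za-z0-9-]+):", line)
        if match:
            names.append(match.group(1))
    return names


def reject_crlf(redirect_url):
    """Defence-in-depth guard (my own, not from the page): refuse to emit any
    header value containing CR or LF, regardless of how it was built."""
    if "\r" in redirect_url or "\n" in redirect_url:
        raise ValueError("CR/LF in redirect target; refusing to emit Location header")
    return redirect_url


if __name__ == "__main__":
    params = decoded_params(REQUEST_URL)
    vulnerable = build_redirect_vulnerable("/somepage.xhtml", params, WINDOW_ID)
    fixed = build_redirect_fixed("/somepage.xhtml", params, WINDOW_ID)
    print("vulnerable:", repr(vulnerable), "->", injected_header_names(vulnerable))
    print("fixed:     ", repr(fixed), "->", injected_header_names(fixed))
```

Running it shows the vulnerable URL carrying a literal newline followed by `Set-Cookie: newcookie=injectme`, which the splitter reports as an injected `Set-Cookie` header, while the fixed URL keeps the payload as `%0ASet-Cookie%3A%20...%0A` on a single line. Many servlet containers now refuse CR or LF in header values on their own, but the redirect builder should not depend on that; encoding both sides of every parameter, plus a guard like `reject_crlf` in front of `sendRedirect`, closes the hole at the source.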