Package com.microstrategy.web.filter
Class CrlfResponseFilter
- java.lang.Object
  - com.microstrategy.web.filter.CrlfResponseFilter
- All Implemented Interfaces:
  javax.servlet.Filter
public class CrlfResponseFilter extends java.lang.Object implements javax.servlet.Filter
Centralized configuration of the HTTP response to avoid security issues. Fix: CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers ("HTTP Response Splitting").

When and why does it happen?
1. Data enters the web application from an untrusted source, most frequently an HTTP request.
2. That data is included in an HTTP response header and sent back to the user without being validated for malicious characters (CR/LF).

Impact: an attacker may be able to perform cross-site scripting, phishing and cache poisoning attacks. The response produced by the attacker's request can be cached and served to every user of the website; as a final result, the attacker can steal sensitive data and attack users with it.

To enable this filter, add (if not already present) the following <filter> declaration to WEB-INF/web.xml:

<web-app ...>
  ...
  <filter>
    <filter-name>crlfResponseFilter</filter-name>
    <filter-class>com.microstrategy.web.filter.CrlfResponseFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>crlfResponseFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
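As an added example, not the project's own code (the page does not show the internals of CrlfResponseFilter or its CrlfResponseWrapper), a minimal filter of the same shape: it wraps the HttpServletResponse so that CR and LF are stripped from header values and redirect targets before the container writes them. The class and method names below are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Illustrative filter only (assumption): it is not MicroStrategy's CrlfResponseFilter
// or its CrlfResponseWrapper, whose internals this page does not show.
public class CrlfStrippingFilter implements Filter {
    // Remove CR and LF so a value can never terminate the current header line
    // or inject a new one (the CWE-113 condition described above).
    static String neutralize(String value) {
        return value == null ? null : value.replace("\r", "").replace("\n", "");
    }

    // Wrapper that funnels every header-setting path through neutralize().
    static class SafeHeaderResponse extends HttpServletResponseWrapper {
        SafeHeaderResponse(HttpServletResponse response) {
            super(response);
        }
        @Override public void setHeader(String name, String value) {
            super.setHeader(name, neutralize(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(name, neutralize(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            // Location is a header too: a redirect target built from request
            // data is the classic response-splitting entry point.
            super.sendRedirect(neutralize(location));
        }
    }

    @Override public void init(FilterConfig filterConfig) throws ServletException { }

    @Override public void doFilter(ServletRequest request, ServletResponse response,
                                   FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new SafeHeaderResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override public void destroy() { }
}
```

It is registered in web.xml the same way the fragment above registers crlfResponseFilter. Many servlet containers already reject or replace CR/LF in header values; the wrapper makes that guarantee explicit and independent of container behaviour.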
Nested Class Summary
  Modifier and Type   Class
  static class        CrlfResponseFilter.CrlfResponseWrapper

Constructor Summary
  Constructor
  CrlfResponseFilter()

Method Summary
  Modifier and Type   Method
  void                destroy()
  void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
  static boolean      getIsRemoveCrlf()
  void                init(javax.servlet.FilterConfig filterConfig)
  static void         setIsRemoveCrlf(boolean enableRemoveCrlf)
Method Detail

init
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
- Specified by:
  init in interface javax.servlet.Filter
- Throws:
  javax.servlet.ServletException

doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws java.io.IOException, javax.servlet.ServletException
- Specified by:
  doFilter in interface javax.servlet.Filter
- Throws:
  java.io.IOException
  javax.servlet.ServletException

destroy
public void destroy()
- Specified by:
  destroy in interface javax.servlet.Filter

setIsRemoveCrlf
public static void setIsRemoveCrlf(boolean enableRemoveCrlf)

getIsRemoveCrlf
public static boolean getIsRemoveCrlf()