Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
ResponseSplittingPreventer |
|
| 1.625;1.625 | ||||
ResponseSplittingPreventer$1 |
|
| 1.625;1.625 | ||||
ResponseSplittingPreventer$ResponseSplittingPreventingResponse |
|
| 1.625;1.625 |
1 | /* | |
2 | * Copyright (c) 2003-2011, Simon Brown | |
3 | * All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions are met: | |
7 | * | |
8 | * - Redistributions of source code must retain the above copyright | |
9 | * notice, this list of conditions and the following disclaimer. | |
10 | * | |
11 | * - Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in | |
13 | * the documentation and/or other materials provided with the | |
14 | * distribution. | |
15 | * | |
16 | * - Neither the name of Pebble nor the names of its contributors may | |
17 | * be used to endorse or promote products derived from this software | |
18 | * without specific prior written permission. | |
19 | * | |
20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | |
24 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
25 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
26 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
27 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
28 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
29 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
30 | * POSSIBILITY OF SUCH DAMAGE. | |
31 | */ | |
32 | package net.sourceforge.pebble.web.filter; | |
33 | ||
34 | import javax.servlet.*; | |
35 | import javax.servlet.http.HttpServletResponse; | |
36 | import javax.servlet.http.HttpServletResponseWrapper; | |
37 | import java.io.IOException; | |
38 | ||
39 | /** | |
40 | * Filter that protects against HTTP response splitting | |
41 | * | |
42 | * @author James Roper | |
43 | */ | |
44 | 24 | public class ResponseSplittingPreventer implements Filter { |
45 | public void init(FilterConfig filterConfig) throws ServletException { | |
46 | 0 | } |
47 | ||
48 | public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { | |
49 | 24 | if (servletResponse instanceof HttpServletResponse) { |
50 | 24 | servletResponse = new ResponseSplittingPreventingResponse((HttpServletResponse) servletResponse); |
51 | } | |
52 | 24 | filterChain.doFilter(servletRequest, servletResponse); |
53 | 12 | } |
54 | ||
55 | public void destroy() { | |
56 | 0 | } |
57 | ||
58 | 24 | private static class ResponseSplittingPreventingResponse extends HttpServletResponseWrapper { |
59 | private ResponseSplittingPreventingResponse(HttpServletResponse response) { | |
60 | 24 | super(response); |
61 | 24 | } |
62 | ||
63 | @Override | |
64 | public void setHeader(String name, String value) { | |
65 | 8 | super.setHeader(name, check(value)); |
66 | 4 | } |
67 | ||
68 | @Override | |
69 | public void addHeader(String name, String value) { | |
70 | 8 | super.addHeader(name, check(value)); |
71 | 4 | } |
72 | ||
73 | @Override | |
74 | public void sendRedirect(String location) throws IOException { | |
75 | 8 | super.sendRedirect(check(location)); |
76 | 4 | } |
77 | ||
78 | private String check(String value) { | |
79 | 96 | for (int i = 0; i < value.length(); i++) { |
80 | 84 | char c = value.charAt(i); |
81 | 84 | if (c == '\n' || c == '\r') { |
82 | 12 | throw new IllegalArgumentException("Carriage return and line feed characters are not allowed in HTTP headers"); |
83 | } | |
84 | } | |
85 | 12 | return value; |
86 | } | |
87 | } | |
88 | } |