Commits

Sebastian Sdorra committed 9138283

fix another possible crlf injection, see issue #320

Comments (0)

Files changed (3)

scm-core/src/main/java/sonia/scm/util/HttpUtil.java

    *
    * @param parameter value
    *
-   * @return true if the request comes from the web interface.
    * @since 1.28
    */
   public static void checkForCRLFInjection(String parameter)
   }
 
   /**
+   * Remove all chars from the given parameter, which could be used for
+   * CRLF injection attack. <stronng>Note:</strong> the current implementation
+   * the "%" char is also removed from the source parameter.
+   *
+   * @param parameter value
+   *
+   * @return the parameter value without crlf chars
+   *
+   * @since 1.28
+   */
+  public static String removeCRLFInjectionChars(String parameter)
+  {
+    return CRLF_CHARMATCHER.removeFrom(parameter);
+  }
+
+  /**
    * Method description
    *
    *

scm-core/src/test/java/sonia/scm/util/HttpUtilTest.java

     HttpUtil.checkForCRLFInjection("abcka");
   }
 
+  /**
+   * Method description
+   *
+   */
+  @Test
+  public void testRemoveCRLFInjectionChars()
+  {
+    assertEquals("any0D0A", HttpUtil.removeCRLFInjectionChars("any%0D%0A"));
+    assertEquals("123abc", HttpUtil.removeCRLFInjectionChars("123\nabc"));
+    assertEquals("123abc", HttpUtil.removeCRLFInjectionChars("123\r\nabc"));
+    assertEquals("123abc", HttpUtil.removeCRLFInjectionChars("123%abc"));
+    assertEquals("123abc", HttpUtil.removeCRLFInjectionChars("123abc"));
+    assertEquals("123", HttpUtil.removeCRLFInjectionChars("123"));
+
+  }
+
   //~--- get methods ----------------------------------------------------------
 
   /**

scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java

 
       output = new BrowserStreamingOutput(service, builder, path);
 
+     /**
+      * protection for crlf injection
+      * see https://bitbucket.org/sdorra/scm-manager/issue/320/crlf-injection-vulnerability-in-diff-api
+      */
+      path = HttpUtil.removeCRLFInjectionChars(path);
+      
       String contentDispositionName = getContentDispositionNameFromPath(path);
 
       response = Response.ok(output).header("Content-Disposition",
     AssertUtil.assertIsNotEmpty(revision);
 
     /**
-     * HttpUtil.checkForCRLFInjection(revision);
+     * check for a crlf injection attack
      * see https://bitbucket.org/sdorra/scm-manager/issue/320/crlf-injection-vulnerability-in-diff-api
      */
     HttpUtil.checkForCRLFInjection(revision);