From 89e32cfb780c5e40e4cbf07f4dcd3fb4bfd979f1 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <github@pcvolkmer.de>
Date: Fri, 18 Sep 2015 09:39:35 +0200
Subject: [PATCH] Fixed possible response splitting vulnerability

It generally might not occure but in some conditions the previous code could be used to inject something into response by manipulating the origin header to include some \n or \r. These sequences should not occure in results CORS headers. Patch replaces all \n or \r in origin header with a white space char. Newer servlet containers like Tomcat 7.x fix this problem, but it might be a good idea to fix this issue within ARSnova. See: https://www.owasp.org/index.php/HTTP_Response_Splitting
---
 src/main/java/de/thm/arsnova/web/CorsFilter.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/de/thm/arsnova/web/CorsFilter.java b/src/main/java/de/thm/arsnova/web/CorsFilter.java
index a250689f2..96d935c07 100644
--- a/src/main/java/de/thm/arsnova/web/CorsFilter.java
+++ b/src/main/java/de/thm/arsnova/web/CorsFilter.java
@@ -41,9 +41,13 @@ public class CorsFilter extends OncePerRequestFilter {
 		response.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With");
 		if (request.getHeader("origin") != null) {
-			response.addHeader("Access-Control-Allow-Origin", request.getHeader("origin"));
+			response.addHeader("Access-Control-Allow-Origin", sanitizeOriginUrl(request.getHeader("origin")));
 		}
 		filterChain.doFilter(request, response);
 	}
+
+	private String sanitizeOriginUrl(String originUrl) {
+		return originUrl.replaceAll("[\n\r]+"," ");
+	}
 }
-- 
GitLab
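Review bot: sanitizeOriginUrl rewrites a CR/LF-bearing Origin into a space-joined string and still reflects it, so a request carrying control characters in Origin gets an Access-Control-Allow-Origin value that is no longer a valid origin at all; treating such a value as malformed and not emitting the header is the cleaner outcome, and the pattern belongs in a `static final Pattern` rather than being recompiled by replaceAll on every request. Independently of the splitting fix, the if block still echoes whatever Origin the client sends back as Access-Control-Allow-Origin, which amounts to trusting every origin; where the deployment serves a known set of front-end hosts, an allowlist check at this point would be the stronger control (whether Allow-Credentials is also set elsewhere in this filter is not visible in the hunk). The new helper has no Javadoc; if it is kept, something like `/** Collapses any CR/LF run in the Origin value to a single space so the echoed header cannot terminate the header line. */` documents why it exists. The enclosing filter method starts before the hunk, and the rewrite below needs `java.util.regex.Pattern` imported at the top of the file, which is outside the hunk.
```java
		String origin = request.getHeader("origin");
		// A value containing CR or LF is not a valid origin: drop the header instead of rewriting it.
		if (origin != null && !CRLF.matcher(origin).find()) {
			response.addHeader("Access-Control-Allow-Origin", origin);
		}
		// … unchanged: filterChain.doFilter(request, response); …
	}

	private static final Pattern CRLF = Pattern.compile("[\\r\\n]");
```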