This repository has been archived by the owner on Oct 1, 2018. It is now read-only.
The original problem we encountered is this one: https://bugs.eclipse.org/bugs/show_bug.cgi?id=444222
As a colleague from the Jetty team clarified, folded HTTP headers are forbidden: http://tools.ietf.org/html/rfc7230#section-3.2.4
However, the toString() method of com.sun.xml.messaging.saaj.packaging.mime.internet.ParameterList injects a \r\n\t into the Content-Type when it would exceed 76 characters.
This causes problems when SAAJ is used together with Jetty.
Affected Versions
[current]
gregwilkins said:
Note also that there is no provision in the servlet API to pass prefolded headers, either in response.setContentType or in response.setHeader.
Any attempt to allow the injection of \r\n characters in header values would expose the server to significant security problems. For example, if an attacker were able to influence a content type and/or header value to be something like: application/soap+xml; charset=utf-8; \r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n .... then responses could be injected.
We cannot rely on the application to provide the \t that turns a response injection attack into a folded header value.
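The two sides of the argument above, as an added illustration in Python (not code from SAAJ, Jetty or this issue; the header values are constructed samples, not real ParameterList output): the sender unfolds an RFC 7230 obs-fold before calling the servlet API, and the container still refuses any CR or LF, since it cannot know whether a following tab was a fold or an injection.

```python
import re

# RFC 7230 section 3.2.4: obs-fold is CRLF followed by one or more SP / HTAB.
# It is forbidden on the wire; a recipient that still tolerates it must replace
# each obs-fold with SP before interpreting the field value.
OBS_FOLD = re.compile(r"\r\n[ \t]+")

# Constructed sample (not SAAJ output): a Content-Type in the shape the thread
# describes, folded with "\r\n\t" once the value passes 76 characters.
FOLDED_CONTENT_TYPE = (
    'multipart/related; type="application/xop+xml"; '
    'boundary="uuid:0123456789-example-boundary";\r\n\t'
    'start="<root.message@example.invalid>"; start-info="text/xml"'
)

# Constructed sample: a value shaped like the injection the thread warns about.
# The CRLF is not followed by whitespace, so it is a field terminator, not a fold.
SPLIT_ATTEMPT = (
    "application/soap+xml; charset=utf-8; \r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n"
)


def unfold_obs_fold(value: str) -> str:
    """Sender side: collapse each obs-fold to one SP before handing the value to
    response.setContentType()/setHeader(). A CRLF that is not a fold is left
    untouched, so the check below still catches it."""
    return OBS_FOLD.sub(" ", value)


def container_accepts(value: str) -> bool:
    """Container side, as the thread describes it: reject any CR or LF in a
    header value whether or not a tab follows it, because the application
    cannot be trusted to supply the whitespace that makes a CRLF a fold."""
    return "\r" not in value and "\n" not in value


def prepare_content_type(value: str) -> str:
    """Unfold, then apply the same rule the container applies; raise on a value
    that is still multi-line after unfolding rather than sending it."""
    unfolded = unfold_obs_fold(value)
    if not container_accepts(unfolded):
        raise ValueError("CR/LF in header value after unfolding: refusing to send")
    return unfolded


if __name__ == "__main__":
    print(prepare_content_type(FOLDED_CONTENT_TYPE))
    try:
        prepare_content_type(SPLIT_ATTEMPT)
    except ValueError as err:
        print("rejected:", err)
```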