How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

pit*_*kiy 5 c# cookies veracode

After running Veracode, it reported the following error on the code snippet below: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')":

protected override void InitializeCulture() {
    //If true then setup the ability to have a different culture loaded
    if (AppSettings.SelectLanguageVisibility) {
        //Create cookie variable and check to see if that cookie exists and set it if it does.
        HttpCookie languageCookie = new HttpCookie("LanguageCookie");
        if (Request.Cookies["LanguageCookie"] != null)
            languageCookie = Request.Cookies["LanguageCookie"];

        //Check to see if the user is changing the language using a query string.
        if (Server.UrlDecode(Request.QueryString["l"]) != null)
            languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

        //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
        if (languageCookie.Value == null)
            languageCookie.Value = string.Empty;

        string culture = languageCookie.Value.ToString();
        if (string.IsNullOrEmpty(culture))
            culture = "Auto";

        //Use to set the Culture and UI Culture.
        this.UICulture = culture;
        this.Culture = culture;
        if (culture != "Auto") {
            //If culture is changed set the new Current Culture and CurrentUICulture.
            System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
            System.Threading.Thread.CurrentThread.CurrentCulture = ci;
            System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
        }

        //Update the cookie value with the new culture and initialize the culture.
        Response.Cookies.Set(languageCookie);
        Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
        Response.Cookies["LanguageCookie"].HttpOnly = true;
    }
    else {
        //Else keep language as English if localization is not enabled.
        this.UICulture = "en";
        this.Culture = "en";
    }

    base.InitializeCulture();
}

The report points at the line containing this code: Response.Cookies.Set(languageCookie); What fix can be applied to eliminate this error?

Thanks

iX3*_*iX3 7

I believe the problem is because the line

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

accepts (untrusted) user input (i.e. Request.QueryString["l"]). Try adding a function call that removes any carriage return or line feed characters (including their encoded equivalents such as %0d and %0a) from that query string parameter before storing it in languageCookie.

For example, you could try changing that line to:

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
                         .Replace("\r", string.Empty)
                         .Replace("%0d", string.Empty)
                         .Replace("%0D", string.Empty)
                         .Replace("\n", string.Empty)
                         .Replace("%0a", string.Empty)
                         .Replace("%0A", string.Empty);

Although this could probably be cleaned up a bit (I'm not a C# programmer at the moment).

See also
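An allowlist version of the same fix, as an added example that is not code from the question, from either answer, or from Veracode. Instead of stripping known-bad characters out of the "l" parameter, it accepts the parameter only if it matches one of the cultures the application actually supports, and it writes the canonical name from that list into the cookie rather than the raw input, so nothing attacker-controlled ever reaches the Set-Cookie header. The `CultureSelection` class, the `LocalizedPage` class and the list of supported cultures are hypothetical names chosen for this example; the body of `InitializeCulture` otherwise mirrors the question's method (the `AppSettings.SelectLanguageVisibility` branch is omitted for brevity).

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Web;
using System.Web.UI;

// Added example (not from the question or answers): allowlist validation of the
// user-selected culture. Names in this class are assumptions for illustration.
public static class CultureSelection
{
    // Hypothetical allowlist: replace with the cultures you ship resources for.
    private static readonly string[] Supported = { "en", "en-US", "fr", "de", "es", "zh-CN" };

    public const string AutoCulture = "Auto";

    // Returns the canonical allowlisted culture name for a user-supplied value, or
    // null when the value is missing, contains control characters (CR, LF, ...) or
    // is not supported. The return value is always an element of Supported, never
    // the raw input, so the caller cannot accidentally echo attacker data.
    public static string Canonicalize(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
            return null;

        // CR/LF or any other control character has no place in a culture name.
        if (raw.Any(char.IsControl))
            return null;

        // Culture names are short (e.g. "en", "zh-Hant-TW"); reject oversized input early.
        if (raw.Length > 16)
            return null;

        return Supported.FirstOrDefault(c => string.Equals(c, raw, StringComparison.OrdinalIgnoreCase));
    }

    // Stand-alone console check on constructed benign, malformed and hostile inputs.
    public static void Main()
    {
        string[] samples =
        {
            "fr",
            "EN-us",                              // wrong case, still maps to canonical "en-US"
            "",                                   // no selection made
            "fr\r\nSet-Cookie: session=attacker", // CRLF as Request.QueryString delivers it after decoding
            "fr%0d%0aSet-Cookie: x=y",            // literal percent-escapes; not a supported name either
            "xx-INVALID",
        };
        foreach (var s in samples)
        {
            string shown = s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine("{0,-45} -> {1}", shown, Canonicalize(s) ?? "(rejected)");
        }
    }
}

// How the question's InitializeCulture would use the validator (hypothetical page class).
public class LocalizedPage : Page
{
    protected override void InitializeCulture()
    {
        HttpCookie cookie = Request.Cookies["LanguageCookie"] ?? new HttpCookie("LanguageCookie");

        // Request.QueryString values are already URL-decoded by ASP.NET, so no second
        // Server.UrlDecode is applied here. Query string wins over the cookie; both are
        // untrusted and both pass through the allowlist.
        string culture = CultureSelection.Canonicalize(Request.QueryString["l"])
                         ?? CultureSelection.Canonicalize(cookie.Value)
                         ?? CultureSelection.AutoCulture;

        UICulture = culture;
        Culture = culture;
        if (culture != CultureSelection.AutoCulture)
        {
            CultureInfo ci = CultureInfo.GetCultureInfo(culture);
            System.Threading.Thread.CurrentThread.CurrentCulture = ci;
            System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
        }

        // Only the canonical allowlisted name (or empty for "Auto") is written back.
        cookie.Value = culture == CultureSelection.AutoCulture ? string.Empty : culture;
        cookie.Expires = DateTime.Now.AddYears(1);
        cookie.HttpOnly = true;
        Response.Cookies.Set(cookie);

        base.InitializeCulture();
    }
}
```

Two points worth checking in your own code when applying this. First, `Request.QueryString["l"]` is already URL-decoded, so the extra `Server.UrlDecode` in the question decodes twice: an input of `%250d%250a` becomes `%0d%0a` on the first pass and a real CR LF on the second, which is exactly why stripping `%0d`/`%0a` text after decoding is not the same as rejecting control characters. Second, a denylist only blocks the characters it names; an allowlist of culture names makes the header value safe regardless of what new encoding tricks appear, and it also avoids the `CultureInfo` constructor throwing on arbitrary input.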


Tar*_*run 5

The simplest way to eliminate this issue is to use the ESAPI HttpUtilities present in the esapi jar. You can use

ESAPI.httpUtilities().setHeader(response,param,value);
ESAPI.httpUtilities().addCookies(response, param,value);

and similar methods for other tasks. You need to have ESAPI.properties on your classpath. This is how we implemented it for Java. The same functionality is available for other languages as well.

No extra work is needed; it will resolve the issue in Veracode.