
c# – How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

Published: 2020-12-16 02:00:16  Category: Encyclopedia  Source: compiled from the web

After running VeraCode, it reported the following error on the code snippet below: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')":

protected override void InitializeCulture() {
    //If true then setup the ability to have a different culture loaded
    if (AppSettings.SelectLanguageVisibility) {
        //Create cookie variable and check to see if that cookie exists and set it if it does.
        HttpCookie languageCookie = new HttpCookie("LanguageCookie");
        if (Request.Cookies["LanguageCookie"] != null)
            languageCookie = Request.Cookies["LanguageCookie"];

        //Check to see if the user is changing the language using a query string.
        if (Server.UrlDecode(Request.QueryString["l"]) != null)
            languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

        //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
        if (languageCookie.Value == null)
            languageCookie.Value = string.Empty;

        string culture = languageCookie.Value.ToString();
        if (string.IsNullOrEmpty(culture))
            culture = "Auto";

        //Use to set the Culture and UI Culture.
        this.UICulture = culture;
        this.Culture = culture;
        if (culture != "Auto") {
            //If culture is changed set the new Current Culture and CurrentUICulture.
            System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
            System.Threading.Thread.CurrentThread.CurrentCulture = ci;
            System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
        }

        //Update the cookie value with the new culture and initialize the culture.
        Response.Cookies.Set(languageCookie);
        Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
        Response.Cookies["LanguageCookie"].HttpOnly = true;
    }
    else {
        //Else keep language as English if localization is not enabled.
        this.UICulture = "en";
        this.Culture = "en";
    }

    base.InitializeCulture();
}

The report points at the line containing: Response.Cookies.Set(languageCookie);
What fix can be applied to get rid of this error?

Thanks

Solution

I believe the problem is that this line

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

accepts (untrusted) user input (i.e. Request.QueryString["l"]).
Try adding a function call that strips out any carriage-return or line-feed characters (including their encoded equivalents, such as \r and \n) from that query-string parameter before storing it in languageCookie.

For example, you could try changing that line to:

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
                         .Replace("\r", string.Empty)
                         .Replace("%0d", string.Empty)
                         .Replace("%0D", string.Empty)
                         .Replace("\n", string.Empty)
                         .Replace("%0a", string.Empty)
                         .Replace("%0A", string.Empty);

Although this could probably be cleaned up a bit (I'm not a C# programmer at the moment).

See also

> http://en.wikipedia.org/wiki/HTTP_response_splitting
> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
> https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)
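An allow-list alternative to the stripping approach in the answer, added here as an example and not code from the question, the answer, or VeraCode: only a syntactically valid culture tag that .NET actually recognises is ever written into the cookie, so CR/LF and their encoded forms cannot reach the Set-Cookie header at all. It assumes ASP.NET Web Forms as in the question; `CultureNameValidator`, `SafeCultureName` and `ApplyLanguageFromQuery` are hypothetical names.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web;

// Added example (hypothetical helper): allow-list validation of the "l" parameter.
public static class CultureNameValidator
{
    // BCP 47-style tag: 2-3 letter language, then optional subtags of 2-8 alphanumerics.
    // CR, LF, '%', ';' and other header metacharacters can never match this pattern.
    private static readonly Regex CultureTag =
        new Regex(@"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$", RegexOptions.Compiled);

    // Returns a culture name .NET recognises, or null when the input is missing,
    // malformed, or unknown. The caller falls back to "Auto" on null.
    public static string SafeCultureName(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw) || raw.Length > 32) return null;
        if (!CultureTag.IsMatch(raw)) return null;
        try
        {
            // Normalises casing ("en-us" -> "en-US"). On .NET Framework (NLS) an unknown
            // but well-formed tag throws; with ICU it may be accepted, which is why the
            // regex above remains the primary gate against header injection.
            CultureInfo ci = CultureInfo.GetCultureInfo(raw);
            return ci.Name.Length == 0 ? null : ci.Name; // invariant culture -> null
        }
        catch (CultureNotFoundException)
        {
            return null;
        }
    }

    // Drop-in for the query-string block in InitializeCulture(): Request.QueryString
    // is already URL-decoded by ASP.NET, so no second Server.UrlDecode is applied.
    public static void ApplyLanguageFromQuery(HttpRequest request, HttpCookie languageCookie)
    {
        string candidate = SafeCultureName(request.QueryString["l"]);
        if (candidate != null)
            languageCookie.Value = candidate;
    }
}
```

Because the value is validated rather than filtered, a scanner that flags the tainted flow from Request.QueryString to Response.Cookies has a clear sanitisation point to recognise, and new encodings of CR/LF need no new blacklist entries.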

(Editor: Li Datong)
