C# “如何修复”;HTTP头中CRLF序列的不正确中和(“HTTP响应拆分”);
运行VeraCode后,它在以下代码片段中报告了以下错误“HTTP头中CRLF序列的不正确中和('HTTP响应拆分'):C# “如何修复”;HTTP头中CRLF序列的不正确中和(“HTTP响应拆分”);,c#,cookies,veracode,C#,Cookies,Veracode,运行VeraCode后,它在以下代码片段中报告了以下错误“HTTP头中CRLF序列的不正确中和('HTTP响应拆分'): protected override void InitializeCulture() { //If true then setup the ability to have a different culture loaded if (AppSettings.SelectLanguageVisibility) { //C
protected override void InitializeCulture() {
//If true then setup the ability to have a different culture loaded
if (AppSettings.SelectLanguageVisibility) {
//Create cookie variable and check to see if that cookie exists and set it if it does.
HttpCookie languageCookie = new HttpCookie("LanguageCookie");
if (Request.Cookies["LanguageCookie"] != null)
languageCookie = Request.Cookies["LanguageCookie"];
//Check to see if the user is changing the language using a query string.
if (Server.UrlDecode(Request.QueryString["l"]) != null)
languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);
//Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
if (languageCookie.Value == null)
languageCookie.Value = string.Empty;
string culture = languageCookie.Value.ToString();
if (string.IsNullOrEmpty(culture))
culture = "Auto";
//Use to set the Culture and UI Culture.
this.UICulture = culture;
this.Culture = culture;
if (culture != "Auto") {
//If culture is changed set the new Current Culture and CurrentUICulture.
System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
System.Threading.Thread.CurrentThread.CurrentCulture = ci;
System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
}
//Update the cookie value with the new culture and initialize the culture.
Response.Cookies.Set(languageCookie);
Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
Response.Cookies["LanguageCookie"].HttpOnly = true;
}
else {
//Else keep language as English if localization is not enabled.
this.UICulture = "en";
this.Culture = "en";
}
base.InitializeCulture();
}
谢谢我认为问题在于线路
languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);
Request.QueryString[“l”]languageCookie%0d%0alanguageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
.Replace("\r", string.Empty)
.Replace("%0d", string.Empty)
.Replace("%0D", string.Empty)
.Replace("\n", string.Empty)
.Replace("%0a", string.Empty)
.Replace("%0A", string.Empty);
- 消除此问题的最简单方法是使用ESAPI jar中的ESAPI httputilities。
你可以用
ESAPI.httpUtilities().setHeader(response,param,value);
ESAPI.httpUtilities().addCookies(response, param,value);
response.setHeader(headerKey,headerValue);
response.addHeader(headerKey, headerValue);
DefaultHTTPUtilities httpUtilities = new DefaultHTTPUtilities();
httpUtilities.setHeader(headerKey,headerValue);
httpUtilities.addHeader(response, headerKey,headerValue);
一个使用StringUtils替换所有导致CRLF的字符的行程序。它对我有用
StringUtils.replaceach(strForCRLF,新字符串[]{“\n”、“\r”、“%0d”、“%0d”、“%0a”、“%0a”},新字符串[]{“、”、“”、“”、“”、“”、“}) 当配置选项EnableHeaderChecking为true(默认值)时,ASP.Net将自动检查响应头并对CRLF字符进行编码,这看起来像是误报。这从.Net framework的2.0版开始提供,还将保护响应头不受cookie名称中存在的CRLF字符的影响 参考资料:
- (尽管这个答案是针对java的,但它包含了到认可的消毒剂列表的链接,包括C#)
<httpCookies httpOnlyCookies="true"/>
什么是DefaultHTTPUtilities对象?它在哪个图书馆?它是第三方对象吗?开源?这里有一个问题,setHeader和addHeader中headerKey的长度都受到硬编码的限制,setHeader是50,addHeader是20。但是我想添加一个长度超过20…的头,它总是失败。即使我覆盖了addHeader,response.addHeader也会触发veracode问题……有什么想法吗?这个“答案”看起来像是从veracode的文档中复制并粘贴的。你在这里提供了什么新的信息?我知道这是一个老问题,但假设你找到了一个解决方案,如果你能将一个答案标记为已接受,那就太好了。(如果没有合适的,那么您可以添加自己的并选择一个。)这是java。C#不使用ESAPI。是的,它是Java,也许我们需要在这里进行衍生。无论如何,addCookie的当前签名是:ESAPI.httpUtilities().addCookie(响应,cookie)@devwebcl:我正在准备.NET的派生库:)请在ESAPI.jar for Java中找到最新的方法;1.添加Cookie(Cookie Cookie)2。addCookie(HttpServletResponse,Cookie Cookie)
HttpCookie cookies=new HttpCookies("key",Sanitizer.GetSafeHtml(value));