fix another possible crlf injection, see issue #320

2026-03-31 01:10:19 +02:00 · 2013-01-28 13:20:22 +01:00
parent 500a082a3f
commit e8e288ccf0
3 changed files with 39 additions and 2 deletions
--- a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
@@ -243,7 +243,6 @@ public class HttpUtil
   *
   * @param parameter value
   *
-   * @return true if the request comes from the web interface.
   * @since 1.28
   */
  public static void checkForCRLFInjection(String parameter)
@@ -350,6 +349,22 @@ public class HttpUtil
    return url;
  }

+  /**
+   * Remove all chars from the given parameter, which could be used for
+   * CRLF injection attack. <stronng>Note:</strong> the current implementation
+   * the "%" char is also removed from the source parameter.
+   *
+   * @param parameter value
+   *
+   * @return the parameter value without crlf chars
+   *
+   * @since 1.28
+   */
+  public static String removeCRLFInjectionChars(String parameter)
+  {
+    return CRLF_CHARMATCHER.removeFrom(parameter);
+  }
+
  /**
   * Method description
   *