Added fix-ups to the `Utilities/Adaptors` subfolders specifically to address a vulnerability in parsing, whereby an adversary can directly inject their own headers and content into the web requests going to the application (WO) servers behind the adaptor. The new code returns a `404` on any encounter of a `0x0D` (carriage-return) or a `0x0A` (line-feed) character in the adaptor `translate` functions, and the defined forbidden character set is written in such a way as to be expandable later as necessary. This behavior of returning a `404` error mimics Apache's mitigation of the use of `%2f` in request URLs.

IMPORTANTLY: this URL cleanliness will not usually affect content within query strings, since those characters are not typically expanded by webserver software before reaching the adaptor interface.
Tested and operating in an active production scenario, filtering arbitrary HTTP header injection or URL-based reflection but maintaining normal operation as expected. The most recent commit addresses enabling the protection by default but provides the option to regress to the previous behavior in situations and deployments where it may be considered safe or necessary.
For more information about the problem being fixed, I will post a separate link to my blog for interested users.
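The check the pull request describes, as an added illustration that is not the adaptor's own code and is not taken from the pull request: a small expandable table of forbidden bytes, a translate-stage gate that answers `404` when a raw CR or LF is found in the request path, and a request-line builder that shows why a raw CR/LF in the path lets an attacker start a new header on the forwarded request. It is written in C to match the adaptor sources. All function names (`wo_find_forbidden_byte`, `wo_translate_check`, `wo_format_request_line`, `wo_count_lines`) and the sample URIs are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes that must never appear in a request path handed to the adaptor.
 * CR and LF are the two named in the pull request; this array is the
 * extension point if other bytes need to be forbidden later.
 * (Hypothetical table, not the adaptor's own definition.) */
static const unsigned char wo_forbidden_uri_bytes[] = { 0x0D, 0x0A };

#define WO_STATUS_OK   0
#define WO_STATUS_404  404

/* Return the index of the first forbidden byte in uri[0..len), or -1 if none. */
long wo_find_forbidden_byte(const char *uri, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        for (size_t j = 0; j < sizeof wo_forbidden_uri_bytes; j++) {
            if ((unsigned char)uri[i] == wo_forbidden_uri_bytes[j])
                return (long)i;
        }
    }
    return -1;
}

/* Hypothetical stand-in for the translate step: refuse the request with 404
 * when the raw path contains a forbidden byte, otherwise let it proceed. */
int wo_translate_check(const char *uri)
{
    return wo_find_forbidden_byte(uri, strlen(uri)) < 0 ? WO_STATUS_OK
                                                        : WO_STATUS_404;
}

/* Why the check matters: the request line forwarded to the application
 * server is assembled by concatenation, so a raw CR/LF in the path ends the
 * line early and whatever follows is parsed as a new header. Returns the
 * length written, or -1 on truncation. */
int wo_format_request_line(char *out, size_t cap, const char *method,
                           const char *uri)
{
    int n = snprintf(out, cap, "%s %s HTTP/1.1\r\n", method, uri);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Count CRLF-terminated lines in a buffer: 1 for a well-formed request line. */
int wo_count_lines(const char *buf)
{
    int lines = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *clean   = "/cgi-bin/WebObjects/MyApp.woa/wa/default";
    const char *attack  = "/cgi-bin/WebObjects/MyApp.woa/wa/default\r\nX-Injected: 1";
    const char *encoded = "/cgi-bin/WebObjects/MyApp.woa/wa/default?q=%0D%0AX-Injected:%201";
    char line[256];

    wo_format_request_line(line, sizeof line, "GET", attack);
    printf("clean   -> %d\n", wo_translate_check(clean));
    printf("attack  -> %d (forwarded request would have %d lines)\n",
           wo_translate_check(attack), wo_count_lines(line));
    /* Percent-encoded CR/LF in the query string is not decoded before the
     * adaptor sees it, so the raw-byte check lets it through, as the pull
     * request's note about query strings says. */
    printf("encoded -> %d\n", wo_translate_check(encoded));
    return 0;
}
```

The gate runs on the raw bytes the web server hands over, which is the same reason the description gives for query strings being unaffected: a `%0D%0A` sequence that the server never decodes is just six ordinary characters to this check, while a decoded CR/LF in the path is refused before it can be concatenated into the forwarded request.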