c# – How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

After running VeraCode, it reported the following error on the code snippet below: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')":

    protected override void InitializeCulture() {
        //If true then setup the ability to have a different culture loaded
        if (AppSettings.SelectLanguageVisibility) {
            //Create cookie variable and check to see if that cookie exists and set it if it does.
            HttpCookie languageCookie = new HttpCookie("LanguageCookie");
            if (Request.Cookies["LanguageCookie"] != null)
                languageCookie = Request.Cookies["LanguageCookie"];

            //Check to see if the user is changing the language using a query string.
            if (Server.UrlDecode(Request.QueryString["l"]) != null)
                languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

            //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
            if (languageCookie.Value == null)
                languageCookie.Value = string.Empty;
            string culture = languageCookie.Value.ToString();
            if (string.IsNullOrEmpty(culture))
                culture = "auto";

            //Use to set the Culture and UI Culture.
            this.UICulture = culture;
            this.Culture = culture;
            if (culture != "auto") {
                //If culture is changed set the new CurrentCulture and CurrentUICulture.
                System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
                System.Threading.Thread.CurrentThread.CurrentCulture = ci;
                System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
            }

            //Update the cookie value with the new culture and initialize the culture.
            Response.Cookies.Set(languageCookie);
            Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
            Response.Cookies["LanguageCookie"].HttpOnly = true;
        }
        else {
            //Else keep language as English if localization is not enabled.
            this.UICulture = "en";
            this.Culture = "en";
        }
        base.InitializeCulture();
    }

The report points to the line containing this code: Response.Cookies.Set(languageCookie);
What fix can be used to eliminate that error?

Thanks

Solution

I believe the problem is because of this line

    languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

accepts (untrusted) user input (i.e. Request.QueryString["l"]).
Try adding a function call that removes any carriage return or line feed characters (including their encoded equivalents, such as \r and \n) before that query string parameter is stored in languageCookie.

For example, you could try changing that line to:

    languageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
                               .Replace("\r", string.Empty)
                               .Replace("%0d", string.Empty)
                               .Replace("%0D", string.Empty)
                               .Replace("\n", string.Empty)
                               .Replace("%0a", string.Empty)
                               .Replace("%0A", string.Empty);

That should sanitize it, though (I'm not a C# programmer at the moment).

See also

> http://en.wikipedia.org/wiki/HTTP_response_splitting
> http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
> https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)
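An allow-list is the fix a reviewer would rather see than the character blacklist above: a culture name is a small, known set of values, so anything that is not a recognised culture can simply be rejected, and CR, LF and their percent-encoded forms fall out with it. Two details of the question's code are worth noting in passing. Request.QueryString already returns the URL-decoded value, so the extra Server.UrlDecode decodes a second time (a literal %250d in the URL becomes %0d after the second pass), and the cookie read back from the request is just as user-controlled as the query string, so it needs the same validation. The following is an added example, not code from the original post; the allowed-culture list, the CultureSelection class name and the idea of loading the list from configuration are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Web;

// Added example, not the original poster's code. Validates the "l" query
// parameter and the existing cookie against an allow-list of culture names
// before either value reaches a Set-Cookie header.
public static class CultureSelection
{
    private const string CookieName = "LanguageCookie";

    // Cultures this application is willing to serve. Assumption: a real
    // application would load this from configuration. "auto" keeps the
    // sentinel value the question's code already uses.
    private static readonly HashSet<string> AllowedCultures =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "auto", "en", "en-US", "en-GB", "fr-FR", "de-DE", "es-ES"
        };

    // Returns the canonical culture name to use, or null if the input is not
    // an acceptable culture. Rejecting rather than stripping means a value
    // containing CR/LF (or anything else unexpected) never gets stored.
    public static string NormalizeCulture(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
            return null;

        string candidate = raw.Trim();

        // Control characters are what turn one header into two; fail closed.
        if (candidate.Any(char.IsControl))
            return null;

        if (!AllowedCultures.Contains(candidate))
            return null;

        if (candidate.Equals("auto", StringComparison.OrdinalIgnoreCase))
            return "auto";

        try
        {
            // Emit the framework's own canonical spelling (e.g. "EN-us" -> "en-US"),
            // so the cookie only ever carries a name CultureInfo produced.
            return CultureInfo.GetCultureInfo(candidate).Name;
        }
        catch (CultureNotFoundException)
        {
            return null;
        }
    }

    // Replacement for the cookie handling in InitializeCulture(): resolves the
    // culture, writes the validated value back as the cookie, and returns it
    // so the caller can assign Culture/UICulture.
    public static string ResolveCulture(HttpRequest request, HttpResponse response)
    {
        // Query string wins when present and valid. Note: QueryString is already
        // URL-decoded, so the value is read once and not decoded again.
        string culture = NormalizeCulture(request.QueryString["l"]);

        // The cookie is user-controlled too and gets the same validation.
        if (culture == null)
        {
            HttpCookie existing = request.Cookies[CookieName];
            if (existing != null)
                culture = NormalizeCulture(existing.Value);
        }

        if (culture == null)
            culture = "auto";

        HttpCookie cookie = new HttpCookie(CookieName, culture)
        {
            Expires = DateTime.Now.AddYears(1),
            HttpOnly = true,
            Secure = request.IsSecureConnection
        };
        response.Cookies.Set(cookie);
        return culture;
    }
}
```

In InitializeCulture() the body of the if block then reduces to `string culture = CultureSelection.ResolveCulture(Request, Response);` followed by the existing assignments to UICulture, Culture and the thread cultures. Because culture can only ever be "auto" or a name that came out of CultureInfo, the `new CultureInfo(culture)` call can no longer throw on attacker-supplied input either, which removes a second, unrelated failure mode from the same code path.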
