在HTTP标头（CWE ID 113）

Question

人对如何解决这个问题Veracode的想法CRLF序列（CWE 113）的中和不当

我已经尝试下面的链接，但它不工作。

Fix for CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

下面是我有问题的功能。

protected void Page_Load(object sender, EventArgs e) 
     { 
      _presenter = new VwCSVPresenter(this); 
      this._presenter.OnViewLoaded(); 

      Response.ContentType = CONTENT_TYPE; 
      Response.Clear(); 
      if (!string.IsNullOrEmpty(this.FileName)) 
      { 
       // name the local file the user will download 
       var localFileName = Request.QueryString[QS_MODULE]; 
       //test1: var localFileName = Regex.Replace(Request.QueryString[QS_MODULE], @"\n|\r|%0d|%0D|%0a|%0A", string.Empty); 
       //test2: tried the same with string Replace eg: 
       //var localFileName = Request.QueryString[QS_MODULE].Replace("\r", string.Empty) 
           //.Replace("%0d", string.Empty) 
           //.Replace("%0D", string.Empty) 
           //.Replace("\n", string.Empty) 
           //.Replace("%0a", string.Empty) 
           //.Replace("%0A", string.Empty); 

       if (!string.IsNullOrEmpty(localFileName)) 
        localFileName += CSV_EXTENSION; 

       Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, localFileName)); 
       Response.TransmitFile(this.FileName); 
      } 
      Response.End(); 
     } 

Answer 1

我有固定我的问题通过为localFieName添加Server.UrlEncode()和Varacode清除错误。

Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, Server.UrlEncode(localFileName)));