[Esapi-user] SecurityWrapperResponse::addHeader too short
Greene, Geoffrey N
geoffrey.n.greene at boeing.com
Wed Jan 13 17:57:35 UTC 2016
Running ESAPI 2.1.0 in a spring security environment
I notice that SecurityWrapperResponse::setHeader has the following line in it:
String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
However, if the header name is "X-Content-Type-Options" (which is a legitimate Header name), this will fail (and does for me) because it is greater than 20 characters
Heck, Content-Security-Policy-Report-Only is 36 characters. 20 seems small, and relatively arbitrary
Is there any legitimate reason why this number is hardcoded? Spring-security uses the X-Content-Type-Options header when you have an xml file that looks like this:
I can override SecurityWrapperResponse, but I am a bit surprised that it is necessary.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-user