[Esapi-user] SecurityWrapperResponse::addHeader too short

Kevin W. Wall kevin.w.wall at gmail.com
Wed Jan 13 19:47:07 UTC 2016
This was just updated in a recent commit I pushed to GitHub which fixed an
issue related to this.

No new release for it yet, but you can grab it from GitHub and build ESAPI
yourself if you need it badly.

-kevin
Sent from my Droid; please excuse typos.
On Jan 13, 2016 1:01 PM, "Greene, Geoffrey N" <geoffrey.n.greene at boeing.com>
wrote:

> Hi!
>
> Running ESAPI 2.1.0 in a spring security environment
>
> I notice that SecurityWrapperResponse::setHeader has the following line in
> it:
>
> String safeName = ESAPI.validator().getValidInput("addHeader",
> strippedName, "HTTPHeaderName", 20, false);
>
> However, if the header name is "X-Content-Type-Options" (which is a
> legitimate header name), this will fail (and does for me) because it is
> greater than 20 characters.
>
> Heck, Content-Security-Policy-Report-Only is 36 characters. 20 seems
> small, and relatively arbitrary.
>
> Is there any legitimate reason why this number is hardcoded?
> Spring-security uses the X-Content-Type-Options header when you have an xml
> file that looks like this:
>
> <security:headers>
>     <security:content-type-options />
> </security:headers>
>
> I can override SecurityWrapperResponse, but I am a bit surprised that it
> is necessary.
>
> Thanks
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
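The check quoted in the thread combines a character whitelist (the "HTTPHeaderName" pattern) with a hard length limit of 20, and it is the length limit, not the whitelist, that rejects names such as X-Content-Type-Options. The following stand-alone class is an added example, not ESAPI's or Spring Security's own code: it separates the two concerns so the limit can be configured, uses an RFC 7230 token pattern as the whitelist (an assumption; ESAPI's own "HTTPHeaderName" regex is not shown on this page), and runs both the 20-character limit from the quoted 2.1.0 code and a larger, assumed limit of 256 over the header names discussed above plus one constructed malformed name.

```java
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI code): validates an HTTP response header name with
 * a configurable maximum length, so the length limit and the character
 * whitelist can be reasoned about separately.
 */
public final class HeaderNameCheck {

    // RFC 7230 "token" characters: visible ASCII minus the delimiters.
    // Assumed whitelist; ESAPI's real "HTTPHeaderName" pattern may differ.
    // Space, CR and LF are not in the class, so the regex rejects them.
    private static final Pattern TOKEN =
            Pattern.compile("^[A-Za-z0-9!#$%&'*+.^_`|~-]+$");

    private final int maxLength;

    public HeaderNameCheck(int maxLength) {
        this.maxLength = maxLength;
    }

    /** True if name is a non-empty RFC 7230 token no longer than maxLength. */
    public boolean isValid(String name) {
        if (name == null || name.isEmpty() || name.length() > maxLength) {
            return false;
        }
        return TOKEN.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: the names from the thread plus one malformed name.
        String[] names = {
            "X-Content-Type-Options",
            "Content-Security-Policy-Report-Only",
            "X-Frame-Options",
            "X-Bad Name"           // contains a space: not a valid token
        };
        HeaderNameCheck limit20 = new HeaderNameCheck(20);   // limit in the quoted 2.1.0 code
        HeaderNameCheck limit256 = new HeaderNameCheck(256); // assumed larger limit

        for (String n : names) {
            System.out.printf("%-40s len=%2d limit20=%-5b limit256=%b%n",
                    n, n.length(), limit20.isValid(n), limit256.isValid(n));
        }
    }
}
```

Run with `javac HeaderNameCheck.java && java HeaderNameCheck`. The first two names fail only under the 20-character limit and pass under the larger one, while the malformed name fails under both, which is the behaviour a wrapper should have: the whitelist does the security work, and the length cap should be generous enough to cover the standard security headers a framework like Spring Security emits.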