HTTP Headers (CWE ID 113) 中 CRLF 序列的不当中和
Improper Neutralization of CRLF Sequences in HTTP Headers (CWE ID 113)
任何人都知道如何解决这个 veracode 问题 (CWE 113)
我已经在下面尝试过 link 但它不起作用。
下面是我遇到问题的函数。
protected void Page_Load(object sender, EventArgs e)
{
_presenter = new VwCSVPresenter(this);
this._presenter.OnViewLoaded();
Response.ContentType = CONTENT_TYPE;
Response.Clear();
if (!string.IsNullOrEmpty(this.FileName))
{
// name the local file the user will download
var localFileName = Request.QueryString[QS_MODULE];
//test1: var localFileName = Regex.Replace(Request.QueryString[QS_MODULE], @"\n|\r|%0d|%0D|%0a|%0A", string.Empty);
//test2: tried the same with string Replace eg:
//var localFileName = Request.QueryString[QS_MODULE].Replace("\r", string.Empty)
//.Replace("%0d", string.Empty)
//.Replace("%0D", string.Empty)
//.Replace("\n", string.Empty)
//.Replace("%0a", string.Empty)
//.Replace("%0A", string.Empty);
if (!string.IsNullOrEmpty(localFileName))
localFileName += CSV_EXTENSION;
Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, localFileName));
Response.TransmitFile(this.FileName);
}
Response.End();
}
我已通过为 localFieName 添加 Server.UrlEncode() 解决了我的问题,Varacode 清除了错误。
Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, Server.UrlEncode(localFileName)));
任何人都知道如何解决这个 veracode 问题 (CWE 113)
我已经在下面尝试过 link 但它不起作用。
下面是我遇到问题的函数。
protected void Page_Load(object sender, EventArgs e)
{
_presenter = new VwCSVPresenter(this);
this._presenter.OnViewLoaded();
Response.ContentType = CONTENT_TYPE;
Response.Clear();
if (!string.IsNullOrEmpty(this.FileName))
{
// name the local file the user will download
var localFileName = Request.QueryString[QS_MODULE];
//test1: var localFileName = Regex.Replace(Request.QueryString[QS_MODULE], @"\n|\r|%0d|%0D|%0a|%0A", string.Empty);
//test2: tried the same with string Replace eg:
//var localFileName = Request.QueryString[QS_MODULE].Replace("\r", string.Empty)
//.Replace("%0d", string.Empty)
//.Replace("%0D", string.Empty)
//.Replace("\n", string.Empty)
//.Replace("%0a", string.Empty)
//.Replace("%0A", string.Empty);
if (!string.IsNullOrEmpty(localFileName))
localFileName += CSV_EXTENSION;
Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, localFileName));
Response.TransmitFile(this.FileName);
}
Response.End();
}
我已通过为 localFieName 添加 Server.UrlEncode() 解决了我的问题,Varacode 清除了错误。
Response.AppendHeader(HTTP_HEADER_CONTENT_NAME, string.Format(HTTP_HEADER_CONTENT_VALUE, Server.UrlEncode(localFileName)));