Introduced protections against HTTP header injection / smuggling attacks

2025-08-26 14:19:24 +00:00 · 2025-07-10 15:43:28 +00:00 · 2025-07-10 15:43:28 +00:00 · 7782407394
commit 7782407394
parent 977f91b0bc
1 changed files with 2 additions and 1 deletions
--- a/proprietary/src/main/java/stirling/software/proprietary/security/service/JWTService.java
+++ b/proprietary/src/main/java/stirling/software/proprietary/security/service/JWTService.java
@ -1,5 +1,6 @@
 package stirling.software.proprietary.security.service;

+import io.github.pixee.security.Newlines;
 import java.security.KeyPair;
 import java.util.Date;
 import java.util.HashMap;
@ -150,7 +151,7 @@ public class JWTService implements JWTServiceInterface {

    @Override
    public void addTokenToResponse(HttpServletResponse response, String token) {
-        response.setHeader(AUTHORIZATION_HEADER, BEARER_PREFIX + token);
+        response.setHeader(AUTHORIZATION_HEADER, Newlines.stripAll(BEARER_PREFIX + token));

        ResponseCookie cookie =
                ResponseCookie.from(JWT_COOKIE_NAME, token)