Question
After R&D I didn't find a solution to this. Please find below the piece of code and help me with this Veracode flaw.
Response.AppendHeader("Content-Disposition"," attachment; filename = " + Session["user_id"] + "_makler.pdf");
DESCRIPTION - A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Answer 1:
You can encode the user input and this will be fixed.
Response.AppendHeader("Content-Disposition", " attachment; filename = " + Server.UrlEncode(Session["user_id"].ToString()) + "_makler.pdf");
Answer 2:
It is a simple issue; just add
Response.AppendHeader("Content-Disposition", " attachment; filename = " + Session["user_id"].ToString().Replace("\n", String.Empty).Replace("\r", String.Empty) + "_makler.pdf");
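Added example, not code from the question or from either answer above. Both answers neutralise the CR/LF that makes response splitting possible: URL-encoding (Answer 1) turns them into %0D%0A, and the Replace chain (Answer 2) removes them. The trade-offs are that URL-encoding also mangles any legitimate characters in the id (a space becomes +, a dot stays, a slash becomes %2f), while removing only "\n" and "\r" leaves other control characters and the quote and semicolon characters, which matter inside a Content-Disposition parameter. The console program below, which needs no System.Web reference so it runs with `dotnet run`, strips every ASCII control character, emits a conservative quoted ASCII filename plus an RFC 5987 filename* parameter, and checks the result against a constructed splitting payload. The helper names (ContentDispositionBuilder, Build, StripControlChars, ContainsLineBreak) and the malicious session value are assumptions for the example. Note that ASP.NET's own header checking (httpRuntime enableHeaderChecking, on by default) already encodes CR and LF in header values, but the scanner flags the data flow regardless, so neutralising the value in code is what clears the finding.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original question or answers): builds a
// Content-Disposition value that cannot carry CR/LF and contrasts it with
// the unsanitised concatenation from the question. Helper names are
// hypothetical; no System.Web dependency, so it runs as a console app.
static class ContentDispositionBuilder
{
    // Removes every ASCII control character (0x00-0x1F and 0x7F), which
    // covers CR and LF plus NUL/tab, rather than only "\r" and "\n".
    static string StripControlChars(string s) =>
        Regex.Replace(s ?? string.Empty, @"[\x00-\x1F\x7F]", string.Empty);

    // Builds: attachment; filename="<ascii fallback>"; filename*=UTF-8''<percent-encoded>
    // The quoted fallback keeps only [A-Za-z0-9._-], so it can never contain
    // a quote, semicolon or line break; filename* (RFC 5987) carries the
    // exact name percent-encoded, which also turns any CR/LF into %0D%0A.
    public static string Build(string userId, string suffix)
    {
        string cleanId = StripControlChars(userId);
        string fileName = cleanId + suffix;

        string asciiFallback = Regex.Replace(fileName, @"[^A-Za-z0-9._-]", "_");
        string encoded = Uri.EscapeDataString(fileName);

        return $"attachment; filename=\"{asciiFallback}\"; filename*=UTF-8''{encoded}";
    }

    // True if the value could split the response: any CR or LF present.
    public static bool ContainsLineBreak(string headerValue) =>
        headerValue.IndexOfAny(new[] { '\r', '\n' }) >= 0;

    static void Main()
    {
        // Constructed malicious session value shaped like a response-splitting
        // payload: a plausible id, then an injected header, then an injected body.
        string maliciousId = "1042\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>";

        // What the original line in the question builds (the vulnerable form).
        string unsafeValue = " attachment; filename = " + maliciousId + "_makler.pdf";
        Console.WriteLine("Unsafe value contains line break: " + ContainsLineBreak(unsafeValue));

        // Hardened form: the line breaks are gone and the quote/semicolon
        // characters cannot reach the quoted parameter.
        string safeValue = Build(maliciousId, "_makler.pdf");
        Console.WriteLine("Safe value contains line break:   " + ContainsLineBreak(safeValue));
        Console.WriteLine(safeValue);
    }
}
```

In the real handler, the returned string is what goes into Response.AppendHeader("Content-Disposition", ...). Browsers that understand filename* use the percent-decoded UTF-8 name and ignore the quoted fallback, so non-ASCII ids still download with a readable name.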
Source: https://stackoverflow.com/questions/31117558/improper-neutralization-of-crlf-sequences-in-http-headers-http-response-splitt