c# - How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

Question

After running VeraCode, it reported a following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragment:

protected override void InitializeCulture() {
        //If true then setup the ability to have a different culture loaded
        if (AppSettings.SelectLanguageVisibility) {
            //Create cookie variable and check to see if that cookie exists and set it if it does.
            HttpCookie languageCookie = new HttpCookie("LanguageCookie");
            if (Request.Cookies["LanguageCookie"] != null)
                languageCookie = Request.Cookies["LanguageCookie"];

            //Check to see if the user is changing the language using a query string.
            if (Server.UrlDecode(Request.QueryString["l"]) != null)
                languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

            //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
            if (languageCookie.Value == null)
                languageCookie.Value = string.Empty;

            string culture = languageCookie.Value.ToString();
            if (string.IsNullOrEmpty(culture))
                culture = "Auto";

            //Use to set the Culture and UI Culture.
            this.UICulture = culture;
            this.Culture = culture;
            if (culture != "Auto") {
                //If culture is changed set the new Current Culture and CurrentUICulture.
                System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
                System.Threading.Thread.CurrentThread.CurrentCulture = ci;
                System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
            }

            //Update the cookie value with the new culture and initialize the culture.
            Response.Cookies.Set(languageCookie);
            Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
            Response.Cookies["LanguageCookie"].HttpOnly = true;
        }
        else {
            //Else keep language as English if localization is not enabled.
            this.UICulture = "en";
            this.Culture = "en";
        }

        base.InitializeCulture();
    }

The report points to the line containing following code:Response.Cookies.Set(languageCookie); What fix can be used to eliminate that error?

Thank's

Answer 1

The easiest way to remove this issue is to use ESAPI httputilities present in esapi jar. You can use

ESAPI.httpUtilities().setHeader(response,param,value);
ESAPI.httpUtilities().addCookies(response, param,value);

and similar methods for other tasks. You will need to have ESAPI.properrties set in you classpath. This is the way we implemented for Java. Same features are available for other languages too.

No additional work is required and it will solve the issue in veracode.