I have a VB.NET application which had a security scan and two CRLF injection flaws were identified. Can someone please help me to fix the flaw? The code is as below
In a code-behind .vb file:

Dim strFileName As String = Path.GetFileName(FName).Replace(" ", "%20")
Response.ContentType = "application/octet-stream"
Response.AddHeader("Content-Disposition", ("attachment; filename=" + strFileName)) ' Flaw identified in this line
' Response.Clear()
Response.WriteFile(FName)
Response.End()
In an .aspx page:

<%
Response.Clear()
Response.ContentType = "application/force-download"
Response.AppendHeader("Content-Disposition", "attachment; filename=""" & Request.QueryString("filename") & """") ' Flaw identified at this line
Response.Buffer = True
Response.Flush()
Response.WriteFile(Request.QueryString("path"))
Response.End()
%>
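Both flagged lines put a caller-controlled string (the file name from `FName`, or straight from `Request.QueryString("filename")`) into a response header without removing the characters that end a header line. A scanner reports that as CRLF injection because a name containing `%0d%0a` could, in principle, start a new header. The usual fix is to build the header value from a sanitised name that cannot contain CR, LF, other control characters or the double quote that closes the `filename="..."` parameter. Below is an added example of that approach, not code from the question; it assumes a `System.Web.HttpResponse` and a physical path that the application has already resolved itself, and the module and function names are made up for this illustration.

```vb
Imports System
Imports System.IO
Imports System.Text.RegularExpressions
Imports System.Web

' Hypothetical helper module for this example; not from the original question.
Public Module SafeDownloadHeaders

    ' CR/LF (\r \n) would terminate the header, other control characters
    ' (0x00-0x1F, 0x7F) are never valid in a header, and a double quote
    ' would close the quoted filename parameter. Strip all of them first,
    ' before Path.* calls, because .NET Framework's Path methods throw on them.
    Private ReadOnly ForbiddenChars As New Regex("[\x00-\x1F\x7F""]")

    ' Returns a file name that is safe to place in a response header.
    Public Function SanitizeFileName(untrusted As String) As String
        If String.IsNullOrEmpty(untrusted) Then Return "download"

        Dim cleaned As String = ForbiddenChars.Replace(untrusted, "")

        ' Replace every character the client's file system would reject.
        ' On Windows this set includes \ / : * ? " < > |, so any directory
        ' part the caller supplied is neutralised as well.
        For Each c As Char In Path.GetInvalidFileNameChars()
            cleaned = cleaned.Replace(c, "_"c)
        Next

        cleaned = cleaned.Trim()
        If cleaned.Length = 0 Then Return "download"
        Return cleaned
    End Function

    ' Builds the full Content-Disposition value. The plain filename= form
    ' is kept for older clients; filename*= (RFC 5987) carries non-ASCII
    ' names percent-encoded, which also replaces the manual " " -> "%20" trick.
    Public Function BuildContentDisposition(untrusted As String) As String
        Dim safeName As String = SanitizeFileName(untrusted)
        Return String.Format("attachment; filename=""{0}""; filename*=UTF-8''{1}",
                             safeName, Uri.EscapeDataString(safeName))
    End Function

    ' Replacement for the download code in both snippets. physicalPath must
    ' come from the application's own mapping, not from the request.
    Public Sub SendFile(response As HttpResponse, physicalPath As String, untrustedName As String)
        response.Clear()
        response.ContentType = "application/octet-stream"
        response.AddHeader("Content-Disposition", BuildContentDisposition(untrustedName))
        response.WriteFile(physicalPath)
        response.End()
    End Sub

End Module

' Usage in the code-behind: SendFile(Response, FName, Path.GetFileName(FName))
' Usage in the .aspx page:  SendFile(Response, resolvedPath, Request.QueryString("filename"))
```

With this in place, `SanitizeFileName("report.pdf" & vbCrLf & "X-Injected: 1")` yields `report.pdfX_ Injected_ 1` rather than a second header line, because the CR/LF pair is dropped and `:` is replaced. ASP.NET's own header checking (`httpRuntime enableHeaderChecking`, on by default) already encodes CR and LF in response headers, but static scanners flag the pattern regardless, and sanitising at the source is what makes the finding go away and keeps the name well formed for the browser.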