
I have a VB.NET application which had a security scan and two CRLF injection flaws were identified. Can someone please help me to fix the flaw? The code is as below

  1. In a code-behind .vb file

    Dim strFileName As String = Path.GetFileName(FName).Replace(" ", "%20")
    Response.ContentType = "application/octet-stream" ' Flaw identified in this line
    Response.AddHeader("Content-Disposition", ("attachment; filename=" + strFileName))
    Response.Clear()
    Response.WriteFile(FName)
    Response.End()

  2. In an .aspx page

    <%
        Response.Clear()
        Response.ContentType = "application/force-download"
        Response.AppendHeader("Content-Disposition", "attachment; filename=""" &
        Request.QueryString("filename") & """")  ' flaw identified at this line
        Response.Buffer = True
        Response.Flush()
        Response.WriteFile(Request.QueryString("path"))
        Response.End()
    %>

    a) You wouldn't need to replace the strings in 1. if you used quotes around the filename like you do in 2. b) Veracode might be confused. c) The string concatenation operator in VB is `&`, not `+`. d) You should not be using aspx pages for file downloads - a generic handler (.ashx) works better. e) In 2., are you really intending to allow hackers to download any file that your web site has file access to? f) Using Response.End like that will stop some browsers from being able to download the file. – Andrew Morton Apr 06 '18 at 11:56
  • ... and g) [Utility of HTTP header “Content-Type: application/force-download” for mobile?](https://stackoverflow.com/a/10616753/1115360). – Andrew Morton Apr 06 '18 at 11:59
  • Hi Andrew, Many thanks for your reply. The below code should do? `Dim strFileName As String = Server.UrlEncode(Path.GetFileName(FName))` `Response.ContentType = "application/octet-stream"` `Response.AddHeader("Content-Disposition", ("attachment; filename=" & strFileName))` `Response.Clear()` `Response.WriteFile(FName)` `Response.End()` – ssuhas76 Apr 08 '18 at 20:11
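One way to close the flaw the scanner reports in both snippets, as an added example that is not code from the question or from ASP.NET: the untrusted name (`Path.GetFileName(FName)` or `Request.QueryString("filename")` in the question) is stripped of control characters and header delimiters before it is placed in `Content-Disposition`. The helper names `SafeFileName` and `BuildDisposition` are hypothetical.

```vbnet
' Added example: sanitise an untrusted file name before it reaches the
' Content-Disposition header. SafeFileName and BuildDisposition are
' hypothetical helper names, not part of the question's project.
Imports System
Imports System.Text
Imports System.Text.RegularExpressions

Public Module DownloadHeaders

    ' Removes ASCII control characters (CR and LF among them, which is the
    ' CRLF-injection vector), the header-breaking characters " and ;, and
    ' any directory part, leaving only a plain file name.
    Public Function SafeFileName(untrusted As String) As String
        If String.IsNullOrWhiteSpace(untrusted) Then Return "download"
        Dim cleaned As String = Regex.Replace(untrusted, "[\x00-\x1F\x7F"";]", "")
        ' Keep only the last path segment, whichever separator was used.
        Dim lastSep As Integer = cleaned.LastIndexOfAny(New Char() {"/"c, "\"c})
        If lastSep >= 0 Then cleaned = cleaned.Substring(lastSep + 1)
        cleaned = cleaned.Trim()
        If cleaned.Length = 0 OrElse cleaned = "." OrElse cleaned = ".." Then Return "download"
        Return cleaned
    End Function

    ' Builds the header value per RFC 6266: an ASCII-only quoted filename=
    ' for old clients plus filename*= with the UTF-8 name percent-encoded.
    Public Function BuildDisposition(untrusted As String) As String
        Dim name As String = SafeFileName(untrusted)
        Dim ascii As New StringBuilder()
        For Each ch As Char In name
            ascii.Append(If(AscW(ch) < 128, ch, "_"c))
        Next
        ' Uri.EscapeDataString percent-encodes everything outside the
        ' unreserved set, so no raw control or separator bytes survive.
        Return "attachment; filename=""" & ascii.ToString() & _
               """; filename*=UTF-8''" & Uri.EscapeDataString(name)
    End Function

End Module
```

In the question's code-behind the header line becomes `Response.AddHeader("Content-Disposition", BuildDisposition(FName))`. ASP.NET's own header checking (on by default) also neutralises CR and LF in header values, but the scanner flags the unvalidated flow from request input to header, so the input itself is what to validate.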
