我有一个 VB.NET 应用程序,它进行了安全扫描并发现了两个 CRLF 注入漏洞。有人可以帮我修复这个缺陷吗?代码如下
在 .vb 文件后面的代码中
Dim strFileName As String = Path.GetFileName(FName).Replace(" ", "%20") Response.ContentType = "application/octet-stream" ' FLaw identified in this line Response.AddHeader("Content-Disposition", ("attachment; filename=" + strFileName)) ' Response.Clear() Response.WriteFile(FName) Response.End()在 aspx 页面中
<% Response.Clear() Response.ContentType = "application/force-download" Response.AppendHeader("Content-Disposition", "attachment; filename=""" & Request.QueryString("filename") & """") ' flaw identified at this line Response.Buffer = True Response.Flush() Response.WriteFile(Request.QueryString("path")) Response.End() %>