From jac...@gmail.com on April 13, 2014 01:59:55
What steps will reproduce the problem? 1. Write a Servlet that uses DefaultHTTPUtilities.getInstance().setHeader(...) to set headers to the response
2. Attempt to write a header with a name longer than 20 characters, such as "Strict-Transport-Security" or "Access-Control-Allow-Origin" What is the expected output? What do you see instead? These headers are standard and not unsafe, so I expect them to pass validation, but they are blocked by what seems to be an arbitrary (and quite low) character limit of 20 characters. What version of the product are you using? On what operating system? 2.1.0 (loaded using maven as dependency of project) because it appears to be the latest stable version as of 4/13/2014.
I am using Tomcat 7.0.41 on Linux, but in this case I think that's irrelevant. Does this issue affect only a specified browser or set of browsers? No. Please provide any additional information below. How can I modify this character limit without forking / modifying the source code? It appears to be hard-coded. Could this at least be increased to a higher default like 32 or 40?
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=326