Improper Neutralization of CRLF Sequences in HTTP Headers number 2

[s-b-repo]

Unsanitized input from data from a remote resource flows into setHeader and reaches an HTTP header returned to the user. This may allow a malicious input that contain CR/LF to split the http response into two responses and the second response to be controlled by the attacker. This may be used to mount a range of attacks such as cross-site scripting or cache poisoning.

router/java/src/org/cybergarage/upnp/Device.java#L485)

functions causing issues
ssdpRes.setST
ssdpReq.setUSN
ssdpReq.setNT
childDevice.announce
announce
device

########################################################
return null;
Node devNode = rootNode.getNode(Device.ELEM_NAME);
if (devNode == null)
return null;
return new Device(rootNode, devNode);
###################################################
Node devNode = getDeviceNode();
Node aux = null;
//
aux = devNode.getParentNode().getParentNode();
return new Device(aux);
######################################################
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
######################################################
ssdpReq.setUSN(devUSN);
ssdpSock.post(ssdpReq);

		String devUDN = getUDN();
		ssdpReq.setNT(devUDN);

#########################################################
ssdpSock.post(ssdpReq);

		String devUDN = getUDN();
		ssdpReq.setNT(devUDN);
		ssdpReq.setUSN(devUDN);

#############################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
#############################################################
ServiceList serviceList = getServiceList();
int serviceCnt = serviceList.size();
for (int n = 0; n < serviceCnt; n++) {
Service service = serviceList.getService(n);
service.announce(bindAddr);
#############################################################
DeviceList childDeviceList = getDeviceList();
int childDeviceCnt = childDeviceList.size();
for (int n = 0; n < childDeviceCnt; n++) {
Device childDevice = childDeviceList.getDevice(n);
childDevice.announce(bindAddr);
##############################################################
if (bindAddresses[j] == null || bindAddresses[j].length() == 0)
continue;
int ssdpCount = getSSDPAnnounceCount();
for (int i = 0; i < ssdpCount; i++)
announce(bindAddresses[j]);
##############################################################
// uuid:device-UUID(::upnp:rootdevice)*
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
###############################################################
if (isRootDevice() == true) {
String devNT = getNotifyDeviceNT();
String devUSN = getNotifyDeviceUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
################################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
#######################################################
// uuid:device-UUID::urn:schemas-upnp-org:device:deviceType:v
String devNT = getNotifyDeviceTypeNT();
String devUSN = getNotifyDeviceTypeUSN();
ssdpReq.setNT(devNT);
ssdpReq.setUSN(devUSN);
###############################################
SSDPSearchResponse ssdpRes = new SSDPSearchResponse();
ssdpRes.setLeaseTime(getLeaseTime());
ssdpRes.setDate(cal);
ssdpRes.setST(st);