I am using a static analysis tool that finds bugs and reports a warning on the following code:
response.sendRedirect(response.encodeRedirectURL(redirectToXXX));
the warning says:
This code directly writes an HTTP parameter to an HTTP header, which
allows for a HTTP response splitting vulnerability.
But when I do it like this:
redirectToXXX = java.net.URLEncoder.encode(redirectToXXX.toString(), "ISO-8859-1");
response.sendRedirect(response.encodeRedirectURL(redirectToXXX));
the warning disappears.
What I don't understand is that encodeRedirectURL is supposed to encode the URL if necessary, so why does it generate a warning then, and why does the warning go away when the value is encoded with URLEncoder.encode?
I believe that in the second case the warning disappears because URLEncoder.encode removes CR and LF that could be contained in the parameter you are taking from the request. You might want to read this to understand the background of the HTTP response splitting vulnerability.
I believe also that since the call to URLEncoder.encode returns a new object, FindBugs doesn't trace that variable back to the HTTP request content, so it considers it safe.
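The distinction the answer draws, shown in an added example that is neither the asker's nor the answerer's code: encodeRedirectURL only performs session-id URL rewriting and leaves CR/LF untouched, while URLEncoder.encode percent-encodes them but also encodes "/" and ":", so it is form encoding rather than a redirect-safe sanitizer. The requireSafeRedirectTarget helper and its local-path-only policy are assumptions made for this example.

```java
import java.net.URLEncoder;

public class RedirectTargetCheck {

    // Hypothetical helper: rejects a redirect target that could break out of
    // the Location header (control characters) or leave the site (open
    // redirect). Returns the value unchanged when it passes, otherwise throws.
    static String requireSafeRedirectTarget(String target) {
        if (target == null || target.isEmpty()) {
            throw new IllegalArgumentException("empty redirect target");
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // CR (0x0D) and LF (0x0A) are what make header injection and
            // response splitting possible; reject every control character.
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character in redirect target");
            }
        }
        // Policy assumed here: only a single-slash local path such as
        // "/account" is accepted; "//host" and "http://host" are refused.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            throw new IllegalArgumentException("redirect target must be a local path");
        }
        return target;
    }

    public static void main(String[] args) throws java.io.UnsupportedEncodingException {
        // Constructed sample: a parameter value carrying a CR/LF pair followed
        // by text shaped like a second header line.
        String tainted = "/home\r\nX-Injected: 1";

        // URLEncoder turns CR into %0D, LF into %0A, '/' into %2F and ':' into
        // %3A, so nothing can start a new header line, but "/home" is no longer
        // the path "/home" either: the redirect target itself has been altered.
        String formEncoded = URLEncoder.encode(tainted, "ISO-8859-1");
        System.out.println("form-encoded: " + formEncoded);

        // Validating the value explicitly keeps the header intact and keeps the
        // intended path readable, instead of relying on encoding as a side effect.
        try {
            requireSafeRedirectTarget(tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + requireSafeRedirectTarget("/account/settings"));
    }
}
```

In a servlet you would call response.sendRedirect(response.encodeRedirectURL(requireSafeRedirectTarget(param))) so that encodeRedirectURL still does its session-rewriting job on a value that has already been validated.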