Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/integration/security/Attic/SsoHandler.java,v
diff -u -r1.1.2.17 -r1.1.2.18
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java 6 Jul 2016 08:32:20 -0000 1.1.2.17
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java 6 Jul 2016 10:53:10 -0000 1.1.2.18
@@ -98,11 +98,11 @@
 userDTO = user.getUserDTO();
 }
 }
-
+
 // prevent session fixation attack
 // This will become obsolete on Undertow upgrade to version 1.1.10+
 request.changeSessionId();
-
+
 // store session so UniversalLoginModule can access it
 SessionManager.startSession(request);
 
@@ -134,6 +134,19 @@
 * ServletFormAuthenticationMechanism method.
 */
 protected static void handleRedirectBack(ServletRequestContext context, String redirectURL) {
+ /*
+ * Prevent HTTP Response Splitting attack by sanitizing redirectURL.
+ * The attack was possible by changing action of login form to, for example,
+ * "j_security_check?redirectURL=%0d%0aAppScanHeader:%20AppScanValue%2f1%2e2%2d3%0d%0aSecondAppScanHeader:%20whatever"
+ * Putting it in redirectURL form field or using another GET parameter ("something", "j_username") did not work.
+ * The result was a split HTTP response with AppScanHeader and SecondAppScanHeader set, resultint in a security
+ * threat.
+ */
+ if (redirectURL.contains("\n") || redirectURL.contains("\r")) {
+ throw new SecurityException(
+ "redirectURL contains forbidden characters: \\n or \\r. Possible HTTP Response Splitting attack.");
+ }
+
 HttpSessionImpl httpSession = context.getCurrentServletContext().getSession(context.getExchange(), true);
 if (httpSession != null) {
 Session session;
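Review bot: The new guard in handleRedirectBack rejects only a literal CR or LF, so the same attacker-controlled redirectURL can still carry other control characters or an absolute URL to a foreign host; since it is already being validated here, tightening the check to `if (redirectURL == null || redirectURL.chars().anyMatch(Character::isISOControl) || !redirectURL.startsWith("/"))` (or whatever same-origin rule the login flow expects) would cover header injection and open-redirect abuse in one place. As written, a null redirectURL would also throw NullPointerException at `redirectURL.contains("\n")` before the session lookup, if callers can pass null, which is not visible from this hunk. Throwing SecurityException from an authentication mechanism may surface to the user as a server error rather than a 400, so it is worth confirming how the enclosing mechanism maps it. The comment block has a typo, `resultint` should read `resulting`. The body of handleRedirectBack continues past the end of the hunk.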