Author: dejanb Date: Tue Feb 23 10:21:13 2010 New Revision: 915269 URL: http://svn.apache.org/viewvc?rev=915269&view=rev Log: https://issues.apache.org/activemq/browse/AMQ-2613 - fix XSS security problem in web console Modified: activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp activemq/trunk/activemq-web-console/src/main/webapp/message.jsp activemq/trunk/activemq-web-console/src/main/webapp/queueConsumers.jsp activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp activemq/trunk/activemq-web-console/src/main/webapp/send.jsp activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java Modified: activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag Tue Feb 23 10:21:13 2010 
@@ -17,6 +17,8 @@ <%@ attribute name="text" type="java.lang.String" required="true" %> <%@ attribute name="length" type="java.lang.Integer" required="false" %> <% + text = org.apache.commons.lang.StringEscapeUtils.escapeHtml(text); + text = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(text); if (length == null) length = 20; if (text.length() <= 20) { Modified: activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag Tue Feb 23 10:21:13 2010 @@ -19,10 +19,12 @@ <% String value = request.getParameter(name); if (value == null || value.trim().length() == 0) { - value = defaultValue; - } - if (value == null) { - value = ""; - } + value = defaultValue; + } + if (value == null) { + value = ""; + } + value = org.apache.commons.lang.StringEscapeUtils.escapeHtml(value); + %> Modified: activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/browse.jsp Tue Feb 23 10:21:13 2010 @@ -39,7 +39,7 @@ -" title="${row.properties}">${row.JMSMessageID} ${row.JMSCorrelationID} @@ -49,7 +49,7 @@ ${row.JMSType} - Delete + &messageId=${row.JMSMessageID}">Delete @@ -57,7 +57,7 @@
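Review bot: Chaining `escapeJavaScript` after `escapeHtml` on the same `text` in short.tag double-encodes the value: escapeJavaScript backslash-escapes `/`, `'` and `\`, so any text containing a slash or apostrophe (destination names, message properties) is rendered with stray backslashes, and where the tag's output lands in an HTML context the second pass adds nothing to safety. Use one encoder for the context the tag writes into (`escapeHtml` covers element text and double-quoted attributes) and, where the same value is also needed inside a script string, escape it separately at that sink. The escaping also runs before `if (text.length() <= 20) {` and the truncation that follows (outside the hunk), so the length now counts entities such as `&lt;` and a cut can land inside one; apply the escaping to the truncated result instead. As a side note, that check compares against the literal `20` rather than the `length` attribute the preceding line just defaulted.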
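Review bot: `StringEscapeUtils.escapeHtml` (commons-lang 2) does not encode the apostrophe, so the escaped `value` in text.tag is only safe if the markup that renders it, which lies past the end of the hunk, emits it as element text or inside a double-quoted attribute; if the input is rendered with single-quoted attributes or inside a script, switch to `<c:out value="${value}"/>` or `fn:escapeXml`, which also encode `'`. Four of the six `+` lines are re-indented copies of the four `-` lines directly above them; keeping whitespace-only reindentation out of a security fix leaves the one substantive line, `value = org.apache.commons.lang.StringEscapeUtils.escapeHtml(value);`, visible in the history.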
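Review bot: `${row.JMSMessageID}` is still concatenated raw into the `&messageId=` query string of the Delete link in browse.jsp, so only the destination part of this URL is now escaped; a value containing `&`, `#`, `"` or whitespace still breaks or alters the link. Build these links with `<c:url>` and `<c:param>`, which URL-encode every parameter value, rather than by string concatenation; the same applies to the Delete/Copy/Move links in message.jsp, the Browse, Active Consumers, feed, Send To, Purge and Delete links in queues.jsp, and the Send To/Delete links in topics.jsp. In message.jsp the Copy and Move URLs are additionally placed inside a JavaScript string in an attribute (the `')">` tail), where HTML escaping does not cover the JavaScript string context and the value needs a JS-string escape at that sink. The opening `<a>` tags are not visible in these hunks, so the attribute quoting could not be checked here.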
-View Consumers +">View Consumers
Modified: activemq/trunk/activemq-web-console/src/main/webapp/message.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/message.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/message.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/message.jsp Tue Feb 23 10:21:13 2010 @@ -130,16 +130,16 @@ - Delete + &messageId=${row.JMSMessageID}">Delete - Copy + &messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Copy @@ -147,7 +147,7 @@ - Move + &messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Move Modified: activemq/trunk/activemq-web-console/src/main/webapp/queueConsumers.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/queueConsumers.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/queueConsumers.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/queueConsumers.jsp Tue Feb 23 10:21:13 2010 @@ -16,11 +16,11 @@ --%> -Consumers for ${requestContext.queueConsumerQuery.JMSDestination} +Consumers for <c:out value="${requestContext.queueConsumerQuery.JMSDestination}" /> -

Active Consumers for ${requestContext.queueConsumerQuery.JMSDestination}

+

Active Consumers for

Modified: activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/queues.jsp Tue Feb 23 10:21:13 2010 @@ -48,22 +48,23 @@ + - + Modified: activemq/trunk/activemq-web-console/src/main/webapp/send.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/send.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/send.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/send.jsp Tue Feb 23 10:21:13 2010 @@ -37,7 +37,7 @@ - + Modified: activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java (original) +++ activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java Tue Feb 23 10:21:13 2010 @@ -172,6 +172,7 @@ @SuppressWarnings("unchecked") public Collection getQueueConsumers(String queueName) throws Exception { String brokerName = getBrokerName(); + queueName = StringUtils.replace(queueName, "\"", "_"); ObjectName query = new ObjectName("org.apache.activemq:BrokerName=" + brokerName + ",Type=Subscription,destinationType=Queue,destinationName=" + queueName + ",*"); Set queryResult = getManagementContext().queryNames(query, null);
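Review bot: `queueName = StringUtils.replace(queueName, "\"", "_");` only neutralises the double quote, but the `ObjectName` built on the next lines by string concatenation also gives meaning to `,`, `=` and `:` (extra or altered key properties) and to the pattern wildcards `*` and `?`, so a queue name carrying any of those still changes which subscriptions the query returns or throws `MalformedObjectNameException`. Since the broker encodes destination names when it registers their MBeans, the query should apply the same encoding (presumably the project's `JMXSupport.encodeObjectNamePart`, if it is in scope here) rather than a one-character blacklist; at minimum the replacement should cover the characters above. A comment such as `// queueName is caller-supplied; encode it exactly as the MBean was registered` would make the intent clear. The body of `getQueueConsumers` continues past the end of the hunk.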
"> ${row.queueSize} ${row.consumerCount} ${row.enqueueCount} ${row.dequeueCount} - Browse - Active Consumers
- - + ">Browse + ">Active Consumers
+ ?view=rss&feedType=atom_1.0" title="Atom 1.0"> + ?view=rss&feedType=rss_2.0" title="RSS 2.0">
- Send To - Purge - Delete + &JMSDestinationType=queue">Send To + &JMSDestinationType=queue">Purge + &JMSDestinationType=queue">Delete
- + Modified: activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp URL: http://svn.apache.org/viewvc/activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp?rev=915269&r1=915268&r2=915269&view=diff ============================================================================== --- activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp (original) +++ activemq/trunk/activemq-web-console/src/main/webapp/topics.jsp Tue Feb 23 10:21:13 2010 @@ -46,13 +46,13 @@
&JMSDestinationType=topic"> ${row.consumerCount} ${row.enqueueCount} ${row.dequeueCount} - Send To - Delete + &JMSDestinationType=topic">Send To + &JMSDestinationType=topic">Delete