portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Santiago Gala <sg...@apache.org>
Subject Re: svn commit: r513987 - in /portals/jetspeed-2/trunk: components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java src/webapp/WEB-INF/web.xml
Date Sat, 10 Mar 2007 20:54:24 GMT
I'm not sure where the problem was coming from, last time I used
jetspeed I couldn't make sense of the hidden form in the pages, but my
guess is that the solution should not come from filtering negatively
output to this form.

A common norm about html sanitization is that it should be done
positively, i.e., allowing explicitly whatever is needed, and never
negatively, because it is far easier to leave a hole that will be used
for a new attack.

Anybody can explain what is this hidden form, where the attack is
performed, for? what output is expected there?...

Regards
Santiago

El vie, 02-03-2007 a las 22:06 +0000, ate@apache.org escribió:
> Author: ate
> Date: Fri Mar  2 14:06:45 2007
> New Revision: 513987
> 
> URL: http://svn.apache.org/viewvc?view=rev&rev=513987
> Log:
> Simple fix for blocking issue JS2-626: Cross-Site Scripting (XSS) vulnerability.
> The reported vulnerability is now resolved: in case of such an attack, HTTP Status 400
(SC_BAD_REQUEST) will be returned.
> 
> Added:
>     portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
  (with props)
> Modified:
>     portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
> 
> Added: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?view=auto&rev=513987
> ==============================================================================
> --- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(added)
> +++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Fri Mar  2 14:06:45 2007
> @@ -0,0 +1,63 @@
> +/*
> + * Copyright 2007 The Apache Software Foundation.
> + *
> + * Licensed under the Apache License, Version 2.0 (the  "License"); 
> + * you may not use this file except in compliance with the License. 
> + * You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS" 
> + * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
> + * See the License for the specific language governing permissions and 
> + * limitations under the License.
> + */
> +package org.apache.jetspeed.engine.servlet;
> +
> +import java.io.IOException;
> +
> +import javax.servlet.Filter;
> +import javax.servlet.FilterChain;
> +import javax.servlet.FilterConfig;
> +import javax.servlet.ServletException;
> +import javax.servlet.ServletRequest;
> +import javax.servlet.ServletResponse;
> +import javax.servlet.http.HttpServletRequest;
> +import javax.servlet.http.HttpServletResponse;
> +
> +/**
> + * Simple XXS Url attack protection blocking access whenever the request url contains
a &lt; or &gt; character.
> + * @version $Id$
> + * 
> + */
> +public class XXSUrlAttackFilter implements Filter
> +{
> +    public void init(FilterConfig config) throws ServletException
> +    {
> +    }
> +
> +    public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException,
> +            ServletException
> +    {
> +        if (request instanceof HttpServletRequest)
> +        {
> +            HttpServletRequest hreq = (HttpServletRequest) request;
> +            if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI()))
> +            {
> +                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
> +            }
> +        }
> +        chain.doFilter(request, response);
> +    }
> +
> +    private boolean isInvalid(String value)
> +    {
> +        return (value != null && (value.indexOf('<') != -1 || value.indexOf('>')
!= -1 || value.indexOf("%3e") != -1
> +                || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3E")
!= -1));
> +    }
> +
> +    public void destroy()
> +    {
> +    }
> +}
> 
> Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> ------------------------------------------------------------------------------
>     svn:eol-style = native
> 
> Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> ------------------------------------------------------------------------------
>     svn:keywords = Id
> 
> Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
> URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=513987&r1=513986&r2=513987
> ==============================================================================
> --- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
> +++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Fri Mar  2 14:06:45 2007
> @@ -32,6 +32,11 @@
>    </context-param>
>        
>    <filter>
> +    <filter-name>XXSUrlAttackFilter</filter-name>
> +    <filter-class>org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter</filter-class>
> +  </filter>
> +  
> +  <filter>
>        <filter-name>staticResourceCachingFilter</filter-name>
>        <filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
>        <init-param>
> @@ -41,9 +46,15 @@
>    </filter>
>  
>    <filter-mapping>
> +    <filter-name>XXSUrlAttackFilter</filter-name>
> +    <url-pattern>/*</url-pattern>
> +  </filter-mapping>    
> +  
> +  <filter-mapping>
>        <filter-name>staticResourceCachingFilter</filter-name>
>        <servlet-name>default</servlet-name>
> -  </filter-mapping>    
> +  </filter-mapping>
> +  
>    <!--
>    <filter>
>      <filter-name>PortalFilter</filter-name>
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message