tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardWrapperValve.java
Date Sat, 17 Mar 2001 20:07:42 GMT
craigmcc    01/03/17 12:07:42

  Modified:    catalina/src/share/org/apache/catalina/core
                        StandardWrapperValve.java
  Log:
  For Tomcat 4.0, fix the security vulnerability reported by Hiromitsu
  Takagi.
  
  The problem actually has nothing to do with JSP pages per se -- it is due
  to the fact that the original request URI is included in the response on
  many of the standard error pages produced by Tomcat.  In the case at hand,
  it is the standard message for error 404 (not found).
  
  You can prove that it is not related to JSP by trying *any* URI that
  includes JavaScript code, and triggers a 404, such as:
  
  http://localhost:8080/examples/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz
  
  The fix is to filter the message string included in the response, so that
  characters sensitive to HTML are rendered as their corresponding escape
  sequences (such as translating "<" to "&lt;") so that the browser will
  render them rather than execute them.
  
  WARNING:  Web application error pages that naively display the request URI
  in their output can be subject to this same kind of problem.
  
  Revision  Changes    Path
  1.22      +43 -5     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java
  
  Index: StandardWrapperValve.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- StandardWrapperValve.java	2001/03/17 00:56:57	1.21
  +++ StandardWrapperValve.java	2001/03/17 20:07:41	1.22
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
1.21 2001/03/17 00:56:57 craigmcc Exp $
  - * $Revision: 1.21 $
  - * $Date: 2001/03/17 00:56:57 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
1.22 2001/03/17 20:07:41 craigmcc Exp $
  + * $Revision: 1.22 $
  + * $Date: 2001/03/17 20:07:41 $
    *
    * ====================================================================
    *
  @@ -102,7 +102,7 @@
    * <code>StandardWrapper</code> container implementation.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.21 $ $Date: 2001/03/17 00:56:57 $
  + * @version $Revision: 1.22 $ $Date: 2001/03/17 20:07:41 $
    */
   
   final class StandardWrapperValve
  @@ -622,6 +622,44 @@
   
   
       /**
  +     * Filter the specified message string for characters that are sensitive
  +     * in HTML.  This avoids potential attacks caused by including JavaScript
  +     * codes in the request URL that is often reported in error messages.
  +     *
  +     * @param message The message string to be filtered
  +     */
  +    private String filter(String message) {
  +
  +        if (message == null)
  +            return (null);
  +
  +        char content[] = new char[message.length()];
  +        message.getChars(0, message.length(), content, 0);
  +        StringBuffer result = new StringBuffer(content.length + 50);
  +        for (int i = 0; i < content.length; i++) {
  +            switch (content[i]) {
  +            case '<':
  +                result.append("&lt;");
  +                break;
  +            case '>':
  +                result.append("&gt;");
  +                break;
  +            case '&':
  +                result.append("&amp;");
  +                break;
  +            case '"':
  +                result.append("&quot;");
  +                break;
  +            default:
  +                result.append(content[i]);
  +            }
  +        }
  +        return (result.toString());
  +
  +    }
  +
  +
  +    /**
        * Log a message on the Logger associated with our Container (if any)
        *
        * @param message Message to be logged
  @@ -773,7 +811,7 @@
   	HttpServletResponse hres =
   	    (HttpServletResponse) response.getResponse();
   	int statusCode = hresponse.getStatus();
  -	String message = hresponse.getMessage();
  +	String message = filter(hresponse.getMessage());
   	if (message == null)
   	    message = "";
   
  
  
  

Mime
View raw message