tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util RequestUtil.java
Date Sat, 17 Mar 2001 20:52:50 GMT
craigmcc    01/03/17 12:52:50

  Modified:    src/share/org/apache/tomcat/context Tag: tomcat_32
                        DefaultCMSetter.java
               src/share/org/apache/tomcat/util Tag: tomcat_32
                        RequestUtil.java
  Log:
  For Tomcat 3.2, fix the security vulnerability reported by Hiromitsu
  Takagi.  As with Tomcat 4.0, the problem is not related to JSP
  specifically.  It was caused by the fact that the original request URI was
  included in the standard error page produced by Tomcat for errors like 404
  (not found), which was the illustration in this case.
  
  WARNING:  Web apps that echo the request URI in their responses (either in
  a standard response or in an error page) can be subject to this same kind
  of vulnerability.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.45.2.10 +9 -8      jakarta-tomcat/src/share/org/apache/tomcat/context/Attic/DefaultCMSetter.java
  
  Index: DefaultCMSetter.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/context/Attic/DefaultCMSetter.java,v
  retrieving revision 1.45.2.9
  retrieving revision 1.45.2.10
  diff -u -r1.45.2.9 -r1.45.2.10
  --- DefaultCMSetter.java	2001/03/17 00:26:39	1.45.2.9
  +++ DefaultCMSetter.java	2001/03/17 20:52:49	1.45.2.10
  @@ -173,7 +173,7 @@
   	    .append("</h1>\r\n<b>");
   	buf.append(sm.getString("defaulterrorpage.originalrequest"))
   	    .append("</b> ")
  -	    .append( requestURI );
  +	    .append( RequestUtil.filter(requestURI) );
   
   	if (contextM.getShowDebugInfo()) {
   	    if (res.isIncluded()) {
  @@ -184,7 +184,7 @@
   		buf.append("<br><br>\r\n<b>")
   		    .append(sm.getString("defaulterrorpage.notfoundrequest"))
   		    .append("</b> ")
  -		    .append( requestURI );
  +		    .append( RequestUtil.filter(requestURI) );
   	    }
   	}
   
  @@ -253,14 +253,14 @@
   	buf.append("<h2>")
   	    .append(sm.getString("defaulterrorpage.location"))
   	    .append(" ")
  -	    .append(req.getRequestURI())
  +	    .append(RequestUtil.filter(req.getRequestURI()))
   	    .append("</h2>");
   
   	if ( errorURI != null && contextM.getShowDebugInfo()) {
   	    buf.append("\r\n<h2>")
   		.append(sm.getString("defaulterrorpage.errorlocation"))
   		.append(" ")
  -		.append(errorURI)
  +		.append(RequestUtil.filter(errorURI))
   		.append("</h2>");
   	}
   
  @@ -377,19 +377,19 @@
   	buf.append("<h2>")
   	    .append(sm.getString("defaulterrorpage.location"))
   	    .append(" ")
  -	    .append(req.getRequestURI())
  +	    .append(RequestUtil.filter(req.getRequestURI()))
   	    .append("</h2>");
   
   	if ( sc >= 400 && errorURI != null && contextM.getShowDebugInfo())
{
   	    buf.append("\r\n<h2>")
   		.append(sm.getString("defaulterrorpage.errorlocation"))
   		.append(" ")
  -		.append(errorURI)
  +		.append(RequestUtil.filter(errorURI))
   		.append("</h2>");
   	}
   
   	buf.append("<b>")
  -	    .append(msg)
  +	    .append(RequestUtil.filter(msg))
   	    .append("</b><br>");
   
   	// add unavailable time if present
  @@ -419,6 +419,7 @@
   	    out.print(buf.toString());
   	}
       }
  +
   }
   	
   class RedirectHandler extends ServletWrapper {
  @@ -459,7 +460,7 @@
   	    append("</h1>\r\n").
   	    append(sm.getString("defaulterrorpage.thisdocumenthasmoved")).
   	    append(" <a href=\"").
  -	    append(location).
  +	    append(RequestUtil.filter(location)).
   	    append("\">here</a>.<p>\r\n</body>\r\n");
   
   	String body = buf.toString();
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.14.2.3  +38 -0     jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java
  
  Index: RequestUtil.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java,v
  retrieving revision 1.14.2.2
  retrieving revision 1.14.2.3
  diff -u -r1.14.2.2 -r1.14.2.3
  --- RequestUtil.java	2001/03/13 18:18:26	1.14.2.2
  +++ RequestUtil.java	2001/03/17 20:52:50	1.14.2.3
  @@ -502,6 +502,44 @@
       }
   
   
  +    /**
  +     * Filter the specified message string for characters that are sensitive
  +     * in HTML.  This avoids potential attacks caused by including JavaScript
  +     * codes in the request URL that is often reported in error messages.
  +     *
  +     * @param message The message string to be filtered
  +     */
  +    public static String filter(String message) {
  +
  +        if (message == null)
  +            return (null);
  +
  +        char content[] = new char[message.length()];
  +        message.getChars(0, message.length(), content, 0);
  +        StringBuffer result = new StringBuffer(content.length + 50);
  +        for (int i = 0; i < content.length; i++) {
  +            switch (content[i]) {
  +            case '<':
  +                result.append("&lt;");
  +                break;
  +            case '>':
  +                result.append("&gt;");
  +                break;
  +            case '&':
  +                result.append("&amp;");
  +                break;
  +            case '"':
  +                result.append("&quot;");
  +                break;
  +            default:
  +                result.append(content[i]);
  +            }
  +        }
  +        return (result.toString());
  +
  +    }
  +
  +
   
       /* -------------------- From HttpDate -------------------- */
       // Parse date - XXX This code is _very_ slow ( 3 parsers, GregorianCalendar,
  
  
  

Mime
View raw message