Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 72664 invoked from network); 2 Jan 2008 19:52:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 2 Jan 2008 19:52:15 -0000 Received: (qmail 86010 invoked by uid 500); 2 Jan 2008 19:52:01 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 85969 invoked by uid 500); 2 Jan 2008 19:52:01 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 85958 invoked by uid 500); 2 Jan 2008 19:52:01 -0000 Delivered-To: apmail-jakarta-tomcat-dev@jakarta.apache.org Received: (qmail 85955 invoked by uid 99); 2 Jan 2008 19:52:01 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Jan 2008 11:52:01 -0800 X-ASF-Spam-Status: No, hits=-100.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Jan 2008 19:51:57 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 7B3F41A9832; Wed, 2 Jan 2008 11:51:48 -0800 (PST) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r608199 - in /tomcat/connectors/trunk/jk: native/common/jk_status.c xdocs/miscellaneous/changelog.xml Date: Wed, 02 Jan 2008 19:51:47 -0000 To: tomcat-dev@jakarta.apache.org 
From: rjung@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080102195148.7B3F41A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: rjung Date: Wed Jan 2 11:51:44 2008 New Revision: 608199 URL: http://svn.apache.org/viewvc?rev=608199&view=rev Log: Improve XSS hardening of status worker. Modified: tomcat/connectors/trunk/jk/native/common/jk_status.c tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Modified: tomcat/connectors/trunk/jk/native/common/jk_status.c URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_status.c?rev=608199&r1=608198&r2=608199&view=diff ============================================================================== --- tomcat/connectors/trunk/jk/native/common/jk_status.c (original) +++ tomcat/connectors/trunk/jk/native/common/jk_status.c Wed Jan 2 11:51:44 2008 @@ -148,7 +148,7 @@ #define JK_STATUS_WAIT_AFTER_UPDATE "3" #define JK_STATUS_REFRESH_DEF "10" -#define JK_STATUS_ESC_CHARS ("<>?&") +#define JK_STATUS_ESC_CHARS ("<>?\"") #define JK_STATUS_HEAD "\n" \ "req_params))) { - jk_log(l, JK_LOG_ERROR, - "Status worker '%s' could not alloc map for request parameters", - w->name); - JK_TRACE_EXIT(l); - return JK_FALSE; - } if (!s->query_string) { if (JK_IS_DEBUG_LEVEL(l)) jk_log(l, JK_LOG_DEBUG, 
@@ -951,15 +945,39 @@
 JK_TRACE_EXIT(l);
 return JK_TRUE;
 }
+
+ p->query_string = jk_pool_strdup(s->pool, s->query_string);
+ if (!p->query_string) {
+ jk_log(l, JK_LOG_ERROR,
+ "Status worker '%s' could not copy query string",
+ w->name);
+ JK_TRACE_EXIT(l);
+ return JK_FALSE;
+ }
+
+ /* XXX We simply mask special chars n the query string with '@' to prevent cross site scripting */
+ query = p->query_string;
+ while ((query = strpbrk(query, JK_STATUS_ESC_CHARS)))
+ query[0] = '@';
+
+ if (!jk_map_alloc(&(p->req_params))) {
+ jk_log(l, JK_LOG_ERROR,
+ "Status worker '%s' could not alloc map for request parameters",
+ w->name);
+ JK_TRACE_EXIT(l);
+ return JK_FALSE;
+ }
 m = p->req_params;
- query = jk_pool_strdup(s->pool, s->query_string);
+
+ query = jk_pool_strdup(s->pool, p->query_string);
 if (!query) {
 jk_log(l, JK_LOG_ERROR,
- "Status worker '%s' could not copy string",
+ "Status worker '%s' could not copy query string",
 w->name);
 JK_TRACE_EXIT(l);
 return JK_FALSE;
 }
+
 #ifdef _REENTRANT
 for (param = strtok_r(query, "&", &lasts); param;
 param = strtok_r(NULL, "&", &lasts)) {
@@ -977,14 +995,9 @@
 }
 value = strchr(key, '=');
 if (value) {
- char *off;
 *value = '\0';
 value++;
 /* XXX Depending on the params values, we might need to trim and decode */
- /* XXX For now we simply mask special chars with '@' to prevent cross code injection */
- off = value;
- while ((off = strpbrk(off, JK_STATUS_ESC_CHARS)))
- off[0] = '@';
 if (strlen(key)) {
 if (JK_IS_DEBUG_LEVEL(l))
 jk_log(l, JK_LOG_DEBUG,
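Review bot: The masking loop added after `query = p->query_string;` is a denylist: with the new JK_STATUS_ESC_CHARS it neutralises only `<`, `>`, `?` and `"`, so a value that ends up inside a single-quoted attribute, a script block or a URL would not be safe, and because `&` had to be dropped from the set (it is now the strtok_r separator), entity sequences reach the page untouched. The robust fix is to keep the raw query string and HTML-escape each value at the point it is written into the response, where the output context decides what must be escaped; if the input-side mask is kept, the comment should state the contract it relies on, e.g. `/* Assumes every masked value is only ever emitted in a double-quoted HTML attribute or text node; '\'' and '&' are deliberately not masked */`. The same comment has a typo, `chars n the` should read `chars in the`. The enclosing function starts before this hunk.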
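Review bot: With the per-value masking removed here, the only masking now runs once on the whole query string before strtok_r splits it, i.e. before any decoding, which makes the surviving line `/* XXX Depending on the params values, we might need to trim and decode */` a trap: a later percent-decode of a value would turn `%3C` back into `<` after the mask has already run. The comment should record that ordering constraint, e.g. `/* XXX Any decoding added here must run before the masking loop earlier in this function, otherwise the mask is bypassed via %-encoding */`. The enclosing loop and function continue outside the hunk.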
@@ -3336,7 +3349,7 @@ cmd == JK_STATUS_CMD_SHOW) && refresh > 0) { jk_printf(s, "\n", - refresh, s->req_uri, s->query_string); + refresh, s->req_uri, p->query_string); } if (w->css) { jk_putv(s, "\n 0) { - const char *str = s->query_string; + const char *str = p->query_string; char *buf = jk_pool_alloc(s->pool, sizeof(char *) * (strlen(str)+1)); int result = 0; size_t scan = 0; Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?rev=608199&r1=608198&r2=608199&view=diff ============================================================================== --- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Wed Jan 2 11:51:44 2008 @@ -44,6 +44,9 @@ + Status: Improve XSS hardening. (rjung) + + Move initialization of service members with defaults from web server specific code to our generic jk_init_ws_service() function. (rjung) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org