tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r671351 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/jasper/security/SecurityUtil.java java/org/apache/jasper/servlet/JspServlet.java webapps/docs/changelog.xml
Date Tue, 24 Jun 2008 21:27:38 GMT
Author: markt
Date: Tue Jun 24 14:27:37 2008
New Revision: 671351

URL: http://svn.apache.org/viewvc?rev=671351&view=rev
Log:
Provide belt and braces XSS protection. Really an app responsibility but worth protecting
against in case the app forgets.

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Jun 24 14:27:37 2008
@@ -41,12 +41,6 @@
   +1: markt, remm
   -1: 
 
-* Provide belt and braces XSS protection. Really an app responsbility but worth
-  protecting against in case the app forgets.
-  http://svn.apache.org/viewvc?rev=664483&view=rev
-  +1: markt, fhanik, remm
-  -1: 
-
 * Make fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=43285 optional
   Coercion of null and "" to zero can now be disabled if required
   Patch by Nils Eckert

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java Tue Jun 24 14:27:37
2008
@@ -40,5 +40,42 @@
         return false;
     }
     
-    
+
+    /**
+     * Filter the specified message string for characters that are sensitive
+     * in HTML.  This avoids potential attacks caused by including JavaScript
+     * codes in the request URL that is often reported in error messages.
+     *
+     * @param message The message string to be filtered
+     */
+    public static String filter(String message) {
+
+        if (message == null)
+            return (null);
+
+        char content[] = new char[message.length()];
+        message.getChars(0, message.length(), content, 0);
+        StringBuffer result = new StringBuffer(content.length + 50);
+        for (int i = 0; i < content.length; i++) {
+            switch (content[i]) {
+            case '<':
+                result.append("&lt;");
+                break;
+            case '>':
+                result.append("&gt;");
+                break;
+            case '&':
+                result.append("&amp;");
+                break;
+            case '"':
+                result.append("&quot;");
+                break;
+            default:
+                result.append(content[i]);
+            }
+        }
+        return (result.toString());
+
+    }
+
 }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java Tue Jun 24 14:27:37
2008
@@ -35,6 +35,7 @@
 import org.apache.jasper.Options;
 import org.apache.jasper.compiler.JspRuntimeContext;
 import org.apache.jasper.compiler.Localizer;
+import org.apache.jasper.security.SecurityUtil;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 
@@ -311,8 +312,12 @@
                         if (includeRequestUri != null) {
                             // This file was included. Throw an exception as
                             // a response.sendError() will be ignored
-                            throw new ServletException(Localizer.getMessage(
-                                    "jsp.error.file.not.found",jspUri));
+                            String msg = Localizer.getMessage(
+                                    "jsp.error.file.not.found",jspUri);
+                            // Strictly, filtering this is an application
+                            // responsibility but just in case...
+                            throw new ServletException(
+                                    SecurityUtil.filter(msg));
                         } else {
                             try {
                                 response.sendError(

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Jun 24 14:27:37 2008
@@ -303,6 +303,12 @@
         <bug>44994</bug>: Enable nested conditional expressions in JSP EL. Patch
         provided by James Manger. (markt)
       </fix>
+      <add>
+        Add HTML filtering of error messages for included resources in case the
+        app has tried to include an unsafe URL that does not exist. This is
+        really an app responsibility but the filtering has been added for XSS
+        safety. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Webapps">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message