Author: pbenedict Date: Thu Jun 19 18:52:54 2014 New Revision: 1603997 URL: http://svn.apache.org/r1603997 Log: CVE-2008-2025 Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java Thu Jun 19 18:52:54 2014 
@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils import org.apache.struts.taglib.logic.IterateTag; import org.apache.struts.util.MessageResources; import org.apache.struts.util.RequestUtils; +import org.apache.struts.util.ResponseUtils; /** * Base class for tags that render form elements capable of including JavaScript @@ -898,10 +899,13 @@ public abstract class BaseHandlerTag ext */ protected void prepareAttribute(StringBuffer handlers, String name, Object value) { if (value != null) { + if (name.indexOf('"') >= 0) { + throw new IllegalArgumentException("quote character in attribute name"); + } handlers.append(" "); handlers.append(name); handlers.append("=\""); - handlers.append(value); + handlers.append(ResponseUtils.filterIfQuote(value.toString())); handlers.append("\""); } } Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java Thu Jun 19 18:52:54 2014 @@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleCo import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; import org.apache.struts.util.RequestUtils; +import org.apache.struts.util.ResponseUtils; /** * Custom tag that represents an input form, associated with a bean whose 
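Review bot: The new guard in `prepareAttribute` rejects only a double quote in `name`, so a name containing whitespace, `=` or `>` would still change the emitted markup; that is harmless if every caller passes a literal attribute name, but the hunk does not show the callers. I would state the contract next to the check, `// name must be a literal attribute name supplied by the tag class, never request data`, or tighten the test to accept only letters, digits, `-`, `_`, `:` and `.`. `name.indexOf` also throws a NullPointerException for a null name, where the old code appended it. `ResponseUtils.filterIfQuote` protects the attribute boundary only: this class renders JavaScript event handlers, and the browser decodes `&quot;` before the script runs, so a handler value that embeds request data still needs script-context escaping from the caller. The same guard is added to `renderAttribute` in FormTag.java (hunk at -598) and the same points apply there.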
@@ -546,12 +547,11 @@ public class FormTag extends TagSupport (HttpServletResponse) this.pageContext.getResponse(); results.append(" action=\""); - results.append( + results.append(ResponseUtils.filterIfQuote( response.encodeURL( TagUtils.getInstance().getActionMappingURL( this.action, - this.pageContext))); - + this.pageContext)))); results.append("\""); } @@ -580,7 +580,7 @@ public class FormTag extends TagSupport results.append("
"); } else { @@ -598,10 +598,13 @@ public class FormTag extends TagSupport */ protected void renderAttribute(StringBuffer results, String attribute, String value) { if (value != null) { + if (attribute.indexOf('"') >= 0) { + throw new IllegalArgumentException("quote character in attribute name"); + } results.append(" "); results.append(attribute); results.append("=\""); - results.append(value); + results.append(ResponseUtils.filterIfQuote(value)); results.append("\""); } } Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java Thu Jun 19 18:52:54 2014 @@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSuppo import org.apache.struts.Globals; import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; +import org.apache.struts.util.ResponseUtils; /** * Renders an HTML element with appropriate language attributes if 
@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport if ((this.lang || this.locale || this.xhtml) && validLanguage) { sb.append(" lang=\""); - sb.append(language); + sb.append(ResponseUtils.filterIfQuote(language)); if (validCountry) { sb.append("-"); - sb.append(country); + sb.append(ResponseUtils.filterIfQuote(country)); } sb.append("\""); } if (this.xhtml && validLanguage) { sb.append(" xml:lang=\""); - sb.append(language); + sb.append(ResponseUtils.filterIfQuote(language)); if (validCountry) { sb.append("-"); - sb.append(country); + sb.append(ResponseUtils.filterIfQuote(country)); } sb.append("\""); } Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java Thu Jun 19 18:52:54 2014 @@ -46,6 +46,7 @@ import org.apache.struts.action.ActionMa import org.apache.struts.config.ModuleConfig; import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; +import org.apache.struts.util.ResponseUtils; import org.apache.struts.validator.Resources; import org.apache.struts.validator.ValidatorPlugIn; 
@@ -850,7 +851,7 @@ public class JavascriptValidatorTag exte } if (this.src != null) { - start.append(" src=\"" + src + "\""); + start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\""); } start.append("> \n"); Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java Thu Jun 19 18:52:54 2014 @@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagS import org.apache.struts.Globals; import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; +import org.apache.struts.util.ResponseUtils; /** * Tag for select options. The body of this tag is presented to the user @@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSu protected String renderOptionElement() throws JspException { StringBuffer results = new StringBuffer("\r\n"); Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java Thu Jun 19 18:52:54 2014 
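Review bot: Escaping the quote in `src` keeps the value inside the attribute, but the attribute is the URL of a script, so the value itself decides what code the page loads. Whether `src` can ever carry request-derived data is not visible in this hunk; if it can, the tag needs a check that the value is an application-relative path, and if it cannot, a comment should record that: `// src is set by the page author only; filterIfQuote guards the attribute boundary, not the URL`. The enclosing method starts and ends outside the hunk. The identical change in the faces JavascriptValidatorTag.java (hunk at -711) should get the same comment.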
@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.Prop import org.apache.struts.util.IteratorAdapter; import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; +import org.apache.struts.util.ResponseUtils; /** * Tag for creating multiple <select> options from a collection. The @@ -313,7 +314,7 @@ public class OptionsTag extends TagSuppo if (filter) { sb.append(TagUtils.getInstance().filter(value)); } else { - sb.append(value); + sb.append(ResponseUtils.filterIfQuote(value)); } sb.append("\""); if (matched) { @@ -321,12 +322,12 @@ public class OptionsTag extends TagSuppo } if (style != null) { sb.append(" style=\""); - sb.append(style); + sb.append(ResponseUtils.filterIfQuote(style)); sb.append("\""); } if (styleClass != null) { sb.append(" class=\""); - sb.append(styleClass); + sb.append(ResponseUtils.filterIfQuote(styleClass)); sb.append("\""); } @@ -335,7 +336,7 @@ public class OptionsTag extends TagSuppo if (filter) { sb.append(TagUtils.getInstance().filter(label)); } else { - sb.append(label); + sb.append(ResponseUtils.filterIfQuote(label)); } sb.append("\r\n"); Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java Thu Jun 19 18:52:54 2014 @@ -23,6 +23,7 @@ import java.util.Map; import javax.servlet.jsp.JspException; +import org.apache.struts.util.ResponseUtils; import org.apache.struts.taglib.TagUtils; /** 
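Review bot: In the hunk at -335, `filterIfQuote(label)` is applied to what appears to be the option's body text rather than an attribute value (the surrounding literals were lost in this rendering), while the helper's own javadoc says its result is only safe inside a double-quoted attribute. With `filter` false the label is still written with `<`, `>` and `&` untouched, so the call adds no protection there and can read as if the label were sanitised. I would drop the call for the label or add `// filter == false: label is emitted as markup; the caller must supply trusted content`. The value, `style` and `class` changes in the hunks at -313 and -321 are attribute values and are the right place for the call.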
@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag (messages.getMessage("rewrite.url", e.toString())); } - TagUtils.getInstance().write(pageContext, url); + TagUtils.getInstance().write(pageContext, + ResponseUtils.filterIfQuote(url)); return (SKIP_BODY); Modified: struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java URL: http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java (original) +++ struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java Thu Jun 19 18:52:54 2014 @@ -220,5 +220,36 @@ public class ResponseUtils { } - + /** + * Replace double-quote characters in the input string with + * proper HTML encoding. + * + * No other HTML-encoding is performed. As a result, the return value + * can only be safely used in (X)HTML attributes surrounded by + * double-quote characters ("). + * + *
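Review bot: `write(pageContext, ResponseUtils.filterIfQuote(url))` emits the URL straight into the page, so the tag cannot know whether the author placed it in a double-quoted attribute, a single-quoted attribute or a script block, and `filterIfQuote` is documented as safe only for the first of these. In script text the `&quot;` replacement also changes the string the script receives, which may alter behaviour on existing pages. A comment on the call should record the assumption: `// assumes the tag output sits inside a double-quoted attribute; other contexts need their own escaping`. The method body continues outside the hunk.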

Note that you should not use this function in new code. + * It is only intended for old code which needs to be + * backwards-compatible with incompletely-quoted attributes. + * + * @return a fresh string object if quoting is needed, + * otherwise the input string + */ + public static String filterIfQuote(String value) { + if (value == null) + return null; + if (value.indexOf('"') >= 0) { + StringBuffer sb = new StringBuffer(value.length() + 2); + for (int i = 0; i < value.length(); ++i) { + final char ch = value.charAt(i); + if (ch == '"') + sb.append("""); + else + sb.append(ch); + } + return sb.toString(); + } + return value; + } + } Modified: struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java URL: http://svn.apache.org/viewvc/struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff ============================================================================== --- struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java (original) +++ struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java Thu Jun 19 18:52:54 2014 @@ -53,6 +53,7 @@ import org.apache.struts.faces.component import org.apache.struts.taglib.TagUtils; import org.apache.struts.util.MessageResources; import org.apache.struts.util.ModuleUtils; +import org.apache.struts.util.ResponseUtils; import org.apache.struts.validator.Resources; import org.apache.struts.validator.ValidatorPlugIn; @@ -711,7 +712,7 @@ public class JavascriptValidatorTag exte } if (this.src != null) { - start.append(" src=\"" + src + "\""); + start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\""); } start.append("> \n");
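Review bot: The javadoc for `filterIfQuote` has no `@param` and does not say that a null input returns null, although the code handles that case first; I would add `@param value the attribute value to escape, may be null` and end `@return` with `or null if the input is null`. The buffer is created with `value.length() + 2`, which is already too small once a single quote is replaced by a six-character entity, so a larger margin such as `value.length() + 16` would avoid the immediate regrow. The null check and the inner `if`/`else` are unbraced while the outer `if` is braced, and bracing them all would be consistent. As rendered on this page the replacement literal reads `"""`, presumably `&quot;` decoded by the mail archive, so it should be checked against the repository rather than this listing.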