Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/08/19 17:15:42 UTC
DO NOT REPLY [Bug 45652] New: XSS patch for EL
https://issues.apache.org/bugzilla/show_bug.cgi?id=45652
Summary: XSS patch for EL
Product: Tomcat 6
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: major
Priority: P2
Component: Jasper
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: werkins@gmail.com
Created an attachment (id=22455)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22455)
Test JSP
Hi everyone,
There is an old post from Matt Raible regarding an XSS vulnerability present in
all tomcat installations by default:
http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss
The JSP I have attached shows a quick-and-dirty test to inject arbitrary HTML
into your page using EL expressions like ${foobar}. I know that "<c:out>" can
be used as a workaround, but it is quite verbose and easy to miss.
As part of my job as a developer of Loom
(http://www.loom.extrema-sistemas.com/) I have prepared a patch for
Generator.java so XML content obtained from EL expressions can be configured to
be escaped defaulting to false (to keep current behavior, but maybe true would
be the safe bet here).
Regards
Rafa
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
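The behaviour the report describes, as an added example that is neither the attached patch nor Tomcat's own Generator.java: a Java model of the write Jasper emits for a template-text ${foobar}, once with the current raw output and once with the escapeXml switch the patch proposes (the escaping rules mirror JSTL's <c:out escapeXml="true">). The untrusted value is constructed.

```java
// Added example, not from the attached patch or from Tomcat's Generator.java.
// Models what the reporter's patch proposes: the code Jasper generates for a
// template-text EL expression such as ${foobar} writes the evaluated value
// either raw (current, spec-compliant behaviour) or XML-escaped when the
// proposed escapeXml switch is on. Escaping mirrors JSTL <c:out>.
public class ElOutputEscaping {

    /** Escape the five characters that matter in an HTML/XML text context. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for the write Jasper emits for ${expr}: the evaluated value
     *  goes to the JspWriter, escaped or not depending on the flag. */
    static String renderEl(Object evaluated, boolean escapeXml) {
        String text = evaluated == null ? "" : evaluated.toString();
        return escapeXml ? escapeXml(text) : text;
    }

    public static void main(String[] args) {
        // Constructed untrusted value, as if bound from a request parameter.
        String foobar = "<b>injected</b><script>alert(1)</script>";

        // Default today: the markup reaches the browser as-is.
        System.out.println("escapeXml=false: " + renderEl(foobar, false));
        // Proposed default: the same value is rendered as inert text.
        System.out.println("escapeXml=true:  " + renderEl(foobar, true));
    }
}
```

Note that escaping is only correct for a text or attribute-value context; an EL value placed inside a script block or a URL attribute needs context-specific encoding, which neither <c:out> nor this switch provides.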
--- Comment #4 from Mark Thomas <ma...@apache.org> 2008-08-22 06:03:18 PST ---
Thanks for this. There are some other EL issues I want to get fixed first and
then I'll look at integrating this patch. I'll change the default though to the
current, spec compliant, behaviour.
Rafael Serrano <we...@gmail.com> changed:
What | Removed | Added
----------------------------------------------------------------------------
Attachment #22456 is obsolete | 0 | 1
--- Comment #3 from Rafael Serrano <we...@gmail.com> 2008-08-22 05:50:40 PST ---
Created an attachment (id=22472)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22472)
Reworked patch
Hi Mark,
I think you are right about the way this should be configured, so here is the
new patch. The JspServlet parameter to en/disable XML escaping is named
escapeXml.
BTW, I have changed the current behavior, so ${foo} escapes XML by default.
Regards
Rafa
Matt Raible <mr...@apache.org> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | mraible@apache.org
--- Comment #6 from Matt Raible <mr...@apache.org> 2008-08-25 23:27:16 PST ---
This seems similar to the enhancement request I added last September:
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
Mark Thomas <ma...@apache.org> changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | RESOLVED
Resolution | | DUPLICATE
--- Comment #7 from Mark Thomas <ma...@apache.org> 2008-08-31 10:34:16 PST ---
*** This bug has been marked as a duplicate of bug 43497 ***
--- Comment #5 from Remy Maucherat <re...@apache.org> 2008-08-22 07:43:09 PST ---
The default value should probably be (! strict_spec_compliance), and the name
of the parameter should be fixed so that it refers to EL. escapeElOutput ?
--- Comment #1 from Rafael Serrano <we...@gmail.com> 2008-08-19 08:19:06 PST ---
Created an attachment (id=22456)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22456)
Patch
Here is the patch for the trunk.
To start escaping XML content just add "-Dgenerator.escapeXml=true" to your VM
arguments.
--- Comment #2 from Mark Thomas <ma...@apache.org> 2008-08-20 16:41:04 PST ---
I don't see a need for this to be a system property. It should be another
parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?