Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/08/19 17:15:42 UTC

DO NOT REPLY [Bug 45652] New: XSS patch for EL

https://issues.apache.org/bugzilla/show_bug.cgi?id=45652

           Summary: XSS patch for EL
           Product: Tomcat 6
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: major
          Priority: P2
         Component: Jasper
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: werkins@gmail.com


Created an attachment (id=22455)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22455)
Test JSP

Hi everyone,

There is an old post from Matt Raible regarding an XSS vulnerability present in
all tomcat installations by default:
http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss

The JSP I have attached shows a quick-and-dirty test to inject arbitrary HTML
into your page using EL expressions like ${foobar}. I know that "<c:out>" can
be used as a workaround, but it is quite verbose and easy to miss.

As part of my job as a developer of Loom
(http://www.loom.extrema-sistemas.com/) I have prepared a patch for
Generator.java so XML content obtained from EL expressions can be configured to
be escaped defaulting to false (to keep current behavior, but maybe true would
be the safe bet here).

Regards
Rafa


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 45652] XSS patch for EL

--- Comment #4 from Mark Thomas <ma...@apache.org>  2008-08-22 06:03:18 PST ---
Thanks for this. There are some other EL issues I want to get fixed first and
then I'll look at integrating this patch. I'll change the default though to the
current, spec compliant, behaviour.




DO NOT REPLY [Bug 45652] XSS patch for EL


Rafael Serrano <we...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #22456|0                           |1
        is obsolete|                            |

--- Comment #3 from Rafael Serrano <we...@gmail.com>  2008-08-22 05:50:40 PST ---
Created an attachment (id=22472)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22472)
Reworked patch

Hi Mark,

I think you are right about the way this should be configured, so here is the
new patch. The JspServlet parameter to en/disable XML escaping is named
escapeXml.

BTW, I have changed the current behavior, so ${foo} escapes XML by default.

Regards
Rafa




DO NOT REPLY [Bug 45652] XSS patch for EL


Matt Raible <mr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mraible@apache.org

--- Comment #6 from Matt Raible <mr...@apache.org>  2008-08-25 23:27:16 PST ---
This seems similar to the enhancement request I added last September:

https://issues.apache.org/bugzilla/show_bug.cgi?id=43497




DO NOT REPLY [Bug 45652] XSS patch for EL


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #7 from Mark Thomas <ma...@apache.org>  2008-08-31 10:34:16 PST ---
*** This bug has been marked as a duplicate of bug 43497 ***




DO NOT REPLY [Bug 45652] XSS patch for EL

--- Comment #5 from Remy Maucherat <re...@apache.org>  2008-08-22 07:43:09 PST ---
The default value should probably be (! strict_spec_compliance), and the name
of the parameter should be fixed so that it refers to EL. escapeElOutput?




DO NOT REPLY [Bug 45652] XSS patch for EL

--- Comment #1 from Rafael Serrano <we...@gmail.com>  2008-08-19 08:19:06 PST ---
Created an attachment (id=22456)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=22456)
Patch

Here is the patch for the trunk.

To start escaping XML content just add "-Dgenerator.escapeXml=true" to your VM
arguments.


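Added example, not code from the bug report, the attached patch or Jasper itself: a stand-alone Java sketch of the behaviour the initial report and comments #1 and #3 describe, where the value an EL expression such as ${foobar} writes into the page is emitted raw (current behaviour) or XML-escaped depending on an escapeXml flag. ElEscapeDemo, escapeXml and render are hypothetical names; the escaped character set mirrors what JSTL's <c:out> uses, and the sample value is constructed.

```java
/**
 * Stand-alone illustration of the escaping the bug report asks for.
 * render() stands in for what a JSP's generated servlet does when it
 * writes an EL expression such as ${foobar}; it is NOT the Jasper
 * Generator or the attached patch (hypothetical names throughout).
 */
public class ElEscapeDemo {

    /** Escape the five characters that matter in HTML/XML text and
     *  attribute values, the same set JSTL's <c:out> escapes when its
     *  escapeXml attribute is true. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What ${name} writes to the response: the raw value when escapeXml
     *  is false (the current, spec-compliant behaviour) or the escaped
     *  value when it is true (what the patch makes configurable). */
    static String render(Object elValue, boolean escapeXml) {
        String text = elValue == null ? "" : elValue.toString();
        return escapeXml ? escapeXml(text) : text;
    }

    public static void main(String[] args) {
        // Constructed request parameter, as ${param.foobar} in the test JSP
        // would read it; markup in it is what the report calls injected HTML.
        String foobar = "<b>hi</b> & <script>alert('x')</script>";
        System.out.println("escapeXml=false -> " + render(foobar, false));
        System.out.println("escapeXml=true  -> " + render(foobar, true));
    }
}
```

With escapeXml=true the markup reaches the browser as text rather than as elements, which is the same effect the report's <c:out> workaround gives, applied to every EL expression instead of only those the developer remembered to wrap.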


DO NOT REPLY [Bug 45652] XSS patch for EL

--- Comment #2 from Mark Thomas <ma...@apache.org>  2008-08-20 16:41:04 PST ---
I don't see a need for this to be a system property. It should be another
parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?

