Posted to commits@beehive.apache.org by ri...@apache.org on 2005/12/08 07:27:49 UTC
svn commit: r355003 - in /beehive/trunk/netui:
src/pageflow/org/apache/beehive/netui/pageflow/
src/pageflow/org/apache/beehive/netui/pageflow/internal/
test/webapps/drt/testRecorder/tests/
Author: rich
Date: Wed Dec 7 22:27:14 2005
New Revision: 355003
URL: http://svn.apache.org/viewcvs?rev=355003&view=rev
Log:
Fix for http://issues.apache.org/jira/browse/BEEHIVE-952 : Potential cross-site-scripting vulnerability when not in production mode
(This is now covered by an existing test -- PfPageFlow.)
tests: bvt in netui (WinXP)
BB: same (linux)
Modified:
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/FacesBackingBean.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowController.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowManagedObject.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/SharedFlowController.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java
beehive/trunk/netui/test/webapps/drt/testRecorder/tests/PfPageFlow.xml
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/FacesBackingBean.java
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/FacesBackingBean.java?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/FacesBackingBean.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/FacesBackingBean.java Wed Dec 7 22:27:14 2005
@@ -75,7 +75,7 @@
/**
* Remove this instance from the session.
*/
- protected void removeFromSession( HttpServletRequest request )
+ public void removeFromSession( HttpServletRequest request )
{
StorageHandler sh = Handlers.get( getServletContext() ).getStorageHandler();
HttpServletRequest unwrappedRequest = PageFlowUtils.unwrapMultipart( request );
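Review bot: Widening `removeFromSession` from protected to public changes the framework's public API without the Javadoc saying why or who is expected to call it; the same widening appears in the PageFlowController, PageFlowManagedObject and SharedFlowController hunks. Since the commit message describes an XSS fix, a one-line Javadoc addition such as `Used by the framework; normally should not be called directly.` (the wording PageFlowManagedObject already uses for its session-store method) would make the intent clear to integrators. removeFromSession's body continues outside the hunk.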
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowController.java
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowController.java?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowController.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowController.java Wed Dec 7 22:27:14 2005
@@ -184,7 +184,7 @@
/**
* Remove this instance from the session. When inside a page flow action, {@link #remove} may be called instead.
*/
- protected synchronized void removeFromSession( HttpServletRequest request )
+ public synchronized void removeFromSession( HttpServletRequest request )
{
// This request attribute is used in persistInSession to prevent re-saving of this instance.
request.setAttribute( REMOVING_PAGEFLOW_ATTR, this );
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowManagedObject.java
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowManagedObject.java?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowManagedObject.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowManagedObject.java Wed Dec 7 22:27:14 2005
@@ -148,7 +148,7 @@
/**
* Remove this instance from the session.
*/
- protected abstract void removeFromSession( HttpServletRequest request );
+ public abstract void removeFromSession( HttpServletRequest request );
/**
* Store this object in the user session, in the appropriate place. Used by the framework; normally should not be
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/SharedFlowController.java
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/SharedFlowController.java?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/SharedFlowController.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/SharedFlowController.java Wed Dec 7 22:27:14 2005
@@ -218,7 +218,7 @@
/**
* Remove this instance from the session. When inside a shared flow action, {@link #remove} may be called instead.
*/
- protected synchronized void removeFromSession( HttpServletRequest request )
+ public synchronized void removeFromSession( HttpServletRequest request )
{
PageFlowUtils.removeSharedFlow( getClass().getName(), request );
}
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java Wed Dec 7 22:27:14 2005
@@ -53,6 +53,8 @@
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
+import java.io.Writer;
+import java.io.PrintWriter;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Iterator;
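Review bot: Neither `java.io.Writer` nor `java.io.PrintWriter` is referenced by the new code visible in this change — `response.getWriter().println(html)` needs no declared type — so the two added imports look unused unless another part of the file relies on them; drop them if not.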
@@ -151,10 +153,44 @@
throw new ResponseOutputException( baseMessage, cause );
}
+ // Filter the message args to prevent cross-site scripting (XSS) attacks (e.g., if one of the args is something
+ // that ultimately came from the user request, and it contains something like <script>[some sscript]</script>.
+ for (int i = 0; i < messageArgs.length; i++) {
+ Object messageArg = messageArgs[i];
+ messageArgs[i] = messageArg != null ? filterValue(messageArg.toString()) : null;
+ }
+
String html = Bundle.getString( messageKey + "_Page", messageArgs );
response.setContentType( "text/html;charset=UTF-8" );
- response.getWriter().println( html );
+ response.getWriter().println(html);
ServletUtils.preventCache( response );
+ }
+
+ /**
+ * Filter output to prevent cross-site scripting (XSS) attacks.
+ */
+ private static String filterValue(String value)
+ throws IOException {
+ InternalStringBuilder result = new InternalStringBuilder(value.length());
+
+ for (int i = 0; i < value.length(); ++i) {
+ char c = value.charAt(i);
+ switch (c) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ default:
+ result.append(c);
+ }
+ }
+
+ return result.toString();
}
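Review bot: filterValue escapes only `<`, `>` and `&`, so an arg containing `"` or `'` is still written unescaped, which is insufficient if the `_Page` bundle string ever places an arg inside an attribute value (the PfPageFlow.xml fixture shows this page uses single-quoted `href` attributes); add `case '"': result.append("&quot;"); break;` and `case '\'': result.append("&#39;"); break;` alongside the existing cases. As rendered here the replacement strings at the `<`, `>` and `&` cases read as the very characters they replace, which is presumably entity decoding by the archive — confirm the committed source reads `&lt;`, `&gt;` and `&amp;`, otherwise the filter is a no-op. The loop also overwrites the caller's `messageArgs` array in place rather than filtering into a local copy, a side effect worth either a comment or a fresh `Object[]`. The `throws IOException` on filterValue is unnecessary since nothing in its body can throw it. The method containing the filtering loop starts outside the hunk.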
/**
Modified: beehive/trunk/netui/test/webapps/drt/testRecorder/tests/PfPageFlow.xml
URL: http://svn.apache.org/viewcvs/beehive/trunk/netui/test/webapps/drt/testRecorder/tests/PfPageFlow.xml?rev=355003&r1=355002&r2=355003&view=diff
==============================================================================
--- beehive/trunk/netui/test/webapps/drt/testRecorder/tests/PfPageFlow.xml (original)
+++ beehive/trunk/netui/test/webapps/drt/testRecorder/tests/PfPageFlow.xml Wed Dec 7 22:27:14 2005
@@ -222,7 +222,7 @@
<response>
<statusCode>200</statusCode>
<reason></reason>
- <responseBody><![CDATA[<html><title>PageFlow Error</title><body>PageFlow <b>/pageFlowCore/pfPageFlow/Controller.jpf</b>: Error raised from the Page Flow Test<br /><a href='Controller.jpf'>Return</a></body></html>]]></responseBody>
+ <responseBody><![CDATA[<html><title>PageFlow Error</title><body>PageFlow <b>/pageFlowCore/pfPageFlow/Controller.jpf</b>: Error raised from the Page Flow Test<br /><a href='Controller.jpf'>Return</a></body></html>]]></responseBody>
</response>
</test>