Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/06/16 12:01:57 UTC

svn commit: r1602834 - in /tomcat/tc7.0.x/trunk: ./ test/util/ webapps/docs/changelog.xml webapps/examples/WEB-INF/classes/RequestHeaderExample.java webapps/examples/WEB-INF/classes/util/CookieFilter.java

Author: markt
Date: Mon Jun 16 10:01:57 2014
New Revision: 1602834

URL: http://svn.apache.org/r1602834
Log:
Attempt to obfuscate session cookie values associated with other web applications when viewing HTTP request headers with the Request Header example from the examples web application. This reduces the opportunity to use this example for malicious purposes should the advice to remove the examples web application from security sensitive systems be ignored.

Added:
    tomcat/tc7.0.x/trunk/test/util/
      - copied from r1602831, tomcat/trunk/test/util/
    tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
      - copied unchanged from r1602831, tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1602831

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1602834&r1=1602833&r2=1602834&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Jun 16 10:01:57 2014
@@ -178,6 +178,14 @@
         remove the examples web application from security sensitive systems be
         ignored. (markt/kkolinko)
       </fix>
+      <fix>
+        Attempt to obfuscate session cookie values associated with other web
+        applications when viewing HTTP request headers with the Request Header
+        example from the examples web application. This reduces the opportunity
+        to use this example for malicious purposes should the advice to remove
+        the examples web application from security sensitive systems be ignored.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>

Modified: tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java?rev=1602834&r1=1602833&r2=1602834&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java (original)
+++ tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java Mon Jun 16 10:01:57 2014
@@ -18,13 +18,16 @@
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.Enumeration;
+import java.util.Locale;
 import java.util.ResourceBundle;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
+import util.CookieFilter;
 import util.HTMLFilter;
 
 /**
@@ -77,7 +80,16 @@ public class RequestHeaderExample extend
             out.println("<tr><td bgcolor=\"#CCCCCC\">");
             out.println(HTMLFilter.filter(headerName));
             out.println("</td><td>");
-            out.println(HTMLFilter.filter(headerValue));
+            if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
+                HttpSession session = request.getSession(false);
+                String sessionId = null;
+                if (session != null) {
+                    sessionId = session.getId();
+                }
+                out.println(HTMLFilter.filter(CookieFilter.filter(headerValue, sessionId)));
+            } else {
+                out.println(HTMLFilter.filter(headerValue));
+            }
             out.println("</td></tr>");
         }
         out.println("</table>");
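Review bot: The session lookup at `HttpSession session = request.getSession(false);` is executed once per header inside the loop, although the current session cannot change while the request is being rendered; the lookup and the null-guarded `sessionId` could be hoisted above the loop, whose header lies outside this hunk (the enclosing doGet starts and ends outside it). Using `getSession(false)` is the right choice here since the example should not create a session as a side effect of displaying headers. The `contains("cookie")` match covers `Cookie` and `Cookie2`, but a session identifier carried in some other header value, for example a URL-rewritten path parameter inside `Referer`, would still reach the unfiltered `else` branch; whether that is relevant depends on the deployment's use of URL rewriting, which the hunk does not show. Because CookieFilter's contract is not visible in this file, a short comment above the `if` would help the next reader, e.g. `// Session cookie values of other web applications are masked (see CookieFilter); only the current session's id, if any, stays readable.`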


