Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/11/22 18:20:10 UTC

svn commit: r1037779 - in /tomcat/tc6.0.x/trunk: java/org/apache/catalina/manager/JspHelper.java webapps/docs/changelog.xml webapps/manager/WEB-INF/jsp/sessionDetail.jsp webapps/manager/WEB-INF/jsp/sessionsList.jsp

Author: markt
Date: Mon Nov 22 17:20:10 2010
New Revision: 1037779

URL: http://svn.apache.org/viewvc?rev=1037779&view=rev
Log:
Fix CVE-2010-4172. Multiple XSS in Manager web application

Modified:
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/JspHelper.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
    tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/JspHelper.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/JspHelper.java?rev=1037779&r1=1037778&r2=1037779&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/JspHelper.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/JspHelper.java Mon Nov 22 17:20:10 2010
@@ -58,7 +58,7 @@ public class JspHelper {
     }
     private static String localeToString(Locale locale) {
         if (locale != null) {
-            return locale.toString();//locale.getDisplayName();
+            return escapeXml(locale.toString());//locale.getDisplayName();
         } else {
             return "";
         }
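Review bot: `localeToString` now returns HTML-escaped text instead of the raw locale string, but nothing on the method records that change of contract, and the leftover `//locale.getDisplayName();` on the changed line adds noise. A comment such as `// Returns the locale already escaped for HTML output; callers must not escape it again` would keep a later caller from double-encoding the value or reusing it outside an HTML context. The end of the method and its callers are outside the hunk, so whether any caller already escapes the result cannot be checked from here.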

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1037779&r1=1037778&r2=1037779&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Nov 22 17:20:10 2010
@@ -312,6 +312,9 @@
         <bug>50303</bug>: Update JNDI how-to to reflect new JavaMail and JAF
         download locations and that JAF is now included in Java SE 6. (markt) 
       </fix>
+      <fix>
+        CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

Modified: tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp?rev=1037779&r1=1037778&r2=1037779&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp Mon Nov 22 17:20:10 2010
@@ -30,9 +30,10 @@
 <% String path = (String) request.getAttribute("path");
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
-   String currentSessionId = currentSession.getId();
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURL().toString());
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
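Review bot: `path` is concatenated into the query string of `submitUrl` without URL-encoding, so `escapeXml` protects the HTML attribute but a value containing `&`, `#`, `%` or `+` would still change which parameters the forms submit. The same construction appears in the first hunk of sessionsList.jsp. The origin of the `path` request attribute is not shown, but this commit treats it as untrusted, so I would encode it for the URL context first: `"?path=" + java.net.URLEncoder.encode(path, "UTF-8")`, kept inside the existing `encodeURL`/`escapeXml` wrapping. A null `path` attribute would also render as the literal `?path=null`, which may deserve an explicit guard.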
@@ -46,7 +47,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
-<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
 
 <table style="text-align: left;" border="0">
   <tr>
@@ -89,7 +90,6 @@
 
 <form method="post" action="<%= submitUrl %>">
   <div>
-    <input type="hidden" name="path" value="<%= path %>" />
     <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
     <input type="hidden" name="action" value="sessionDetail" />
     <input type="submit" value="Refresh" />
@@ -131,10 +131,9 @@
             <td align="center">
                 <form method="post" action="<%= submitUrl %>">
                     <div>
-                        <input type="hidden" name="path" value="<%= path %>" />
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
-                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <input type="submit" value="Remove" />
                     </div>
                 </form>
@@ -148,7 +147,6 @@
 
 <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
-    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>

Modified: tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp?rev=1037779&r1=1037778&r2=1037779&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp (original)
+++ tomcat/tc6.0.x/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp Mon Nov 22 17:20:10 2010
@@ -26,8 +26,9 @@
 
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <% String path = (String) request.getAttribute("path");
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURI() + "?path=" + path);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -39,10 +40,10 @@
 	<meta name="author" content="Cedrik LIME"/>
 	<meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
 	<meta name="robots" content="noindex,nofollow,noarchive"/>
-	<title>Sessions Administration for <%= path %></title>
+	<title>Sessions Administration for <%= JspHelper.escapeXml(path) %></title>
 </head>
 <body>
-<h1>Sessions Administration for <%= path %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(path) %></h1>
 
 <p>Tips:</p>
 <ul>
@@ -56,13 +57,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
 	<fieldset><legend>Active HttpSessions informations</legend>
 		<input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
-		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+		<input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
 		<% String order = (String) request.getAttribute("order");
 		   if (order == null || "".equals(order)) {
 		   	order = "ASC";
 		   }
 		%>
-		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+		<input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
 		<input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
 		<%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
 		<table border="1" cellpadding="2" cellspacing="2" width="100%">
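Review bot: `order` is escaped on output, but the scriptlet above only substitutes `"ASC"` when the attribute is null or empty, so any other string is still reflected into the hidden field. The value appears to be a sort direction, so constraining it is stronger than escaping, e.g. `if (!"DESC".equals(order)) { order = "ASC"; }`. That assumes ASC and DESC are the only values the servlet accepts, which this hunk does not show. The `sort` field now passes the attribute to `escapeXml` as an `Object` without the old `(String)` cast; confirm that the overload used maps null to a sensible value.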
@@ -96,11 +97,11 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
    	Session currentSession = (Session) iter.next();
-   	String currentSessionId = currentSession.getId();
+   	String currentSessionId = JspHelper.escapeXml(currentSession.getId());
 %>
 				<tr>
 					<td>
-<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+<input type="checkbox" name="sessionIds" value="<%= currentSessionId %>" /><a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>"><%= currentSessionId %></a>
 					</td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td>
 					<td style="text-align: center;"><%= JspHelper.guessDisplayUserFromSession(currentSession) %></td>
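Review bot: `currentSessionId` now holds the HTML-escaped id and is then placed in the `sessionId=` query parameter of the `href` on the anchor line, a URL context that `escapeXml` does not cover. Session ids are usually URL-safe, so this is probably harmless in practice, but building that parameter from `java.net.URLEncoder.encode(currentSession.getId(), "UTF-8")` before escaping would keep the link correct for any id format. The two cells after it write the results of `guessDisplayLocaleFromSession` and `guessDisplayUserFromSession` unescaped. This commit escapes `localeToString` in JspHelper, but the user helper is not visible on this page and should be confirmed to escape its return value.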


