Posted to scm@geronimo.apache.org by rw...@apache.org on 2010/06/21 11:50:40 UTC
svn commit: r956522 -
/geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java
Author: rwonly
Date: Mon Jun 21 09:50:40 2010
New Revision: 956522
URL: http://svn.apache.org/viewvc?rev=956522&view=rev
Log:
GERONIMO-5384 Geronimo console doesn't seem to handle % in sql statements right.
Modified:
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java
Modified: geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java?rev=956522&r1=956521&r2=956522&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java (original)
+++ geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java Mon Jun 21 09:50:40 2010
@@ -77,7 +77,7 @@ public class XSSHandler {
// these parameter value(s) which can allow < and " usage
String[] vals = hreq.getParameterValues(name);
for (String value : vals) {
- if (isInvalidParam(value)) {
+ if (isInvalidParamLmt(value)) {
// should be safe to log the uri, as we've already run isInvalidURI() on it
log.warn("Blocking request due to known XSS content in parameter=" + name + " for uri=" + hreq.getRequestURI());
return true;
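Review bot: The callee swap on the changed line is not a plain rename — `isInvalidParam` now resolves to a method introduced by this commit with different semantics from the one that held that name before (the previous body lives on as `isInvalidParamLmt`), and the same is true of the swap in the following hunk; neither the log message nor a comment says that the only behavioral change is dropping the second URL decode. A one-line comment above the loop would make that auditable later, e.g. `// values from getParameterValues() are already URL-decoded by the container; decoding again corrupts literal '%' (GERONIMO-5384)` — the "already decoded" part is the assumption the fix rests on and should be confirmed against the servlet container in use. The enclosing method starts and ends outside this hunk.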
@@ -87,7 +87,7 @@ public class XSSHandler {
else {
String[] vals = hreq.getParameterValues(name);
for (String value : vals) {
- if (isInvalidString(value)) {
+ if (isInvalidParam(value)) {
// should be safe to log the uri, as we've already run isInvalidURI() on it
log.warn("Blocking request due to potential XSS content in parameter=" + name + " for uri=" + hreq.getRequestURI());
return true;
@@ -119,9 +119,25 @@ public class XSSHandler {
}
return false;
}
+
+ /**
+ * This is a copy of isInvalidString expect the elimination of URLDecoder.
+ * Searches the given string for any < or " instances
+ * @param value
+ * @return true if we find < or " anywhere in the string, otherwise false
+ */
+ private boolean isInvalidParam(String value) {
+ if (value != null) {
+ String s = value.toLowerCase();
+ if ((s.indexOf('<') != -1) || (s.indexOf('"') != -1)) {
+ return true;
+ }
+ }
+ return false;
+ }
/**
- * More limited version of the isInvalidString() method, in which we only
+ * More limited version of the isInvalidParam() method, in which we only
* check for: <script, <img, <iframe, <div and style= tags in the string.
* @param value
* @return true if we find:
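Review bot: The `toLowerCase()` call in the new `isInvalidParam` does no work, since the only characters it looks for are `<` and `"`, which have no case; the body can be `if (value != null && (value.indexOf('<') != -1 || value.indexOf('"') != -1)) { return true; }`. The Javadoc also has a typo ("expect" for "except") and, because the name `isInvalidParam` previously belonged to the tag-specific check that this commit renames to `isInvalidParamLmt`, the first sentence should say so to stop a reader from confusing the two, e.g. `Full check (any < or ") without URL decoding; the former isInvalidParam is now isInvalidParamLmt.` Whether `isInvalidString` still has callers is not visible in this hunk.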
@@ -129,32 +145,26 @@ public class XSSHandler {
* 2) style= anywhere in the string
* else false
*/
- private boolean isInvalidParam(String value) {
+ private boolean isInvalidParamLmt(String value) {
if (value != null) {
- try {
- String s = URLDecoder.decode(value, "UTF-8").toLowerCase();
- int offset = s.indexOf('<');
- while (offset != -1) {
- // increment past the "<"
- offset++;
- // if we found a start tag in the param, lets dig deeper...
- if (containsScript(s, offset) || containsImg(s, offset) ||
- containsIframe(s, offset) || containsDiv(s, offset)) {
- // we found a hit
- return true;
- }
- else {
- // look for another set of tags in the string
- offset = s.indexOf('<', offset);
- }
+ String s = value.toLowerCase();
+ int offset = s.indexOf('<');
+ while (offset != -1) {
+ // increment past the "<"
+ offset++;
+ // if we found a start tag in the param, lets dig deeper...
+ if (containsScript(s, offset) || containsImg(s, offset) ||
+ containsIframe(s, offset) || containsDiv(s, offset)) {
+ // we found a hit
+ return true;
+ }
+ else {
+ // look for another set of tags in the string
+ offset = s.indexOf('<', offset);
}
- // also need to check for style= usage
- return(containsStyle(s));
- }
- catch (UnsupportedEncodingException uee) {
- // should never happen
- log.error("URLDecoder.decode(UTF8) failed.", uee);
}
+ // also need to check for style= usage
+ return(containsStyle(s));
}
return false;
}
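Review bot: `value.toLowerCase()` on the new `String s = value.toLowerCase();` line uses the JVM default locale, so the tag matching that follows becomes locale-dependent; under a default locale where upper-case I does not map to i (the Turkish locales are the standard Java example) a tag spelled in upper case would presumably not match the lower-case names `containsScript`/`containsImg`/`containsIframe`/`containsDiv` compare against, and the check would pass it. Use `String s = value.toLowerCase(Locale.ROOT);`, which needs `java.util.Locale` imported at the top of the file (outside this hunk); the same call without a locale appears in the new `isInvalidParam` in the previous hunk, where it is harmless but worth aligning. The helpers `containsScript`, `containsImg`, `containsIframe`, `containsDiv` and `containsStyle` are outside the hunk, so how they compare is inferred from their names.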