Posted to jetspeed-dev@portals.apache.org by Santiago Gala <sg...@apache.org> on 2007/03/10 21:54:24 UTC
Re: svn commit: r513987 - in /portals/jetspeed-2/trunk:
components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
src/webapp/WEB-INF/web.xml
I'm not sure where the problem was coming from; the last time I used
Jetspeed I couldn't make sense of the hidden form in the pages, but my
guess is that the solution should not come from negatively filtering
output to this form.
A common norm about HTML sanitization is that it should be done
positively, i.e., explicitly allowing whatever is needed, and never
negatively, because it is far easier to leave a hole that will be used
for a new attack.
Can anybody explain what this hidden form, where the attack is
performed, is for? What output is expected there?
Regards
Santiago
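An added illustration of the positive check described above, written in Python rather than the project's Java so it runs stand-alone; it is not Jetspeed code. It transcribes the committed blocklist for comparison and beside it validates the raw URI and query string by decoding once and accepting only an explicit character set; that character set, and the sample requests, are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# The committed filter's check, transcribed from XXSUrlAttackFilter.isInvalid
# exactly as written: "%3E" appears twice and upper-case "%3C" is absent.
_BLOCKED_TOKENS = ("<", ">", "%3e", "%3c", "%3E", "%3E")


def blocklist_is_invalid(value):
    """Negative check: reject if any known-bad token occurs in the raw value."""
    return value is not None and any(tok in value for tok in _BLOCKED_TOKENS)


# Positive check: decode %XX escapes exactly once, as the container would, then
# require every character to be in an explicit set. A raw '<', a quote, a '%'
# left by a malformed or doubly-encoded escape, or a non-ASCII replacement
# character all fail, so no list of encodings ever has to be maintained.
# The character sets are an assumption chosen for this illustration
# (unreserved characters plus a few delimiters portal paths need); a real
# deployment would enumerate exactly what its own URLs use.
_PATH_OK = re.compile(r"/[A-Za-z0-9._~:@+,=/-]*")
_QUERY_OK = re.compile(r"[A-Za-z0-9._~:@+,=&/-]*")


def uri_is_allowed(raw_uri):
    """Accept a raw request URI only if its decoded form is entirely allowed."""
    if raw_uri is None:
        return False
    return _PATH_OK.fullmatch(unquote(raw_uri)) is not None


def query_is_allowed(raw_query):
    """Accept a raw query string; None means the request carried no query."""
    if raw_query is None:
        return True
    return _QUERY_OK.fullmatch(unquote(raw_query)) is not None


def request_is_allowed(raw_uri, raw_query):
    """Allowlist equivalent of the filter's decision for one request."""
    return uri_is_allowed(raw_uri) and query_is_allowed(raw_query)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for uri, query in (("/jetspeed/portal/default-page.psml", "a=1&b=two"),
                       ("/jetspeed/%3Cfoo", None),
                       ("/jetspeed/portal", 'q="x"')):
        blocked = blocklist_is_invalid(uri) or blocklist_is_invalid(query)
        print(uri, query, "blocklist rejects:", blocked,
              "allowlist accepts:", request_is_allowed(uri, query))
```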
On Fri, 02-03-2007 at 22:06 +0000, ate@apache.org wrote:
> Author: ate
> Date: Fri Mar 2 14:06:45 2007
> New Revision: 513987
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=513987
> Log:
> Simple fix for blocking issue JS2-626: Cross-Site Scripting (XSS) vulnerability.
> The reported vulnerability is now resolved: in case of such an attack, HTTP Status 400 (SC_BAD_REQUEST) will be returned.
>
> Added:
> portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java (with props)
> Modified:
> portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
>
> Added: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?view=auto&rev=513987
> ==============================================================================
> --- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java (added)
> +++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java Fri Mar 2 14:06:45 2007
> @@ -0,0 +1,63 @@
> +/*
> + * Copyright 2007 The Apache Software Foundation.
> + *
> + * Licensed under the Apache License, Version 2.0 (the "License");
> + * you may not use this file except in compliance with the License.
> + * You may obtain a copy of the License at
> + *
> + * http://www.apache.org/licenses/LICENSE-2.0
> + *
> + * Unless required by applicable law or agreed to in writing, software
> + * distributed under the License is distributed on an "AS IS"
> + * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> + * See the License for the specific language governing permissions and
> + * limitations under the License.
> + */
> +package org.apache.jetspeed.engine.servlet;
> +
> +import java.io.IOException;
> +
> +import javax.servlet.Filter;
> +import javax.servlet.FilterChain;
> +import javax.servlet.FilterConfig;
> +import javax.servlet.ServletException;
> +import javax.servlet.ServletRequest;
> +import javax.servlet.ServletResponse;
> +import javax.servlet.http.HttpServletRequest;
> +import javax.servlet.http.HttpServletResponse;
> +
> +/**
> + * Simple XXS Url attack protection blocking access whenever the request url contains a < or > character.
> + * @version $Id$
> + *
> + */
> +public class XXSUrlAttackFilter implements Filter
> +{
> + public void init(FilterConfig config) throws ServletException
> + {
> + }
> +
> + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
> + ServletException
> + {
> + if (request instanceof HttpServletRequest)
> + {
> + HttpServletRequest hreq = (HttpServletRequest) request;
> + if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI()))
> + {
> + ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
> + }
> + }
> + chain.doFilter(request, response);
> + }
> +
> + private boolean isInvalid(String value)
> + {
> + return (value != null && (value.indexOf('<') != -1 || value.indexOf('>') != -1 || value.indexOf("%3e") != -1
> + || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3E") != -1));
> + }
> +
> + public void destroy()
> + {
> + }
> +}
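Review bot: doFilter still calls chain.doFilter(request, response) after sendError(HttpServletResponse.SC_BAD_REQUEST), so a rejected request is answered with a 400 and then also passed down the chain on a committed response; add `return;` directly after the sendError call (or move chain.doFilter into an else branch). In isInvalid the last two terms both test "%3E" and upper-case "%3C" is never tested, so a URI carrying only an upper-case-encoded '<' is not caught; the final term should read value.indexOf("%3C") != -1. Minor: the class name and Javadoc say "XXS" where "XSS" is meant.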
>
> Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> ------------------------------------------------------------------------------
> svn:eol-style = native
>
> Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
> ------------------------------------------------------------------------------
> svn:keywords = Id
>
> Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
> URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=513987&r1=513986&r2=513987
> ==============================================================================
> --- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
> +++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Fri Mar 2 14:06:45 2007
> @@ -32,6 +32,11 @@
> </context-param>
>
> <filter>
> + <filter-name>XXSUrlAttackFilter</filter-name>
> + <filter-class>org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter</filter-class>
> + </filter>
> +
> + <filter>
> <filter-name>staticResourceCachingFilter</filter-name>
> <filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
> <init-param>
> @@ -41,9 +46,15 @@
> </filter>
>
> <filter-mapping>
> + <filter-name>XXSUrlAttackFilter</filter-name>
> + <url-pattern>/*</url-pattern>
> + </filter-mapping>
> +
> + <filter-mapping>
> <filter-name>staticResourceCachingFilter</filter-name>
> <servlet-name>default</servlet-name>
> - </filter-mapping>
> + </filter-mapping>
> +
> <!--
> <filter>
> <filter-name>PortalFilter</filter-name>
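Review bot: the `</filter-mapping>` closing the staticResourceCachingFilter mapping is removed and re-added with no visible difference, which reads as a whitespace-only edit; dropping that pair keeps the hunk to the new mapping. The /* url-pattern placed ahead of the staticResourceCachingFilter mapping is what makes the new filter run first for every request, so the ordering is deliberate and deserves a one-line comment in web.xml.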
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org