Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/06/23 10:44:25 UTC
svn commit: r1604714 - in /tomcat/trunk/webapps: docs/changelog.xml
examples/WEB-INF/classes/CookieExample.java
examples/WEB-INF/classes/util/CookieFilter.java
Author: markt
Date: Mon Jun 23 08:44:24 2014
New Revision: 1604714
URL: http://svn.apache.org/r1604714
Log:
Extend attempts at obfuscation to the Cookies example
Modified:
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/examples/WEB-INF/classes/CookieExample.java
tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1604714&r1=1604713&r2=1604714&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Jun 23 08:44:24 2014
@@ -59,8 +59,9 @@
(markt/kkolinko)
</scode>
<fix>
- Fix regression in <code>StandardContext.removeApplicationListener()</code>,
- introduced by the fix for bug <bug>56588</bug>. (kkolinko)
+ Fix regression in
+ <code>StandardContext.removeApplicationListener()</code>, introduced by
+ the fix for bug <bug>56588</bug>. (kkolinko)
</fix>
<fix>
<bug>56653</bug>: Fix concurrency issue with
@@ -82,6 +83,18 @@
</scode>
</changelog>
</subsection>
+ <subsection name="Web applications">
+ <changelog>
+ <fix>
+ Attempt to obfuscate session cookie values associated with other web
+ applications when viewing HTTP request headers with the Cookies example
+ from the examples web application. This reduces the opportunity to use
+ this example for malicious purposes should the advice to remove the
+ examples web application from security sensitive systems be ignored.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 8.0.9 (markt)">
<subsection name="Catalina">
Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/CookieExample.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/CookieExample.java?rev=1604714&r1=1604713&r2=1604714&view=diff
==============================================================================
--- tomcat/trunk/webapps/examples/WEB-INF/classes/CookieExample.java (original)
+++ tomcat/trunk/webapps/examples/WEB-INF/classes/CookieExample.java Mon Jun 23 08:44:24 2014
@@ -24,7 +24,9 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import util.CookieFilter;
import util.HTMLFilter;
/**
@@ -84,13 +86,19 @@ public class CookieExample extends HttpS
Cookie[] cookies = request.getCookies();
if ((cookies != null) && (cookies.length > 0)) {
+ HttpSession session = request.getSession(false);
+ String sessionId = null;
+ if (session != null) {
+ sessionId = session.getId();
+ }
out.println(RB.getString("cookies.cookies") + "<br>");
for (int i = 0; i < cookies.length; i++) {
Cookie cookie = cookies[i];
- out.print("Cookie Name: " + HTMLFilter.filter(cookie.getName())
- + "<br>");
+ String cName = cookie.getName();
+ String cValue = cookie.getValue();
+ out.print("Cookie Name: " + HTMLFilter.filter(cName) + "<br>");
out.println(" Cookie Value: "
- + HTMLFilter.filter(cookie.getValue())
+ + HTMLFilter.filter(CookieFilter.filter(cName, cValue, sessionId))
+ "<br><br>");
}
} else {
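Review bot: The `request.getSession(false)` call on the first added line deserves a why-comment, because a later edit to `getSession()` would make the cookie viewer silently create a session for every visitor; suggest `// getSession(false): never create a session just to display cookies`. The value handed to `CookieFilter.filter` is the raw cookie value and the result is then passed through `HTMLFilter.filter`, which is the right order (obfuscate, then escape); a short `// obfuscate first, then escape for HTML` on the `out.println` would make that ordering deliberate rather than incidental. The enclosing method starts and ends outside the hunk.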
Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java?rev=1604714&r1=1604713&r2=1604714&view=diff
==============================================================================
--- tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java (original)
+++ tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java Mon Jun 23 08:44:24 2014
@@ -40,14 +40,14 @@ public class CookieFilter {
// Hide default constructor
}
- public static String filter(String input, String sessionId) {
+ public static String filter(String cookieHeader, String sessionId) {
- StringBuilder sb = new StringBuilder(input.length());
+ StringBuilder sb = new StringBuilder(cookieHeader.length());
// Cookie name value pairs are ';' separated.
// Session IDs don't use ; in the value so don't worry about quoted
// values that contain ;
- StringTokenizer st = new StringTokenizer(input, ";");
+ StringTokenizer st = new StringTokenizer(cookieHeader, ";");
boolean first = true;
while (st.hasMoreTokens()) {
@@ -71,11 +71,15 @@ public class CookieFilter {
String name = input.substring(0, i);
String value = input.substring(i + 1, input.length());
- if (name.toLowerCase(Locale.ENGLISH).contains("jsessionid") &&
- (sessionId == null || !value.contains(sessionId))) {
- value = OBFUSCATED;
+ return name + "=" + filter(name, value, sessionId);
+ }
+
+ public static String filter(String cookieName, String cookieValue, String sessionId) {
+ if (cookieName.toLowerCase(Locale.ENGLISH).contains("jsessionid") &&
+ (sessionId == null || !cookieValue.contains(sessionId))) {
+ cookieValue = OBFUSCATED;
}
- return name + "=" + value;
+ return cookieValue;
}
}
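Review bot: The new three-argument `filter` has no Javadoc, and its contract is worth stating because the match is on the literal substring "jsessionid": a session cookie whose name another application changed through its session-config would be displayed in full, which is consistent with the "attempt" wording in the changelog but should be visible at the method. Suggest a Javadoc along the lines of `/** Returns the value to display for a cookie: OBFUSCATED when the name contains "jsessionid" (case-insensitive) and the value does not contain the caller's own session ID, otherwise the value unchanged. The caller is responsible for HTML escaping. */`. `cookieValue.contains(sessionId)` also dereferences the value without a check; if a null value can reach this method (nothing in the hunk rules it out), `(sessionId == null || cookieValue == null || !cookieValue.contains(sessionId))` would obfuscate rather than throw. The two-argument `filter` whose tail is shown here starts outside the hunk.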