Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/03/02 18:45:28 UTC

svn commit: r1825738 - in /tomcat/trunk: java/org/apache/catalina/manager/JMXProxyServlet.java java/org/apache/catalina/manager/ManagerServlet.java java/org/apache/catalina/manager/host/HostManagerServlet.java webapps/docs/changelog.xml

Author: markt
Date: Fri Mar  2 18:45:28 2018
New Revision: 1825738

URL: http://svn.apache.org/viewvc?rev=1825738&view=rev
Log:
Extend work-around to all text/plain responses from Manager and Host Manager.

Modified:
    tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
    tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java
    tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825738&r1=1825737&r2=1825738&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri Mar  2 18:45:28 2018
@@ -88,7 +88,6 @@ public class JMXProxyServlet extends Htt
         // in the line above for a reason. IE's behaviour is unwanted at best
         // and dangerous at worst.
         response.setHeader("X-Content-Type-Options", "nosniff");
-
         PrintWriter writer = response.getWriter();
 
         if (mBeanServer == null) {

Modified: tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java?rev=1825738&r1=1825737&r2=1825738&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/ManagerServlet.java Fri Mar  2 18:45:28 2018
@@ -340,6 +340,10 @@ public class ManagerServlet extends Http
 
         // Prepare our output writer to generate the response message
         response.setContentType("text/plain; charset=" + Constants.CHARSET);
+        // Stop older versions of IE thinking they know best. We set text/plain
+        // in the line above for a reason. IE's behaviour is unwanted at best
+        // and dangerous at worst.
+        response.setHeader("X-Content-Type-Options", "nosniff");
         PrintWriter writer = response.getWriter();
 
         // Process the requested command
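Review bot: The four added lines (the comment plus `response.setHeader("X-Content-Type-Options", "nosniff")`) are a verbatim copy of the block in JMXProxyServlet and are repeated again further down this file, so the next adjustment to the header or its rationale has to be made in every copy and one is likely to be missed. Within this file at least, a small private helper that does both steps, `response.setContentType("text/plain; charset=" + Constants.CHARSET); response.setHeader("X-Content-Type-Options", "nosniff");`, called from each plain-text response path would keep them in step; whether JMXProxyServlet and HostManagerServlet can share it depends on where a common home exists, which is not visible here. The header is set before `getWriter()`, so it lands before the response can be committed, which is the right order. The enclosing method starts before and continues past this hunk.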
@@ -435,6 +439,10 @@ public class ManagerServlet extends Http
 
         // Prepare our output writer to generate the response message
         response.setContentType("text/plain;charset="+Constants.CHARSET);
+        // Stop older versions of IE thinking they know best. We set text/plain
+        // in the line above for a reason. IE's behaviour is unwanted at best
+        // and dangerous at worst.
+        response.setHeader("X-Content-Type-Options", "nosniff");
         PrintWriter writer = response.getWriter();
 
         // Process the requested command
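Review bot: The content type written here, `"text/plain;charset="+Constants.CHARSET`, differs only in spacing from the `"text/plain; charset=" + Constants.CHARSET` used in the earlier hunk; both are valid MIME strings, but the inconsistency makes it harder to grep for every plain-text response path that needs the nosniff header, which is exactly the class of omission this commit is closing. Suggest `response.setContentType("text/plain; charset=" + Constants.CHARSET);` so the two sites match. Note also that nosniff only helps browsers that honour the header: whatever request-derived text ends up in this body (the changelog entry's reference to XSS implies there is some) is presumably still written as-is, so the header is a mitigation, not a reason to treat the body as safe for arbitrary reflected input. The enclosing method starts before and continues past this hunk.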

Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java?rev=1825738&r1=1825737&r2=1825738&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java Fri Mar  2 18:45:28 2018
@@ -205,6 +205,10 @@ public class HostManagerServlet
 
         // Prepare our output writer to generate the response message
         response.setContentType("text/plain; charset=" + Constants.CHARSET);
+        // Stop older versions of IE thinking they know best. We set text/plain
+        // in the line above for a reason. IE's behaviour is unwanted at best
+        // and dangerous at worst.
+        response.setHeader("X-Content-Type-Options", "nosniff");
         PrintWriter writer = response.getWriter();
 
         // Process the requested command
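Review bot: The added comment frames the header purely as an IE quirk, but `X-Content-Type-Options: nosniff` is honoured by current Chromium- and Gecko-based browsers too, and the reason it matters on this path is that the plain-text body can carry request-supplied values (the changelog ties this change to XSS); the comment should say so, otherwise the next maintainer may drop the header once old IE is out of scope. Suggested wording: `// Response bodies here can include request-supplied values. nosniff stops browsers (historically IE) from sniffing this text/plain body as HTML and executing reflected markup.` The header is set before `getWriter()`, which is the correct order. The enclosing method starts before and continues past this hunk.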

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825738&r1=1825737&r2=1825738&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar  2 18:45:28 2018
@@ -159,8 +159,8 @@
       </add>
       <add>
         Work-around a known, non-specification compliant behaviour in some
-        versions of IE that can allow XSS when using the JMX proxy feature of
-        the Manager application. Based on a suggestion from Muthukumar Marikani.
+        versions of IE that can allow XSS when the Manager application generates
+        a plain text response. Based on a suggestion from Muthukumar Marikani.
         (markt)
       </add>
     </changelog>


