Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/03/02 11:51:19 UTC

svn commit: r1825713 - in /tomcat/trunk: java/org/apache/catalina/manager/JMXProxyServlet.java webapps/docs/changelog.xml

Author: markt
Date: Fri Mar  2 11:51:19 2018
New Revision: 1825713

URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
Log:
Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when using the JMX proxy feature of the Manager application.
Based on a suggestion from Muthukumar Marikani.

Modified:
    tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri Mar  2 11:51:19 2018
@@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt
     public void doGet(HttpServletRequest request, HttpServletResponse response)
             throws IOException, ServletException {
         response.setContentType("text/plain");
+        // Stop older versions of IE thinking they know best. We set text/plain
+        // in the line above for a reason. IE's behaviour is unwanted at best
+        // and dangerous at worst.
+        response.setHeader("X-Content-Type-Options", "nosniff");
 
         PrintWriter writer = response.getWriter();
 

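Review bot: The context line response.setContentType("text/plain") directly above the new setHeader call still declares no charset, so nosniff pins the MIME type while the character encoding is left for the browser to work out. Declare the charset explicitly, in the style of the response.setContentType("text/plain;charset="+Constants.CHARSET) call quoted later in this thread. The new comment would also serve a maintainer better if it said what the header does (tells the browser not to content-sniff the body and to honour the declared text/plain) rather than only that IE's behaviour is unwanted.
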
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar  2 11:51:19 2018
@@ -157,6 +157,12 @@
         Add support for specifying the application version when deploying an
         application via the Manager application HTML interface. (markt)
       </add>
+      <add>
+        Work-around a known, non-specification compliant behaviour in some
+        versions of IE that can allow XSS when using the JMX proxy feature of
+        the Manager application. Based on a suggestion from Muthukumar Marikani.
+        (markt)
+      </add>
     </changelog>
   </subsection>
 </section>
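
Review bot: The new <add> entry does not say what was actually changed: it names neither the X-Content-Type-Options: nosniff header nor that it is sent with the JMX proxy's text/plain responses, so someone reading the changelog cannot tell what to look for in the response or whether a header already set in front of Tomcat covers the same ground. Suggest adding a short clause that names the header.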



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1825713 - in /tomcat/trunk: java/org/apache/catalina/manager/JMXProxyServlet.java webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
On 02/03/18 17:05, Mark Thomas wrote:
> On 02/03/18 15:33, Konstantin Kolinko wrote:
>> 2018-03-02 14:51 GMT+03:00  <ma...@apache.org>:
>>> Author: markt
>>> Date: Fri Mar  2 11:51:19 2018
>>> New Revision: 1825713
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
>>> Log:
>>> Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when using the JMX proxy feature of the Manager application.
>>> Based on a suggestion from Muthukumar Marikani.
>>
>> It may be worth adding the same to ManagerServlet, HostManagerServlet
>> that use text/plain as well.
> 
> I'm not sure. I'll take a closer look but the first one I looked at was
> HTML escaped because it is used by both Manager and HTMLManager.

It didn't take me long to find a route to an unescaped value. I'll
expand this work-around to cover all the Manager and Host Manager
servlets that return text/plain.

Mark



Re: svn commit: r1825713 - in /tomcat/trunk: java/org/apache/catalina/manager/JMXProxyServlet.java webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
On 02/03/18 15:33, Konstantin Kolinko wrote:
> 2018-03-02 14:51 GMT+03:00  <ma...@apache.org>:
>> Author: markt
>> Date: Fri Mar  2 11:51:19 2018
>> New Revision: 1825713
>>
>> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
>> Log:
>> Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when using the JMX proxy feature of the Manager application.
>> Based on a suggestion from Muthukumar Marikani.
> 
> It may be worth adding the same to ManagerServlet, HostManagerServlet
> that use text/plain as well.

I'm not sure. I'll take a closer look but the first one I looked at was
HTML escaped because it is used by both Manager and HTMLManager.

> Also ManagerServlet, HostManagerServlet have an explicit charset in
> their mime-type,
> response.setContentType("text/plain;charset="+Constants.CHARSET);

Good catch. I've added that to the JMX text output.

Mark

> 
> 
>> Modified:
>>     tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>>     tomcat/trunk/webapps/docs/changelog.xml
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri Mar  2 11:51:19 2018
>> @@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt
>>      public void doGet(HttpServletRequest request, HttpServletResponse response)
>>              throws IOException, ServletException {
>>          response.setContentType("text/plain");
>> +        // Stop older versions of IE thinking they know best. We set text/plain
>> +        // in the line above for a reason. IE's behaviour is unwanted at best
>> +        // and dangerous at worst.
>> +        response.setHeader("X-Content-Type-Options", "nosniff");
>>
>>          PrintWriter writer = response.getWriter();
>>
>>
>> Modified: tomcat/trunk/webapps/docs/changelog.xml
>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/docs/changelog.xml (original)
>> +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar  2 11:51:19 2018
>> @@ -157,6 +157,12 @@
>>          Add support for specifying the application version when deploying an
>>          application via the Manager application HTML interface. (markt)
>>        </add>
>> +      <add>
>> +        Work-around a known, non-specification compliant behaviour in some
>> +        versions of IE that can allow XSS when using the JMX proxy feature of
>> +        the Manager application. Based on a suggestion from Muthukumar Marikani.
>> +        (markt)
>> +      </add>
>>      </changelog>
>>    </subsection>
>>  </section>
>>
>>
>>




Re: svn commit: r1825713 - in /tomcat/trunk: java/org/apache/catalina/manager/JMXProxyServlet.java webapps/docs/changelog.xml

Posted by Konstantin Kolinko <kn...@gmail.com>.
2018-03-02 14:51 GMT+03:00  <ma...@apache.org>:
> Author: markt
> Date: Fri Mar  2 11:51:19 2018
> New Revision: 1825713
>
> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
> Log:
> Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when using the JMX proxy feature of the Manager application.
> Based on a suggestion from Muthukumar Marikani.

It may be worth adding the same to ManagerServlet, HostManagerServlet
that use text/plain as well.

Also ManagerServlet, HostManagerServlet have an explicit charset in
their mime-type,
response.setContentType("text/plain;charset="+Constants.CHARSET);


> Modified:
>     tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>     tomcat/trunk/webapps/docs/changelog.xml
>
> Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri Mar  2 11:51:19 2018
> @@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt
>      public void doGet(HttpServletRequest request, HttpServletResponse response)
>              throws IOException, ServletException {
>          response.setContentType("text/plain");
> +        // Stop older versions of IE thinking they know best. We set text/plain
> +        // in the line above for a reason. IE's behaviour is unwanted at best
> +        // and dangerous at worst.
> +        response.setHeader("X-Content-Type-Options", "nosniff");
>
>          PrintWriter writer = response.getWriter();
>
>
> Modified: tomcat/trunk/webapps/docs/changelog.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/changelog.xml (original)
> +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar  2 11:51:19 2018
> @@ -157,6 +157,12 @@
>          Add support for specifying the application version when deploying an
>          application via the Manager application HTML interface. (markt)
>        </add>
> +      <add>
> +        Work-around a known, non-specification compliant behaviour in some
> +        versions of IE that can allow XSS when using the JMX proxy feature of
> +        the Manager application. Based on a suggestion from Muthukumar Marikani.
> +        (markt)
> +      </add>
>      </changelog>
>    </subsection>
>  </section>
>
>
>
