You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by la...@apache.org on 2001/03/19 22:09:09 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/http HttpMessages.java

larryi      01/03/19 13:09:09

  Modified:    src/share/org/apache/tomcat/modules/generators
                        ErrorHandler.java
               src/share/org/apache/tomcat/util/http HttpMessages.java
  Log:
  Port tomcat_32 security fix by Craig McClanahan
  
  For Tomcat 3.2, fix the security vulnerability reported by Hiromitsu
  Takagi.As with Tomcat 4.0, the problem is not related to JSP
  specifically.It was caused by the fact that the original request URI was
  included in the standard error page produced by Tomcat for errors like 404
  (not found), which was the illustration in this case.
  
  WARNING:Web apps that echo the request URI in their responses (either in
  a standard response or in an error page) can be subject to this same kind
  of vulnerability.
  
  Revision  Changes    Path
  1.9       +8 -7      jakarta-tomcat/src/share/org/apache/tomcat/modules/generators/ErrorHandler.java
  
  Index: ErrorHandler.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/generators/ErrorHandler.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- ErrorHandler.java	2001/03/02 04:49:19	1.8
  +++ ErrorHandler.java	2001/03/19 21:09:06	1.9
  @@ -62,6 +62,7 @@
   import org.apache.tomcat.core.*;
   import org.apache.tomcat.util.res.StringManager;
   import org.apache.tomcat.util.qlog.Logger;
  +import org.apache.tomcat.util.http.HttpMessages;
   import java.io.*;
   import java.net.*;
   import java.util.*;
  @@ -420,14 +421,14 @@
   	    .append("</h1>\r\n");
   	buf.append(sm.getString("defaulterrorpage.originalrequest"))
   	    .append(" ")
  -	    .append( requestURI )
  +	    .append( HttpMessages.filter( requestURI ) )
   	    .append("\r\n");
   
   	if ( null != requestURI && showDebugInfo ) {
   	    buf.append("<br><br>\r\n<b>")
   		.append(sm.getString("defaulterrorpage.notfoundrequest"))
   		.append("</b> ")
  -		.append( requestURI )
  +		.append( HttpMessages.filter( requestURI ) )
   		.append("\r\n");
   	}
   
  @@ -517,14 +518,14 @@
   	buf.append("<h2>")
   	    .append(sm.getString("defaulterrorpage.location"))
   	    .append(" ")
  -	    .append(req.requestURI().toString())
  +	    .append( HttpMessages.filter( req.requestURI().toString() ) )
   	    .append("</h2>");
   
   	if ( null != errorURI && showDebugInfo ) {
   	    buf.append("\r\n<h2>")
   		.append(sm.getString("defaulterrorpage.errorlocation"))
   		.append(" ")
  -		.append(errorURI)
  +		.append( HttpMessages.filter( errorURI ) )
   		.append("</h2>");
   	}
   
  @@ -622,14 +623,14 @@
   	buf.append("<h2>")
   	    .append(sm.getString("defaulterrorpage.location"))
   	    .append(" ")
  -	    .append(req.requestURI().toString())
  +	    .append( HttpMessages.filter( req.requestURI().toString() ) )
   	    .append("</h2>");
   
   	if ( sc >= 400 && errorURI != null && showDebugInfo) {
   	    buf.append("\r\n<h2>")
   		.append(sm.getString("defaulterrorpage.errorlocation"))
   		.append(" ")
  -		.append(errorURI)
  +		.append( HttpMessages.filter( errorURI ) )
   		.append("</h2>");
   	}
   
  @@ -714,7 +715,7 @@
   	    append("</h1>\r\n").
   	    append(sm.getString("defaulterrorpage.thisdocumenthasmoved")).
   	    append(" <a href=\"").
  -	    append(location).
  +	    append( HttpMessages.filter( location ) ).
   	    append("\">here</a>.<p>\r\n</body>\r\n");
   
   	res.setContentLength(buf.length());
  
  
  
  1.3       +37 -0     jakarta-tomcat/src/share/org/apache/tomcat/util/http/HttpMessages.java
  
  Index: HttpMessages.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/http/HttpMessages.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- HttpMessages.java	2001/02/20 03:14:11	1.2
  +++ HttpMessages.java	2001/03/19 21:09:08	1.3
  @@ -114,4 +114,41 @@
   	}
   	return sm.getString("sc."+ status);
       }
  +
  +    /**
  +     * Filter the specified message string for characters that are sensitive
  +     * in HTML.  This avoids potential attacks caused by including JavaScript
  +     * codes in the request URL that is often reported in error messages.
  +     *
  +     * @param message The message string to be filtered
  +     */
  +    public static String filter(String message) {
  +
  +	if (message == null)
  +	    return (null);
  +
  +	char content[] = new char[message.length()];
  +	message.getChars(0, message.length(), content, 0);
  +	StringBuffer result = new StringBuffer(content.length + 50);
  +	for (int i = 0; i < content.length; i++) {
  +	    switch (content[i]) {
  +	    case '<':
  +		result.append("&lt;");
  +		break;
  +	    case '>':
  +		result.append("&gt;");
  +		break;
  +	    case '&':
  +		result.append("&amp;");
  +		break;
  +	    case '"':
  +		result.append("&quot;");
  +		break;
  +	    default:
  +		result.append(content[i]);
  +	    }
  +	}
  +	return (result.toString());
  +    }
  +
   }