Posted to dev@tomcat.apache.org by la...@apache.org on 2001/03/19 22:09:09 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/http HttpMessages.java
larryi 01/03/19 13:09:09
Modified: src/share/org/apache/tomcat/modules/generators
ErrorHandler.java
src/share/org/apache/tomcat/util/http HttpMessages.java
Log:
Port tomcat_32 security fix by Craig McClanahan
For Tomcat 3.2, fix the security vulnerability reported by Hiromitsu
Takagi. As with Tomcat 4.0, the problem is not related to JSP
specifically. It was caused by the fact that the original request URI was
included in the standard error page produced by Tomcat for errors like 404
(not found), which was the illustration in this case.
WARNING: Web apps that echo the request URI in their responses (either in
a standard response or in an error page) can be subject to this same kind
of vulnerability.
Revision Changes Path
1.9 +8 -7 jakarta-tomcat/src/share/org/apache/tomcat/modules/generators/ErrorHandler.java
Index: ErrorHandler.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/generators/ErrorHandler.java,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- ErrorHandler.java 2001/03/02 04:49:19 1.8
+++ ErrorHandler.java 2001/03/19 21:09:06 1.9
@@ -62,6 +62,7 @@
import org.apache.tomcat.core.*;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.qlog.Logger;
+import org.apache.tomcat.util.http.HttpMessages;
import java.io.*;
import java.net.*;
import java.util.*;
@@ -420,14 +421,14 @@
.append("</h1>\r\n");
buf.append(sm.getString("defaulterrorpage.originalrequest"))
.append(" ")
- .append( requestURI )
+ .append( HttpMessages.filter( requestURI ) )
.append("\r\n");
if ( null != requestURI && showDebugInfo ) {
buf.append("<br><br>\r\n<b>")
.append(sm.getString("defaulterrorpage.notfoundrequest"))
.append("</b> ")
- .append( requestURI )
+ .append( HttpMessages.filter( requestURI ) )
.append("\r\n");
}
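Review bot: `requestURI` is escaped separately at each append in this hunk, and the later ErrorHandler.java hunks repeat that pattern for `req.requestURI().toString()` and `errorURI`; escaping once into a local, e.g. `String safeURI = HttpMessages.filter( requestURI );`, and appending only that local would make it harder for a later edit to reintroduce an unescaped append. The first append also sits outside the `null != requestURI` guard, and since `filter` returns null for null input the page would show the literal text `null` there. The enclosing method starts and ends outside the hunk, so other values written into the same buffer are not visible here and should be checked for the same treatment.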
@@ -517,14 +518,14 @@
buf.append("<h2>")
.append(sm.getString("defaulterrorpage.location"))
.append(" ")
- .append(req.requestURI().toString())
+ .append( HttpMessages.filter( req.requestURI().toString() ) )
.append("</h2>");
if ( null != errorURI && showDebugInfo ) {
buf.append("\r\n<h2>")
.append(sm.getString("defaulterrorpage.errorlocation"))
.append(" ")
- .append(errorURI)
+ .append( HttpMessages.filter( errorURI ) )
.append("</h2>");
}
@@ -622,14 +623,14 @@
buf.append("<h2>")
.append(sm.getString("defaulterrorpage.location"))
.append(" ")
- .append(req.requestURI().toString())
+ .append( HttpMessages.filter( req.requestURI().toString() ) )
.append("</h2>");
if ( sc >= 400 && errorURI != null && showDebugInfo) {
buf.append("\r\n<h2>")
.append(sm.getString("defaulterrorpage.errorlocation"))
.append(" ")
- .append(errorURI)
+ .append( HttpMessages.filter( errorURI ) )
.append("</h2>");
}
@@ -714,7 +715,7 @@
append("</h1>\r\n").
append(sm.getString("defaulterrorpage.thisdocumenthasmoved")).
append(" <a href=\"").
- append(location).
+ append( HttpMessages.filter( location ) ).
append("\">here</a>.<p>\r\n</body>\r\n");
res.setContentLength(buf.length());
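Review bot: The `href` value built from `location` is HTML-escaped but its URL scheme is not checked, so escaping alone only prevents the value from breaking out of the double-quoted attribute. If `location` can ever carry request-derived data (its origin is outside this hunk), the redirect body should link only to relative or `http`/`https` targets and fall back to plain text otherwise. A short comment such as `// filter() only HTML-escapes; location must already be a trusted http(s) or relative URL` above the append would record that assumption. The enclosing method starts outside the hunk and continues past it.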
1.3 +37 -0 jakarta-tomcat/src/share/org/apache/tomcat/util/http/HttpMessages.java
Index: HttpMessages.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/http/HttpMessages.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- HttpMessages.java 2001/02/20 03:14:11 1.2
+++ HttpMessages.java 2001/03/19 21:09:08 1.3
@@ -114,4 +114,41 @@
}
return sm.getString("sc."+ status);
}
+
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+ }
+
}
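Review bot: `filter` does not escape the single quote, so its output is safe only in element content and double-quoted attribute values; the Javadoc should state that contract, or the switch should gain `case '\'': result.append("&#39;"); break;` to cover single-quoted attributes too. The Javadoc also lacks an `@return` line saying that the escaped string is returned and that null input yields null. As displayed on this page the four replacement literals read as the raw characters themselves, which is presumably the archive decoding the entity strings `&lt;`, `&gt;`, `&amp;` and `&quot;`; check them against the repository revision rather than this rendering.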