You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/06/24 23:27:38 UTC
svn commit: r671351 - in /tomcat/tc6.0.x/trunk: STATUS.txt
java/org/apache/jasper/security/SecurityUtil.java
java/org/apache/jasper/servlet/JspServlet.java webapps/docs/changelog.xml
Author: markt
Date: Tue Jun 24 14:27:37 2008
New Revision: 671351
URL: http://svn.apache.org/viewvc?rev=671351&view=rev
Log:
Provide belt and braces XSS protection. Really an app responsibility but worth protecting against in case the app forgets.
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java
tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Jun 24 14:27:37 2008
@@ -41,12 +41,6 @@
+1: markt, remm
-1:
-* Provide belt and braces XSS protection. Really an app responsbility but worth
- protecting against in case the app forgets.
- http://svn.apache.org/viewvc?rev=664483&view=rev
- +1: markt, fhanik, remm
- -1:
-
* Make fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=43285 optional
Coercion of null and "" to zero can now be disabled if required
Patch by Nils Eckert
Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java Tue Jun 24 14:27:37 2008
@@ -40,5 +40,42 @@
return false;
}
-
+
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+
+ }
+
}
Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java Tue Jun 24 14:27:37 2008
@@ -35,6 +35,7 @@
import org.apache.jasper.Options;
import org.apache.jasper.compiler.JspRuntimeContext;
import org.apache.jasper.compiler.Localizer;
+import org.apache.jasper.security.SecurityUtil;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -311,8 +312,12 @@
if (includeRequestUri != null) {
// This file was included. Throw an exception as
// a response.sendError() will be ignored
- throw new ServletException(Localizer.getMessage(
- "jsp.error.file.not.found",jspUri));
+ String msg = Localizer.getMessage(
+ "jsp.error.file.not.found",jspUri);
+ // Strictly, filtering this is an application
+ // responsibility but just in case...
+ throw new ServletException(
+ SecurityUtil.filter(msg));
} else {
try {
response.sendError(
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=671351&r1=671350&r2=671351&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Jun 24 14:27:37 2008
@@ -303,6 +303,12 @@
<bug>44994</bug>: Enable nested conditional expressions in JSP EL. Patch
provided by James Manger. (markt)
</fix>
+ <add>
+ Add HTML filtering of error messages for included resources in case the
+ app has tried to include an unsafe URL that does not exist. This is
+ really an app responsibility but the filtering has been added for XSS
+ safety. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Webapps">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org