larryi 2003/02/16 15:14:01 Modified: src/examples/WEB-INF/classes CookieExample.java CookieExample1.java RequestHeaderExample.java RequestInfoExample.java RequestParamExample.java SessionExample.java SnoopServlet.java src/examples/jsp/cal cal1.jsp calendar.html src/examples/jsp/checkbox checkresult.jsp src/examples/jsp/sessions carts.jsp src/examples/jsp/snp snoop.jsp Added: src/examples/WEB-INF/classes/util HTMLFilter.java Log: Fix cross site scripting vulnerabilities. Mostly a port of Remy's fixes from Tomcat 4.1.x. Revision Changes Path 1.2 +13 -8 jakarta-tomcat/src/examples/WEB-INF/classes/CookieExample.java Index: CookieExample.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/CookieExample.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- CookieExample.java 9 Oct 1999 00:19:59 -0000 1.1 +++ CookieExample.java 16 Feb 2003 23:13:59 -0000 1.2 @@ -8,6 +8,8 @@ import javax.servlet.*; import javax.servlet.http.*; +import util.HTMLFilter; + /** * Example servlet showing request headers * @@ -50,13 +52,15 @@ out.println("<h3>" + title + "</h3>"); Cookie[] cookies = request.getCookies(); - if (cookies.length > 0) { + if ((cookies != null) && (cookies.length > 0)) { out.println(rb.getString("cookies.cookies") + "<br>"); for (int i = 0; i < cookies.length; i++) { Cookie cookie = cookies[i]; - out.print("Cookie Name: " + cookie.getName() + "<br>"); - out.println(" Cookie Value: " + cookie.getValue() + - "<br><br>"); + out.print("Cookie Name: " + HTMLFilter.filter(cookie.getName()) + + "<br>"); + out.println(" Cookie Value: " + + HTMLFilter.filter(cookie.getValue()) + + "<br><br>"); } } else { out.println(rb.getString("cookies.no-cookies")); 
@@ -69,9 +73,10 @@ response.addCookie(cookie); out.println("<P>"); out.println(rb.getString("cookies.set") + "<br>"); - out.print(rb.getString("cookies.name") + " " + cookieName + - "<br>"); - out.print(rb.getString("cookies.value") + " " + cookieValue); + out.print(rb.getString("cookies.name") + " " + + HTMLFilter.filter(cookieName) + "<br>"); + out.print(rb.getString("cookies.value") + " " + + HTMLFilter.filter(cookieValue)); } out.println("<P>"); 1.3 +22 -11 jakarta-tomcat/src/examples/WEB-INF/classes/CookieExample1.java Index: CookieExample1.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/CookieExample1.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- CookieExample1.java 26 Dec 2000 22:46:39 -0000 1.2 +++ CookieExample1.java 16 Feb 2003 23:13:59 -0000 1.3 @@ -8,6 +8,8 @@ import javax.servlet.*; import javax.servlet.http.*; +import util.HTMLFilter; + /** * Example servlet showing request headers * 
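Review bot: The filter here protects only the echoed confirmation text; the Cookie built from the `cookieName`/`cookieValue` request parameters (constructed before this hunk) is still sent unchanged through `response.addCookie(cookie)` on the first context line. Whether this servlet API version rejects separators or control characters in a cookie name or value is not visible in the hunk, so the limit of the fix deserves a comment above the `addCookie` call, e.g. `// HTMLFilter guards only the HTML echo below, not the Set-Cookie header built from these parameters`. The same pattern appears in CookieExample1's @@ -97,9 +107,10 @@ hunk. The enclosing method begins and ends outside this hunk.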
@@ -50,16 +52,24 @@ out.println("<h3>" + title + "</h3>"); Cookie[] cookies = request.getCookies(); - if (cookies.length > 0) { + if ((cookies != null) && (cookies.length > 0)) { out.println(rb.getString("cookies.cookies") + "<br>"); for (int i = 0; i < cookies.length; i++) { Cookie cookie = cookies[i]; - out.print("Cookie Name: " + cookie.getName() + "<br>"); - out.print("Cookie Value: " + cookie.getValue() + "<br>"); - out.println("Cookie Version: " + cookie.getVersion() + "<br>"); - out.println("Cookie Domain: " + cookie.getDomain() + "<br>"); - out.println("Cookie Path: " + cookie.getPath() + "<br>"); - out.println("<br>"); + out.print("Cookie Name: " + HTMLFilter.filter(cookie.getName()) + + "<br>"); + out.println(" Cookie Value: " + + HTMLFilter.filter(cookie.getValue()) + + "<br><br>"); + out.println("Cookie Version: " + cookie.getVersion() + + "<br>"); + out.println("Cookie Domain: " + + HTMLFilter.filter(cookie.getDomain()) + + "<br>"); + out.println("Cookie Path: " + + HTMLFilter.filter(cookie.getPath()) + + "<br>"); + out.println("<br>"); } } else { out.println(rb.getString("cookies.no-cookies")); 
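Review bot: The rewritten `Cookie Value` line now begins with a space and ends with `"<br><br>"`, apparently pasted from CookieExample, whereas the removed line ended with a single `"<br>"`; with `Cookie Version` printed immediately after, this inserts a blank line in the middle of each cookie's block, and the trailing `out.println("<br>")` already separates cookies. `out.println("Cookie Value: " + HTMLFilter.filter(cookie.getValue()) + "<br>");` restores the previous layout while keeping the filtering. The enclosing method begins and ends outside this hunk.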
@@ -97,9 +107,10 @@ response.addCookie(cookie); out.println("<P>"); out.println(rb.getString("cookies.set") + "<br>"); - out.print(rb.getString("cookies.name") + " " + cookieName + - "<br>"); - out.print(rb.getString("cookies.value") + " " + cookieValue); + out.print(rb.getString("cookies.name") + " " + + HTMLFilter.filter(cookieName) + "<br>"); + out.print(rb.getString("cookies.value") + " " + + HTMLFilter.filter(cookieValue)); } out.println("<P>"); 1.2 +8 -3 jakarta-tomcat/src/examples/WEB-INF/classes/RequestHeaderExample.java Index: RequestHeaderExample.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/RequestHeaderExample.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- RequestHeaderExample.java 9 Oct 1999 00:19:59 -0000 1.1 +++ RequestHeaderExample.java 16 Feb 2003 23:13:59 -0000 1.2 @@ -8,6 +8,8 @@ import javax.servlet.*; import javax.servlet.http.*; +import util.HTMLFilter; + /** * Example servlet showing request headers * 
@@ -53,8 +55,11 @@ while (e.hasMoreElements()) { String headerName = (String)e.nextElement(); String headerValue = request.getHeader(headerName); - out.println("<tr><td bgcolor=\"#CCCCCC\">" + headerName); - out.println("</td><td>" + headerValue + "</td></tr>"); + out.println("<tr><td bgcolor=\"#CCCCCC\">"); + out.println(HTMLFilter.filter(headerName)); + out.println("</td><td>"); + out.println(HTMLFilter.filter(headerValue)); + out.println("</td></tr>"); } out.println("</table>"); } 1.3 +4 -3 jakarta-tomcat/src/examples/WEB-INF/classes/RequestInfoExample.java Index: RequestInfoExample.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/RequestInfoExample.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- RequestInfoExample.java 7 Dec 2001 05:15:10 -0000 1.2 +++ RequestInfoExample.java 16 Feb 2003 23:13:59 -0000 1.3 @@ -8,6 +8,7 @@ import javax.servlet.*; import javax.servlet.http.*; +import util.HTMLFilter; /** * Example servlet showing request information. @@ -58,7 +59,7 @@ out.println("</td></tr><tr><td>"); out.println(rb.getString("requestinfo.label.requesturi")); out.println("</td><td>"); - out.println(request.getRequestURI()); + out.println(HTMLFilter.filter(request.getRequestURI())); out.println("</td></tr><tr><td>"); out.println(rb.getString("requestinfo.label.protocol")); out.println("</td><td>"); 
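Review bot: The hunk's last lines open the protocol cell, presumably filled by `request.getProtocol()` just past the hunk, and that value is printed raw although, like the request URI filtered here, it is a token taken from the client's request line. Whether the container normalises the protocol string is not visible from the hunk, so filtering it the same way, `out.println(HTMLFilter.filter(request.getProtocol()));`, is the cheaper assumption. The enclosing method begins and ends outside this hunk.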
@@ -66,7 +67,7 @@ out.println("</td></tr><tr><td>"); out.println(rb.getString("requestinfo.label.pathinfo")); out.println("</td><td>"); - out.println(request.getPathInfo()); + out.println(HTMLFilter.filter(request.getPathInfo())); out.println("</td></tr><tr><td>"); out.println(rb.getString("requestinfo.label.remoteaddr")); out.println("</td><td>"); 1.2 +4 -4 jakarta-tomcat/src/examples/WEB-INF/classes/RequestParamExample.java Index: RequestParamExample.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/RequestParamExample.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- RequestParamExample.java 9 Oct 1999 00:20:00 -0000 1.1 +++ RequestParamExample.java 16 Feb 2003 23:13:59 -0000 1.2 @@ -8,7 +8,7 @@ import javax.servlet.*; import javax.servlet.http.*; - +import util.HTMLFilter; /** * Example servlet showing request headers @@ -58,9 +58,9 @@ out.println(rb.getString("requestparams.params-in-req") + "<br>"); if (firstName != null || lastName != null) { out.println(rb.getString("requestparams.firstname")); - out.println(" = " + firstName + "<br>"); + out.println(" = " + HTMLFilter.filter(firstName) + "<br>"); out.println(rb.getString("requestparams.lastname")); - out.println(" = " + lastName); + out.println(" = " + HTMLFilter.filter(lastName)); } else { out.println(rb.getString("requestparams.no-params")); } 1.4 +4 -3 jakarta-tomcat/src/examples/WEB-INF/classes/SessionExample.java Index: SessionExample.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/SessionExample.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- SessionExample.java 6 Mar 2001 21:29:46 -0000 1.3 +++ SessionExample.java 16 Feb 2003 23:13:59 -0000 1.4 
@@ -8,7 +8,7 @@ import javax.servlet.*; import javax.servlet.http.*; - +import util.HTMLFilter; /** * Example servlet showing request headers @@ -82,7 +82,8 @@ while (names.hasMoreElements()) { String name = (String) names.nextElement(); String value = session.getAttribute(name).toString(); - out.println(name + " = " + value + "<br>"); + out.println(HTMLFilter.filter(name) + " = " + + HTMLFilter.filter(value) + "<br>"); } } 1.3 +15 -14 jakarta-tomcat/src/examples/WEB-INF/classes/SnoopServlet.java Index: SnoopServlet.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/SnoopServlet.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- SnoopServlet.java 15 Oct 1999 21:31:48 -0000 1.2 +++ SnoopServlet.java 16 Feb 2003 23:13:59 -0000 1.3 @@ -7,6 +7,7 @@ import java.util.Enumeration; import javax.servlet.*; import javax.servlet.http.*; +import util.HTMLFilter; /** * 
@@ -58,21 +59,21 @@ while (e.hasMoreElements()) { String key = (String)e.nextElement(); Object value = request.getAttribute(key); - out.println(" " + key + " = " + value); + out.println(" " + HTMLFilter.filter(key) + " = " + value); } out.println(); out.println("Servlet Name: " + getServletName()); out.println("Protocol: " + request.getProtocol()); out.println("Scheme: " + request.getScheme()); - out.println("Server Name: " + request.getServerName()); + out.println("Server Name: " + HTMLFilter.filter(request.getServerName())); out.println("Server Port: " + request.getServerPort()); out.println("Server Info: " + context.getServerInfo()); out.println("Remote Addr: " + request.getRemoteAddr()); out.println("Remote Host: " + request.getRemoteHost()); - out.println("Character Encoding: " + request.getCharacterEncoding()); + out.println("Character Encoding: " + HTMLFilter.filter(request.getCharacterEncoding())); out.println("Content Length: " + request.getContentLength()); - out.println("Content Type: "+ request.getContentType()); - out.println("Locale: "+ request.getLocale()); + out.println("Content Type: "+ HTMLFilter.filter(request.getContentType())); + out.println("Locale: "+ HTMLFilter.filter(request.getLocale().toString())); out.println("Default Response Buffer: "+ response.getBufferSize()); out.println(); out.println("Parameter names in this request:"); @@ -80,9 +81,9 @@ while (e.hasMoreElements()) { String key = (String)e.nextElement(); String[] values = request.getParameterValues(key); - out.print(" " + key + " = "); + out.print(" " + HTMLFilter.filter(key) + " = "); for(int i = 0; i < values.length; i++) { - out.print(values[i] + " "); + out.print(HTMLFilter.filter(values[i]) + " "); } out.println(); } 
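Review bot: On the first changed line the attribute name is filtered but `value`, the request attribute object, is still concatenated raw, while the session-attribute loop in this file's @@ -129,7 +130,7 @@ hunk filters the whole line including the value. Request attributes are normally set server-side, but for consistency `out.println(HTMLFilter.filter(" " + key + " = " + value));` would match the other loops. If this servlet's response is plain text (the content type is set outside the hunk), the escaped output will show `&lt;` literally rather than `<`, which is harmless but worth a comment. The enclosing method begins and ends outside this hunk.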
@@ -92,14 +93,14 @@ while (e.hasMoreElements()) { String key = (String)e.nextElement(); String value = request.getHeader(key); - out.println(" " + key + ": " + value); + out.println(HTMLFilter.filter(" " + key + ": " + value)); } out.println(); out.println("Cookies in this request:"); Cookie[] cookies = request.getCookies(); for (int i = 0; i < cookies.length; i++) { Cookie cookie = cookies[i]; - out.println(" " + cookie.getName() + " = " + cookie.getValue()); + out.println(HTMLFilter.filter(" " + cookie.getName() + " = " + cookie.getValue())); } out.println(); @@ -110,14 +111,14 @@ out.println("Request URI: " + request.getRequestURI()); out.println("Context Path: " + request.getContextPath()); out.println("Servlet Path: " + request.getServletPath()); - out.println("Path Info: " + request.getPathInfo()); + out.println("Path Info: " + HTMLFilter.filter(request.getPathInfo())); out.println("Path Trans: " + request.getPathTranslated()); - out.println("Query String: " + request.getQueryString()); + out.println("Query String: " + HTMLFilter.filter(request.getQueryString())); out.println(); HttpSession session = request.getSession(); out.println("Requested Session Id: " + - request.getRequestedSessionId()); + HTMLFilter.filter(request.getRequestedSessionId())); out.println("Current Session Id: " + session.getId()); out.println("Session Created Time: " + session.getCreationTime()); out.println("Session Last Accessed Time: " + 
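Review bot: `request.getCookies()` is still iterated without a null check on the context line `for (int i = 0; i < cookies.length; i++)`, although this same commit adds `(cookies != null) && (cookies.length > 0)` to CookieExample and CookieExample1; a request carrying no Cookie header throws a NullPointerException here. Wrapping the loop in `if (cookies != null) { ... }` fixes it. In the following hunk (@@ -110,14 +111,14 @@) `request.getRequestURI()` and `request.getPathTranslated()` are still printed raw, although RequestInfoExample filters `getRequestURI()` in this commit and path-translated derives from the path info that is filtered two lines later. The enclosing method begins and ends outside this hunk.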
@@ -129,7 +130,7 @@ Enumeration names = session.getAttributeNames(); while (names.hasMoreElements()) { String name = (String) names.nextElement(); - out.println(" " + name + " = " + session.getAttribute(name)); + out.println(HTMLFilter.filter(" " + name + " = " + session.getAttribute(name))); } } } 1.1 jakarta-tomcat/src/examples/WEB-INF/classes/util/HTMLFilter.java Index: HTMLFilter.java =================================================================== /* * $Header: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/util/HTMLFilter.java,v 1.1 2003/02/16 23:14:00 larryi Exp $ * $Revision: 1.1 $ * $Date: 2003/02/16 23:14:00 $ * * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. 
Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package util; /** * HTML filter utility. * * @author Craig R. McClanahan * @author Tim Tye * @version $Revision: 1.1 $ */ public final class HTMLFilter { /** * Filter the specified message string for characters that are sensitive * in HTML. This avoids potential attacks caused by including JavaScript * codes in the request URL that is often reported in error messages. 
* * @param message The message string to be filtered */ public static String filter(String message) { if (message == null) return (null); char content[] = new char[message.length()]; message.getChars(0, message.length(), content, 0); StringBuffer result = new StringBuffer(content.length + 50); for (int i = 0; i < content.length; i++) { switch (content[i]) { case '<': result.append("<"); break; case '>': result.append(">"); break; case '&': result.append("&"); break; case '"': result.append("""); break; default: result.append(content[i]); } } return (result.toString()); } } 1.3 +3 -3 jakarta-tomcat/src/examples/jsp/cal/cal1.jsp Index: cal1.jsp =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/cal/cal1.jsp,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- cal1.jsp 20 Oct 1999 20:39:18 -0000 1.2 +++ cal1.jsp 16 Feb 2003 23:14:00 -0000 1.3 @@ -45,7 +45,7 @@ <%= entr.getHour() %> </A> </TD> <TD BGCOLOR=<%= entr.getColor() %>> - <%= entr.getDescription() %> + <% out.print(util.HTMLFilter.filter(entr.getDescription())); %> </TD> </TR> <% @@ -58,8 +58,8 @@ <!-- footer --> <TABLE WIDTH=60% BGCOLOR=yellow CELLPADDING=15> <TR> -<TD ALIGN=CENTER> <%= table.getName() %> : - <%= table.getEmail() %> </TD> +<TD ALIGN=CENTER> <% out.print(util.HTMLFilter.filter(table.getName())); %> : + <% out.print(util.HTMLFilter.filter(table.getEmail())); %> </TD> </TR> </TABLE> </CENTER> 1.4 +2 -2 jakarta-tomcat/src/examples/jsp/cal/calendar.html Index: calendar.html =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/cal/calendar.html,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- calendar.html 10 Mar 2001 03:00:54 -0000 1.3 +++ calendar.html 16 Feb 2003 23:14:00 -0000 1.4 
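Review bot: As rendered here every `case` in `filter` appends the very character it matched — `result.append("<")` for `'<'`, and `result.append(""")` for `'"'` is not even valid Java — so the listing reads as an identity filter; presumably the archive decoded the entity references and the committed source reads `&lt;`, `&gt;`, `&amp;` and `&quot;`. While there, `'` should be escaped as `&#39;` so the output is also safe inside single-quoted attribute values, and the intermediate `char[]` copy can be replaced by `charAt`. The Javadoc should also state where the result is safe to place: element text and quoted attribute values, not unquoted attributes, URLs or script blocks.
```java
public static String filter(String message) {
    if (message == null) return (null);
    StringBuffer result = new StringBuffer(message.length() + 50);
    for (int i = 0; i < message.length(); i++) {
        char c = message.charAt(i);
        switch (c) {
        case '<':  result.append("&lt;");   break;
        case '>':  result.append("&gt;");   break;
        case '&':  result.append("&amp;");  break;
        case '"':  result.append("&quot;"); break;
        case '\'': result.append("&#39;");  break; // keeps single-quoted attributes intact
        default:   result.append(c);
        }
    }
    return (result.toString());
}
```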
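Review bot: The filtered scriptlets in both cal1.jsp hunks sit in element text, where HTMLFilter's escaping is sufficient, but the unchanged line just above the first change, `<TD BGCOLOR=<%= entr.getColor() %>>`, is an unquoted attribute, where escaping `<>&"` does not help because a space already ends the value. Whether `getColor()` can carry user input is not visible here; quoting the attribute and filtering the value, `<TD BGCOLOR="<% out.print(util.HTMLFilter.filter(entr.getColor())); %>">`, removes the question.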
@@ -13,9 +13,9 @@ <p><font color="#0000FF"><a href="login.html"><img src="../../images/execute.gif" align="right" border="0"></a><a href="../index.html"><img src="../../images/return.gif" width="24" height="24" align="right" border="0"></a></font></p> <h2> Source Code for Calendar Example. <br> -<h3><a href="/examples/jsp/source.jsp?/jsp/cal/cal1.jsp">cal1.jsp<font color="#0000FF"></a> +<h3><a href="cal1.txt">cal1.jsp<font color="#0000FF"></a> </font> </h3> -<h3><a href="/examples/jsp/source.jsp?/jsp/cal/cal2.jsp">cal2.jsp<font color="#0000FF"></a> +<h3><a href="cal2.txt">cal2.jsp<font color="#0000FF"></a> </font> </h3> <br> 1.3 +2 -2 jakarta-tomcat/src/examples/jsp/checkbox/checkresult.jsp Index: checkresult.jsp =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/checkbox/checkresult.jsp,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- checkresult.jsp 20 Oct 1999 20:39:52 -0000 1.2 +++ checkresult.jsp 16 Feb 2003 23:14:00 -0000 1.3 @@ -22,7 +22,7 @@ %> <li> <% - out.println (fruits[i]); + out.println (util.HTMLFilter.filter(fruits[i])); } } else out.println ("none selected"); %> @@ -42,7 +42,7 @@ %> <li> <% - out.println (fruits[i]); + out.println (util.HTMLFilter.filter(fruits[i])); } } else out.println ("none selected"); %> 1.3 +1 -1 jakarta-tomcat/src/examples/jsp/sessions/carts.jsp Index: carts.jsp =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/sessions/carts.jsp,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- carts.jsp 20 Oct 1999 23:20:11 -0000 1.2 +++ carts.jsp 16 Feb 2003 23:14:00 -0000 1.3 
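Review bot: The two links now point at `cal1.txt` and `cal2.txt`, but no such files are added or modified by this commit (the file list at the top names only cal1.jsp and calendar.html under jsp/cal), so unless they already exist in the tree both links are dead. If the intent is to stop serving JSP source through source.jsp, the .txt copies need to be committed alongside this change.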
@@ -19,7 +19,7 @@ String[] items = cart.getItems(); for (int i=0; i<items.length; i++) { %> -<li> <%= items[i] %> +<li> <% out.print(util.HTMLFilter.filter(items[i])); %> <% } %> 1.5 +3 -3 jakarta-tomcat/src/examples/jsp/snp/snoop.jsp Index: snoop.jsp =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/snp/snoop.jsp,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- snoop.jsp 10 Jun 2000 14:33:32 -0000 1.4 +++ snoop.jsp 16 Feb 2003 23:14:01 -0000 1.5 @@ -15,11 +15,11 @@ <br> Servlet path: <%= request.getServletPath() %> <br> -Path info: <%= request.getPathInfo() %> +Path info: <% out.print(util.HTMLFilter.filter(request.getPathInfo())); %> <br> Path translated: <%= request.getPathTranslated() %> <br> -Query string: <%= request.getQueryString() %> +Query string: <% out.print(util.HTMLFilter.filter(request.getQueryString())); %> <br> Content length: <%= request.getContentLength() %> <br> @@ -39,7 +39,7 @@ <br> Locale: <%= request.getLocale() %> <hr> -The browser you are using is <%= request.getHeader("User-Agent") %> +The browser you are using is <% out.print(util.HTMLFilter.filter(request.getHeader("User-Agent"))); %> <hr> </font> </body>
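Review bot: `Path translated: <%= request.getPathTranslated() %>` stays unfiltered between the two changed lines of snoop.jsp's first hunk, yet it is derived from the same path info that is now filtered, and `Servlet path: <%= request.getServletPath() %>` above it is likewise request-derived. `Path translated: <% out.print(util.HTMLFilter.filter(request.getPathTranslated())); %>` matches the style of the surrounding changes. The same raw `getPathTranslated()` appears in SnoopServlet's @@ -110,14 +111,14 @@ hunk.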