markt 2005/01/05 03:54:37
Modified: catalina/src/share/org/apache/catalina/servlets HTMLManagerServlet.java ManagerServlet.java
Log:
Fix trivial (since it is within the manager web app that should not be publically accessible) XSS issue. - Ported from TC5.
Revision Changes Path
1.19 +4 -2 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/HTMLManagerServlet.java
Index: HTMLManagerServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/HTMLManagerServlet.java,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- HTMLManagerServlet.java 26 Aug 2004 21:38:13 -0000 1.18
+++ HTMLManagerServlet.java 5 Jan 2005 11:54:37 -0000 1.19
@@ -34,6 +34,7 @@
 import javax.servlet.http.HttpServletResponse;
 import org.apache.catalina.Context;
 import org.apache.catalina.Host;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.fileupload.DiskFileUpload;
@@ -110,7 +111,8 @@
 message = stop(path);
 } else {
 message =
- sm.getString("managerServlet.unknownCommand", command);
+ sm.getString("managerServlet.unknownCommand",
+ RequestUtil.filter(command));
 }
 list(request, response, message);
1.35 +26 -14 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java
Index: ManagerServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/ManagerServlet.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- ManagerServlet.java 26 Aug 2004 21:38:13 -0000 1.34
+++ ManagerServlet.java 5 Jan 2005 11:54:37 -0000 1.35
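Review bot: The new `RequestUtil.filter(command)` in the -110 hunk is the only thing standing between a request-supplied value and the page that list() renders, yet nothing on the line records that, so a later cleanup could drop it as redundant; a short comment on the added line would pin the intent: `// command comes from the request and is echoed into the HTML page; escape it`. If list() writes the message into the response verbatim (it is outside the hunk, so this is an inference), escaping once inside list() rather than at each call site would also cover every other message string that reaches it. The enclosing dispatch method starts and ends outside this hunk.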
@@ -53,6 +53,7 @@
 import org.apache.catalina.UserDatabase;
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.core.StandardServer;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;
 import org.apache.naming.resources.ProxyDirContext;
@@ -455,7 +456,8 @@
 // Validate the requested context path
 if ((path == null) || path.length() == 0 || !path.startsWith("/")) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -644,7 +646,7 @@
 if (path == null || path.length() == 0 || !path.startsWith("/")) {
 writer.println(sm.getString("managerServlet.invalidPath",
- path));
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -724,7 +726,8 @@
 log("restart: Reloading web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -773,7 +776,8 @@
 log("remove: Removing web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -783,7 +787,8 @@
 try {
 Context context = deployer.findDeployedApp(path);
 if (context == null) {
- writer.println(sm.getString("managerServlet.noContext", displayPath));
+ writer.println(sm.getString("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 // It isn't possible for the manager to remove itself
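Review bot: In the -724 hunk the check that guards the newly escaped invalidPath message is weaker than the one at -455: `(!path.startsWith("/") && path.equals(""))` collapses to `path.equals("")`, because an empty string can never start with "/", so a path with no leading slash is not rejected here and presumably goes on to the deployer lookup that follows. The same condition is visible in the -773 hunk and again in the -977, -1040, -1084 and -1125 hunks further down; aligning all of them with the reload check, `if ((path == null) || path.length() == 0 || !path.startsWith("/")) {`, would make the branch this commit hardens actually fire for such input. Separately, the `log("restart: Reloading web application at '" + path + "'")` line above the check writes the raw, unvalidated path to the server log, which the response-side escaping added here does not cover; consider logging after validation or passing the path through the same filter. The enclosing methods start and end outside these hunks.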
@@ -977,7 +982,8 @@
 log("sessions: Session information for web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -986,7 +992,8 @@
 try {
 Context context = deployer.findDeployedApp(path);
 if (context == null) {
- writer.println(sm.getString("managerServlet.noContext", displayPath));
+ writer.println(sm.getString("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 writer.println(sm.getString("managerServlet.sessions", displayPath));
@@ -1040,7 +1047,8 @@
 log("start: Starting web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1050,7 +1058,8 @@
 try {
 Context context = deployer.findDeployedApp(path);
 if (context == null) {
- writer.println(sm.getString("managerServlet.noContext", displayPath));
+ writer.println(sm.getString("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 deployer.start(path);
@@ -1084,7 +1093,8 @@
 log("stop: Stopping web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
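Review bot: In the -986 hunk the noContext message is now escaped, but the context line right after the `if` block, `writer.println(sm.getString("managerServlet.sessions", displayPath));`, still writes `displayPath` unescaped. At that point the value has matched a deployed context, so the exposure is narrower than in the invalidPath branch, but leaving one echo of the same variable unfiltered two lines below a filtered one is the kind of inconsistency that gets copied into a less guarded branch later. Changing it to `writer.println(sm.getString("managerServlet.sessions", RequestUtil.filter(displayPath)));` keeps the method uniform. The enclosing method (the one logging "sessions: ...") starts and ends outside this hunk.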
@@ -1094,7 +1104,8 @@
 try {
 Context context = deployer.findDeployedApp(path);
 if (context == null) {
- writer.println(sm.getString("managerServlet.noContext", displayPath));
+ writer.println(sm.getString("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 // It isn't possible for the manager to stop itself
@@ -1125,7 +1136,8 @@
 log("undeploy: Undeploying web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1138,7 +1150,7 @@
 Context context = deployer.findDeployedApp(path);
 if (context == null) {
 writer.println(sm.getString("managerServlet.noContext",
- displayPath));
+ RequestUtil.filter(displayPath)));
 return;
 }