Author: markt
Date: Wed Jun 13 19:12:04 2007
New Revision: 547082
URL: http://svn.apache.org/viewvc?view=rev&rev=547082
Log:
Port fix for XSS issue in Manager and Host Manager. This is CVE-2007-2450.
Modified:
tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java
tomcat/container/tc5.5.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java
Modified:
tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java?view=diff&rev=547082&r1=547081&r2=547082
==============================================================================
---
tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java
(original)
+++
tomcat/container/tc5.5.x/webapps/host-manager/WEB-INF/classes/org/apache/catalina/hostmanager/HTMLHostManagerServlet.java
Wed Jun 13 19:12:04 2007
@@ -32,6 +32,7 @@
import org.apache.catalina.Container;
import org.apache.catalina.Host;
+import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.ServerInfo;
/**
@@ -195,7 +196,11 @@
// Message Section
args = new Object[3];
args[0] = sm.getString("htmlHostManagerServlet.messageLabel");
- args[1] = (message == null || message.length() == 0) ? "OK" : message;
+ if (message == null || message.length() == 0) {
+ args[1] = "OK";
+ } else {
+ args[1] = RequestUtil.filter(message);
+ }
writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
// Manager Section
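Review bot: The escaping is now done at the output sink, but nothing in the hunk records why `message` must be filtered here — it can carry request-derived text produced by the command handlers — so a later edit could drop the filter or add an unescaped argument without noticing; a one-line comment above the `if`, such as `// message may echo request data; escape at the sink so every producer is covered (CVE-2007-2450)`, would pin the intent. The same applies to the identical hunk at `@@ -282,7 +281,11 @@` in HTMLManagerServlet.java. `args[2]` is assigned outside the hunk, so I cannot see whether it is escaped as well. The enclosing method starts and ends outside the hunk.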
Modified:
tomcat/container/tc5.5.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java?view=diff&rev=547082&r1=547081&r2=547082
==============================================================================
---
tomcat/container/tc5.5.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java
(original)
+++
tomcat/container/tc5.5.x/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java
Wed Jun 13 19:12:04 2007
@@ -107,8 +107,7 @@
message = stop(path);
} else {
message =
- sm.getString("managerServlet.unknownCommand",
- RequestUtil.filter(command));
+ sm.getString("managerServlet.unknownCommand", command);
}
list(request, response, message);
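Review bot: Dropping `RequestUtil.filter(command)` here is only safe because `list()` now HTML-escapes the whole message before printing it, and that coupling is invisible at this line; a comment such as `// not escaped here: list() HTML-escapes message before output` would keep the next maintainer from reintroducing the filter (double-escaping) or routing this message to a different output without escaping. Other `sm.getString(...)` calls in this file that embed request values are outside the hunk, so I cannot tell whether every one of them flows through `list()`. The enclosing method starts and ends outside the hunk.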
@@ -282,7 +281,11 @@
// Message Section
args = new Object[3];
args[0] = sm.getString("htmlManagerServlet.messageLabel");
- args[1] = (message == null || message.length() == 0) ? "OK" : message;
+ if (message == null || message.length() == 0) {
+ args[1] = "OK";
+ } else {
+ args[1] = RequestUtil.filter(message);
+ }
writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
// Manager Section