marcusschiesser opened a new pull request, #988:
URL: https://github.com/apache/tomcat/pull/988

   ## Summary
   
   Escape the current directory label and parent label in `DefaultServlet` HTML directory listings.
   
   This fixes a stored XSS issue in shared-hosting or otherwise untrusted-content deployments where directory listings are enabled and an attacker can influence listed directory names.
   
   ## Attack scenario
   
   1. An untrusted content publisher can create directories under a served path.
   2. Directory listings are enabled for that shared content root.
   3. The attacker creates a directory named `<img src=x onerror=fetch('/manager/text/list',{credentials:'include'})>`.
   4. An operator browses the listing page to inspect uploaded content.
   5. Tomcat renders the directory name unescaped in the generated listing page.
   6. The browser executes the injected JavaScript in the origin of that site.
   
   ## Changes
   
   - escape the current directory label in the generated listing title and heading
   - escape the parent directory label in the generated listing breadcrumb
   - add a regression test for malicious directory labels in `TestDefaultServlet`
   
   ## Verification
   
   - `ant test-compile test-only -Dtest.entry=org.apache.catalina.servlets.TestDefaultServlet`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
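
The scenario and fix described in the PR, as an added example that is not code from the PR or from Tomcat. It is written in Python rather than Tomcat's Java so it runs without the Tomcat tree: a toy listing renderer in its vulnerable form (labels interpolated raw into title, heading and breadcrumb) beside its hardened form (labels HTML-escaped, href paths percent-encoded then attribute-escaped), plus the kind of oracle a regression test for malicious directory labels needs. The first label reuses the payload quoted in the PR; the other labels, all function and class names, and the page layout are constructed assumptions, not Tomcat's markup or API.

```python
"""Added example, not code from the Tomcat PR: a toy HTML directory-listing
renderer in its vulnerable and hardened forms, plus a regression oracle for
malicious directory labels.  All names, the constructed labels and the page
layout are assumptions for illustration."""

import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker-controlled directory names.  The first is the payload
# quoted in the PR; the second closes <title> early so that a following
# <script> is parsed as markup rather than as title text.
MALICIOUS_DIR = "<img src=x onerror=fetch('/manager/text/list',{credentials:'include'})>"
TITLE_BREAKOUT = "</title><script>alert(1)</script>"
EDGE_CASE_LABELS = [MALICIOUS_DIR, TITLE_BREAKOUT, "a&b", "normal-dir"]


def _rows(current_dir, entries):
    """Child entries are escaped in both forms so the example isolates the two
    labels the PR is about: the current directory and its parent."""
    return "".join(
        f'<li><a href="{html.escape(quote(current_dir + "/" + e))}">'
        f"{html.escape(e)}</a></li>"
        for e in entries
    )


def render_listing_unescaped(current_dir, parent_dir, entries):
    """'Before' form, deliberately vulnerable: both labels are interpolated raw
    into the title, the heading and the breadcrumb link text."""
    return (
        f"<html><head><title>Directory Listing For {current_dir}</title></head>"
        f"<body><h1>Directory Listing For {current_dir} - "
        f'<a href="{html.escape(quote(parent_dir))}">Up To {parent_dir}</a></h1>'
        f"<ul>{_rows(current_dir, entries)}</ul></body></html>"
    )


def render_listing_escaped(current_dir, parent_dir, entries):
    """'After' form: every label is escaped for the context it lands in.

    html.escape() with its default quote=True also turns " and ' into
    entities, so one call is safe for element content and for double-quoted
    attribute values.  Path data that lands in href is percent-encoded first
    and then attribute-escaped: two different encodings for two contexts."""
    cur_label = html.escape(current_dir)
    par_label = html.escape(parent_dir)
    par_href = html.escape(quote(parent_dir))
    return (
        f"<html><head><title>Directory Listing For {cur_label}</title></head>"
        f"<body><h1>Directory Listing For {cur_label} - "
        f'<a href="{par_href}">Up To {par_label}</a></h1>'
        f"<ul>{_rows(current_dir, entries)}</ul></body></html>"
    )


class _ActiveContentScanner(HTMLParser):
    """Records script-bearing elements and on* event-handler attributes that
    survive as real markup.  Escaped labels only ever reach handle_data, so a
    hardened page yields no findings even though the text 'onerror=' is in it."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe", "svg", "object", "embed"):
            self.findings.add(f"<{tag}>")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.add(f"{tag}@{name}")


def active_content(page):
    """Sorted list of findings for one rendered page; empty means clean."""
    scanner = _ActiveContentScanner()
    scanner.feed(page)
    scanner.close()
    return sorted(scanner.findings)


def leaks(render, labels):
    """Regression oracle: which labels reach the page as live markup when used
    as both the current and the parent directory label under `render`."""
    return [
        label for label in labels
        if active_content(render(label, "/" + label, ["readme.txt"]))
    ]


if __name__ == "__main__":
    for label in EDGE_CASE_LABELS:
        before = active_content(render_listing_unescaped(label, "/" + label, ["readme.txt"]))
        after = active_content(render_listing_escaped(label, "/" + label, ["readme.txt"]))
        print(f"{label!r:75} before={before} after={after}")
```

The oracle parses the rendered page instead of grepping it, because a string match on `onerror=` would flag the hardened page too: the attacker's text is still there, just as `&lt;img ... onerror=...&gt;` character data that no browser turns into an element. The `a&b` label is in the list for the opposite reason: escaping must not be skipped for "harmless-looking" names, since a bare `&` followed by letters is itself an entity prefix.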

