Author: markt Date: Tue Jun 24 14:27:37 2008 New Revision: 671351 URL: http://svn.apache.org/viewvc?rev=671351&view=rev Log: Provide belt and braces XSS protection. Really an app responsibility but worth protecting against in case the app forgets.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=671351&r1=671350&r2=671351&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Jun 24 14:27:37 2008 @@ -41,12 +41,6 @@ +1: markt, remm -1: -* Provide belt and braces XSS protection. Really an app responsbility but worth - protecting against in case the app forgets. - http://svn.apache.org/viewvc?rev=664483&view=rev - +1: markt, fhanik, remm - -1: - * Make fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=43285 optional Coercion of null and "" to zero can now be disabled if required Patch by Nils Eckert Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java?rev=671351&r1=671350&r2=671351&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/security/SecurityUtil.java Tue Jun 24 14:27:37 2008 @@ -40,5 +40,42 @@ return false; } - + + /** + * Filter the specified message string for characters that are sensitive + * in HTML. This avoids potential attacks caused by including JavaScript + * codes in the request URL that is often reported in error messages. + * + * @param message The message string to be filtered + */ + public static String filter(String message) { + + if (message == null) + return (null); + + char content[] = new char[message.length()]; + message.getChars(0, message.length(), content, 0); + StringBuffer result = new StringBuffer(content.length + 50); + for (int i = 0; i < content.length; i++) { + switch (content[i]) { + case '<': + result.append("<"); + break; + case '>': + result.append(">"); + break; + case '&': + result.append("&"); + break; + case '"': + result.append("""); + break; + default: + result.append(content[i]); + } + } + return (result.toString()); + + } + } Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=671351&r1=671350&r2=671351&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/servlet/JspServlet.java Tue Jun 24 14:27:37 2008 @@ -35,6 +35,7 @@ import org.apache.jasper.Options; import org.apache.jasper.compiler.JspRuntimeContext; import org.apache.jasper.compiler.Localizer; +import org.apache.jasper.security.SecurityUtil; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -311,8 +312,12 @@ if (includeRequestUri != null) { // This file was included. Throw an exception as // a response.sendError() will be ignored - throw new ServletException(Localizer.getMessage( - "jsp.error.file.not.found",jspUri)); + String msg = Localizer.getMessage( + "jsp.error.file.not.found",jspUri); + // Strictly, filtering this is an application + // responsibility but just in case... + throw new ServletException( + SecurityUtil.filter(msg)); } else { try { response.sendError( Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=671351&r1=671350&r2=671351&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Jun 24 14:27:37 2008 @@ -303,6 +303,12 @@ <bug>44994</bug>: Enable nested conditional expressions in JSP EL. Patch provided by James Manger. (markt) </fix> + <add> + Add HTML filtering of error messages for included resources in case the + app has tried to include an unsafe URL that does not exist. This is + really an app responsibility but the filtering has been added for XSS + safety. (markt) + </add> </changelog> </subsection> <subsection name="Webapps"> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]