Author: markt
Date: Mon Mar 23 21:39:48 2009
New Revision: 757557
URL: http://svn.apache.org/viewvc?rev=757557&view=rev
Log:
Use a filter rather than a valve to add a default character set.
Added:
tomcat/trunk/java/org/apache/catalina/filters/
tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
(with props)
tomcat/trunk/webapps/docs/config/filters.xml (with props)
Removed:
tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
Modified:
tomcat/trunk/webapps/docs/config/project.xml
Added:
tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java?rev=757557&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
(added)
+++ tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
Mon Mar 23 21:39:48 2009
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+
+/**
+ * Filter that explicitly sets the default character set for media subtypes of
+ * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
+ * use ISO-8859-1 in these circumstances. However, browsers may attempt to
+ * auto-detect the character set. This may be exploited by an attacker to
+ * perform an XSS attack. Internet Explorer has this behaviour by default.
Other
+ * browsers have an option to enable it.
+ *
+ * This filter prevents the attack by explicitly setting a character set.
Unless
+ * the provided character set is explicitly overridden by the user - in which
+ * case they deserve everything they get - the browser will adhere to an
+ * explicitly set character set, thus preventing the XSS attack.
+ */
+public class AddDefaultCharsetFilter implements Filter {
+
+ public void destroy() {
+ // NOOP
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ // Wrap the response
+ if (response instanceof HttpServletResponse) {
+ ResponseWrapper wrapped =
+ new ResponseWrapper((HttpServletResponse)response);
+ chain.doFilter(request, wrapped);
+ } else {
+ chain.doFilter(request, response);
+ }
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // NOOP
+ }
+
+ /**
+ * Wrapper that adds the default character set for text media types if no
+ * character set is specified.
+ */
+ public class ResponseWrapper extends HttpServletResponseWrapper {
+
+ @Override
+ public void setContentType(String ct) {
+
+ if (ct != null && ct.startsWith("text/") &&
+ ct.indexOf("charset=") < 0) {
+ // Use getCharacterEncoding() in case the charset has already
+ // been set by a separate call.
+ super.setContentType(ct + ";charset=" +
getCharacterEncoding());
+ } else {
+ super.setContentType(ct);
+ }
+
+ }
+
+ public ResponseWrapper(HttpServletResponse response) {
+ super(response);
+ }
+
+ }
+}
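Review bot: The `text/` and `charset=` checks in `ResponseWrapper.setContentType` are case-sensitive, while media types and their parameter names are case-insensitive in HTTP, so a value like `Text/html; CHARSET=UTF-8` would get a second charset appended and a response typed `TEXT/plain` would get none, defeating the filter's purpose on exactly the inputs it is meant to harden. Comparing a lower-cased copy closes this: `String lc = ct == null ? null : ct.toLowerCase(Locale.ENGLISH);` followed by `if (lc != null && lc.startsWith("text/") && lc.indexOf("charset=") < 0) {` (with `java.util.Locale` imported). The wrapper only intercepts `setContentType`; whether a `setHeader("Content-Type", ...)` or `addHeader` call made through the wrapper reaches the same path depends on the wrapped response, so that limitation deserves a comment in the class Javadoc, e.g. `// NOTE: only setContentType() is intercepted; Content-Type set via setHeader()/addHeader() bypasses this wrapper`. As a point of style, `ResponseWrapper` uses no filter state and could be declared `static`.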
Propchange:
tomcat/trunk/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: tomcat/trunk/webapps/docs/config/filters.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filters.xml?rev=757557&view=auto
==============================================================================
--- tomcat/trunk/webapps/docs/config/filters.xml (added)
+++ tomcat/trunk/webapps/docs/config/filters.xml Mon Mar 23 21:39:48 2009
@@ -0,0 +1,90 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE document [
+ <!ENTITY project SYSTEM "project.xml">
+]>
+<document url="filter.html">
+
+ &project;
+
+ <properties>
+ <title>Container Provided Filters</title>
+ </properties>
+
+<body>
+
+
+<section name="Introduction">
+
+ <p>Tomcat provides a number of <strong>Filters</strong> which may be
+ configured for use with all web applications using
+ <code>$CATALINA_BASE/conf/web.xml</code> or may be configured for individual
+ web applications by configuring them in the application's
+ <code>WEB-INF/web.xml</code>. Each filter is described below.</p>
+
+ <blockquote><em>
+ <p>This description uses the variable name $CATALINA_BASE to refer the
+ base directory against which most relative paths are resolved. If you have
+ not configured Tomcat for multiple instances by setting a CATALINA_BASE
+ directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
+ the directory into which you have installed Tomcat.</p>
+ </em></blockquote>
+
+</section>
+
+
+<section name="Add Default Character Set Filter">
+
+ <subsection name="Introduction">
+
+ <p>The HTTP specification is clear that if no character set is specified
for
+ media sub-types of the "text" media type, the ISO-8859-1 character set must
+ be used. However, browsers may attempt to auto-detect the character set.
+ This may be exploited by an attacker to perform an XSS attack. Internet
+ Explorer has this behaviour by default. Other browsers have an option to
+ enable it.</p>
+
+ <p>This filter prevents the attack by explicitly setting a character set.
+ Unless the provided character set is explicitly overridden by the user the
+ browser will adhere to the explicitly set character set, thus preventing
the
+ XSS attack.</p>
+
+ </subsection>
+
+ <subsection name="Filter Class Name">
+
+ <p>The filter class name for the Add Default Character Set Filter is
+ <strong><code>org.apache.catalina.filters.AddDefaultCharsetFilter</code>
+ </strong>.</p>
+
+ </subsection>
+
+ <subsection name="Initialisation parameters">
+
+ <p>The Add Default Character Set Filter does not support any initialisation
+ parameters</p>
+
+ </subsection>
+
+</section>
+
+
+</body>
+
+
+</document>
Propchange: tomcat/trunk/webapps/docs/config/filters.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/trunk/webapps/docs/config/filters.xml
------------------------------------------------------------------------------
svn:keywords = Date Revision Author Id
Modified: tomcat/trunk/webapps/docs/config/project.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/project.xml?rev=757557&r1=757556&r2=757557&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/project.xml (original)
+++ tomcat/trunk/webapps/docs/config/project.xml Mon Mar 23 21:39:48 2009
@@ -61,6 +61,7 @@
<item name="Realm" href="realm.html"/>
<item name="Resources" href="resources.html"/>
<item name="Valve" href="valve.html"/>
+ <item name="Filters" href="filters.html"/>
</menu>
<menu name="Cluster Elements">