I'm not sure where the problem was coming from; the last time I used Jetspeed I couldn't make sense of the hidden form in the pages, but my guess is that the solution should not come from negatively filtering output to this form.
A common norm about HTML sanitization is that it should be done positively, i.e., allowing explicitly whatever is needed, and never negatively, because it is far easier to leave a hole that will be used for a new attack. Can anybody explain what this hidden form, where the attack is performed, is for? What output is expected there?...

Regards
Santiago

On Fri, 02-03-2007 at 22:06 +0000, [EMAIL PROTECTED] wrote:
> Author: ate > Date: Fri Mar 2 14:06:45 2007 > New Revision: 513987 > > URL: http://svn.apache.org/viewvc?view=rev&rev=513987 > Log: > Simple fix for blocking issue JS2-626: Cross-Site Scripting (XSS) > vulnerability. > The reported vulnerability is now resolved: in case of such an attack, HTTP > Status 400 (SC_BAD_REQUEST) will be returned. > > Added: > > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > (with props) > Modified: > portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml > > Added: > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > URL: > http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?view=auto&rev=513987 > ============================================================================== > --- > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > (added) > +++ > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > Fri Mar 2 14:06:45 2007 
> @@ -0,0 +1,63 @@ > +/* > + * Copyright 2007 The Apache Software Foundation. > + * > + * Licensed under the Apache License, Version 2.0 (the "License"); > + * you may not use this file except in compliance with the License. > + * You may obtain a copy of the License at > + * > + * http://www.apache.org/licenses/LICENSE-2.0 > + * > + * Unless required by applicable law or agreed to in writing, software > + * distributed under the License is distributed on an "AS IS" > + * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or > implied. > + * See the License for the specific language governing permissions and > + * limitations under the License. > + */ > +package org.apache.jetspeed.engine.servlet; > + > +import java.io.IOException; > + > +import javax.servlet.Filter; > +import javax.servlet.FilterChain; > +import javax.servlet.FilterConfig; > +import javax.servlet.ServletException; > +import javax.servlet.ServletRequest; > +import javax.servlet.ServletResponse; > +import javax.servlet.http.HttpServletRequest; > +import javax.servlet.http.HttpServletResponse; > + > +/** > + * Simple XXS Url attack protection blocking access whenever the request url > contains a < or > character. 
> + * @version $Id$ > + * > + */ > +public class XXSUrlAttackFilter implements Filter > +{ > + public void init(FilterConfig config) throws ServletException > + { > + } > + > + public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, > + ServletException > + { > + if (request instanceof HttpServletRequest) > + { > + HttpServletRequest hreq = (HttpServletRequest) request; > + if (isInvalid(hreq.getQueryString()) || > isInvalid(hreq.getRequestURI())) > + { > + ((HttpServletResponse) > response).sendError(HttpServletResponse.SC_BAD_REQUEST); > + } > + } > + chain.doFilter(request, response); > + } > + > + private boolean isInvalid(String value) > + { > + return (value != null && (value.indexOf('<') != -1 || > value.indexOf('>') != -1 || value.indexOf("%3e") != -1 > + || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 > || value.indexOf("%3E") != -1)); > + } > + > + public void destroy() > + { > + } > +} > > Propchange: > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > ------------------------------------------------------------------------------ > svn:eol-style = native > > Propchange: > portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java > ------------------------------------------------------------------------------ > svn:keywords = Id > > Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml > URL: > http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=513987&r1=513986&r2=513987 > ============================================================================== > --- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original) > +++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Fri Mar 2 14:06:45 > 2007 
> @@ -32,6 +32,11 @@ > </context-param> > > <filter> > + <filter-name>XXSUrlAttackFilter</filter-name> > + > <filter-class>org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter</filter-class> > + </filter> > + > + <filter> > <filter-name>staticResourceCachingFilter</filter-name> > > <filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class> > <init-param> > @@ -41,9 +46,15 @@ > </filter> > > <filter-mapping> > + <filter-name>XXSUrlAttackFilter</filter-name> > + <url-pattern>/*</url-pattern> > + </filter-mapping> > + > + <filter-mapping> > <filter-name>staticResourceCachingFilter</filter-name> > <servlet-name>default</servlet-name> > - </filter-mapping> > + </filter-mapping> > + > <!-- > <filter> > <filter-name>PortalFilter</filter-name> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
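Review bot: in the XXSUrlAttackFilter.java hunk (@@ -0,0 +1,63 @@), doFilter calls sendError(HttpServletResponse.SC_BAD_REQUEST) and then falls through to chain.doFilter(request, response) unconditionally, so a rejected request is still passed down the chain; add `return;` directly after the sendError call (or put the chain call in an else branch). In isInvalid the last two disjuncts both test "%3E", so the upper-case "%3C" spelling is never checked even though the lower-case "%3c" is; the duplicate should read `value.indexOf("%3C") != -1`. Because the check runs on the raw query string and URI rather than on a decoded value, every spelling variant has to be enumerated by hand, which is exactly the deny-list weakness the reply above points out; decoding once and then validating the parameters the portal actually consumes against an allow-list of expected characters would not depend on that enumeration. Finally, the class name and the javadoc say "XXS" where "XSS" (Cross-Site Scripting, as in the log message) is meant.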
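Review bot: in the web.xml hunk at @@ -41,9 +46,15 @@, the new filter-mapping for XXSUrlAttackFilter uses `<url-pattern>/*</url-pattern>` with no `<dispatcher>` element; if this web.xml declares Servlet 2.4 or later, the filter then runs only for client requests (the REQUEST dispatcher) and not for FORWARD or INCLUDE dispatches. That is adequate for a check on the URL the client sent, but a one-line comment next to the mapping stating that this is intentional would keep a later reader from adding dispatcher entries that re-run sendError on an already committed response.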
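The reply argues for positive (allow-list) validation instead of enumerating bad characters. As an added illustration, not part of the Jetspeed patch or of either message in this thread, the class below validates one request parameter (a hypothetical page-path value that the portal would later write into its hidden form) by decoding it once and accepting only a fixed character set; the class, method names, the assumed parameter shape and the sample values are all constructed for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Pattern;

/**
 * Hypothetical allow-list validator for a request parameter. Added example;
 * not code from the Jetspeed project.
 */
public class AllowListParamValidator {

    /* Assumed shape of a page-path parameter: letters, digits, '_', '.', '/', '-',
     * with a bounded length. Anything outside this set, including '<' and '>' in
     * any encoding, is rejected without having to be listed. */
    private static final Pattern PAGE_PATH =
        Pattern.compile("^[A-Za-z0-9_./-]{1,256}$");

    /** Decode exactly once, then accept only a value that fully matches the allow-list. */
    public static boolean isValidPagePath(String rawValue) {
        if (rawValue == null) {
            return false;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(rawValue, "UTF-8");
        } catch (IllegalArgumentException e) {
            return false; // malformed percent-escape: reject rather than guess
        } catch (UnsupportedEncodingException e) {
            return false; // cannot happen for UTF-8, but the API declares it
        }
        // A value that is still percent-encoded after one decode contains '%',
        // which is not in the allow-list, so double encoding is rejected as well.
        return PAGE_PATH.matcher(decoded).matches();
    }

    /** How a filter or action would consult the validator; 400 mirrors the commit's SC_BAD_REQUEST. */
    public static int statusFor(String rawValue) {
        return isValidPagePath(rawValue) ? 200 : 400;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real request.
        String[] samples = {
            "default-page",        // accepted: plain page name
            "folder%2Fsub_page",   // accepted: encoded '/' decodes to an allowed character
            "page%3Cname",         // rejected: decodes to '<', which is not in the allow-list
            "page%253Cname",       // rejected: double-encoded, '%' survives the single decode
            "page%ZZ",             // rejected: malformed escape
            ""                     // rejected: empty
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + statusFor(s));
        }
    }
}
```

The design point is that the validator never needs a list of dangerous spellings: the regular expression names the characters the form expects, and every other byte sequence, encoded or not, fails the match. Each parameter gets its own pattern sized to what that parameter actually carries.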
