Author: taylor
Date: Fri Jul 24 01:20:24 2020
New Revision: 1880230
URL: http://svn.apache.org/viewvc?rev=1880230&view=rev
Log: strengthening XSS filters
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java Fri Jul 24 01:20:24 2020
@@ -65,11 +65,11 @@ public class XXSUrlAttackFilter implemen
 {
 if (xssRequestEnabled) {
 HttpServletRequest hreq = (HttpServletRequest) request;
- if (isInvalid(hreq.getQueryString())) {
+ if (isInvalidQuery(hreq.getQueryString())) {
 log.error("XSS attack query string found: " + hreq.getQueryString());
 ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
 }
- if (isInvalid(hreq.getRequestURI())) {
+ if (isInvalidUri(hreq.getRequestURI())) {
 log.error("XSS attack URI found: " + hreq.getRequestURI());
 ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
 }
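Review bot: Neither `sendError` call in this hunk is followed by a `return`, so when both the query-string check and the URI check fire, the second `sendError` is issued on a response that the Servlet API says should be treated as committed after the first one (an IllegalStateException on most containers), and whether the filter still calls `chain.doFilter` after a rejection is not visible here because the enclosing method starts before and ends after this hunk. Add `return;` after each `((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);` line, or fold the two tests into one `if (isInvalidQuery(hreq.getQueryString()) || isInvalidUri(hreq.getRequestURI()))` with a single rejection path. The unchanged `log.error` lines also echo the raw attacker-controlled query string and URI into the log; that predates this commit, but the log is then a sink in its own right and should be treated as one.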
@@ -83,7 +83,36 @@ public class XXSUrlAttackFilter implemen
 }
 }
- private boolean isInvalid(String value)
+ private boolean isInvalidQuery(String value)
+ {
+ if (value == null) {
+ return false;
+ }
+
+ // watch for invalid characters
+ if (value.indexOf('<') != -1 || value.indexOf('>') != -1 || value.indexOf("%3C") != -1
+ || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3e") != -1
+ || value.indexOf("//") != -1) {
+ return true;
+ }
+
+ // catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
+ String[] parts = value.split("&");
+ for (String part : parts) {
+ String queryValue = part.split("=")[1].replaceAll("%22", "\"");
+ if (queryValue.matches("^\"(.*)\"$")) {
+ // properly quoted query value
+ } else if (queryValue.indexOf('"') != -1) {
+ // something fishy
+ return true;
+ }
+ }
+
+ // looks valid to me
+ return false;
+ }
+
+ private boolean isInvalidUri(String value)
 {
 return (value != null && (value.indexOf('<') != -1 || value.indexOf('>') != -1 || value.indexOf("%3C") != -1
 || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3e") != -1));
Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties (original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties Fri Jul 24 01:20:24 2020
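Review bot: `part.split("=")[1]` in the new `isInvalidQuery` loop throws ArrayIndexOutOfBoundsException for any parameter without a value (`?debug`, or a trailing `a=`, since `split` drops trailing empty strings), turning an ordinary request into a 500 instead of a verdict, and because the split is unbounded only the text before the second `=` is inspected, so a value such as `jspage=x=%22;alert(1)` is never looked at; use `split("=", 2)` and skip pairs that have no value. The `matches("^\"(.*)\"$")` allowance then accepts any value that merely starts and ends with a quote, so the payload the comment cites passes unchanged once written as `jspage=%22;alert(/xss/);%22`; whether that is harmless depends entirely on how the sink embeds the value, which is not visible here, so any `"` in a value should be rejected unless a specific caller is documented as needing quoted values. Note also that the `//` test rejects legitimate values like `redirect=http://...` while `%2F%2F` passes, because only `%22` is decoded before inspection — this denylist is a second line of defence, not a substitute for output encoding at the sink. The rewritten loop below replaces the lines from `String[] parts` to the closing brace of the `for`.

```java
        // catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
        for (String part : value.split("&")) {
            // limit 2: a value may itself contain '=' (e.g. base64); [1] must see all of it
            String[] pair = part.split("=", 2);
            if (pair.length < 2) {
                continue; // bare flag such as '?debug' or a trailing 'a=' - nothing to inspect
            }
            String queryValue = pair[1].replace("%22", "\"");
            // any quote in a value is suspect: a value that merely starts and ends with
            // a quote is not "properly quoted" - ";alert(1);" fits that shape as well
            if (queryValue.indexOf('"') != -1) {
                return true;
            }
        }
        // … unchanged: trailing "looks valid to me" return false …
```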
@@ -448,7 +448,7 @@ preferences.user.enable = true
 # since 2.3.0
 #-------------------------------------------------------------------------
 xss.filter.request = true
-xss.filter.post = false
+xss.filter.post = true
 xss.filter.regexes = <script>(.*?)</script>
 xss.filter.flags = 2
 xss.filter.regexes = </script>
@@ -465,6 +465,8 @@ xss.filter.regexes = eval\\((.*?)\\)
 xss.filter.flags = 2 | 8 | 32
 xss.filter.regexes = expression\\((.*?)\\)
 xss.filter.flags = 2 | 8 | 32
+xss.filter.regexes = http(s?)://127.0.0.1
+xss.filter.flags = 2 | 8 | 32
 #-------------------------------------------------------------------------
 # Auto Refresh
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
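Review bot: The new pattern `http(s?)://127.0.0.1` is a denylist of a single spelling of the loopback address, so `localhost`, `127.1`, `127.0.0.2`, `0.0.0.0`, `[::1]`, `2130706433` and `0x7f000001` all slip past it; if the intent is to keep request values from pointing at the portal's own loopback interface, that is a check to make on the parsed host, not with a regex. Nothing in the file says what this entry is for, and with `xss.filter.post = true` flipped in the hunk above it presumably now applies to POST bodies as well, so add a comment above it such as `# reject request values that point at the loopback interface` stating the purpose. At minimum escape the dots the way the neighbouring entries escape their parentheses: `xss.filter.regexes = http(s?)://127\\.0\\.0\\.1`, since unescaped `.` matches any character.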