Author: etnu
Date: Fri Apr 10 22:26:28 2009
New Revision: 764087
URL: http://svn.apache.org/viewvc?rev=764087&view=rev
Log:
Fixed an XSS hole in gadget rendering servlet that could be triggered by
formatted error messages. The primary risk with the exploit was in compromising
locked domain protection.
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java?rev=764087&r1=764086&r2=764087&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServlet.java
Fri Apr 10 22:26:28 2009
@@ -25,6 +25,8 @@
import com.google.inject.Inject;
+import org.apache.commons.lang.StringEscapeUtils;
+
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
@@ -76,7 +78,7 @@
resp.getWriter().print(results.getContent());
break;
case ERROR:
- resp.getWriter().print(results.getErrorMessage());
+
resp.getWriter().print(StringEscapeUtils.escapeHtml(results.getErrorMessage()));
break;
case MUST_REDIRECT:
resp.sendRedirect(results.getRedirect().toString());
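Review bot: The escaped print on the ERROR branch carries no comment saying why the message is escaped while the OK branch on the line above is not, and the next reader may "simplify" it back; I would add `// Error text can echo request-controlled input; escape it so it cannot run script on the locked domain.` above the print. `StringEscapeUtils.escapeHtml` is only sufficient for element-content context, which is what this branch does, so a second comment noting that the message must never be inserted into an attribute or script context without further escaping would help. As far as this hunk shows, the error body is still sent with the same status and content type as a successful render; if the surrounding `doGet` (which starts outside the hunk) does not set an error status for this case, consider whether it should so that intermediaries do not cache the error as gadget content.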
Modified:
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java?rev=764087&r1=764086&r2=764087&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/GadgetRenderingServletTest.java
Fri Apr 10 22:26:28 2009
@@ -87,6 +87,19 @@
}
@Test
+ public void errorsAreEscaped() throws Exception {
+ servlet.setRenderer(renderer);
+ expect(renderer.render(isA(GadgetContext.class)))
+
.andReturn(RenderingResults.error("busted<script>alert(document.domain)</script>"));
+ control.replay();
+
+ servlet.doGet(request, recorder);
+
+ assertEquals("busted<script>alert(document.domain)</script>",
+ recorder.getResponseAsString());
+ }
+
+ @Test
public void outputEncodingIsUtf8() throws Exception {
servlet.setRenderer(renderer);
expect(renderer.render(isA(GadgetContext.class)))
@@ -100,7 +113,7 @@
assertEquals("text/html", recorder.getContentType());
assertEquals(NON_ASCII_STRING, recorder.getResponseAsString());
}
-
+
@Test
public void refreshParameter_specified() throws Exception {
servlet.setRenderer(renderer);
@@ -111,7 +124,7 @@
servlet.doGet(request, recorder);
assertEquals("private,max-age=1000", recorder.getHeader("Cache-Control"));
}
-
+
@Test
public void refreshParameter_default() throws Exception {
servlet.setRenderer(renderer);