craigmcc    01/03/17 12:07:42

  Modified:    catalina/src/share/org/apache/catalina/core
                        StandardWrapperValve.java
  Log:
  For Tomcat 4.0, fix the security vulnerability reported by Hiromitsu
  Takagi.
  
  The problem actually has nothing to do with JSP pages per se -- it is due
  to the fact that the original request URI is included in the response on
  many of the standard error pages produced by Tomcat.  In the case at hand,
  it is the standard message for error 404 (not found).
  
  You can prove that it is not related to JSP by trying *any* URI that
  includes JavaScript code, and triggers a 404, such as:
  
  http://localhost:8080/examples/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz
  
  The fix is to filter the message string included in the response, so that
  characters sensitive to HTML are rendered as their corresponding escape
  sequences (such as translating "<" to "&lt;") so that the browser will
  render them rather than execute them.
  
  WARNING:  Web application error pages that naively display the request URI
  in their output can be subject to this same kind of problem.
  
  Revision  Changes    Path
  1.22      +43 -5     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java
  
  Index: StandardWrapperValve.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- StandardWrapperValve.java 2001/03/17 00:56:57     1.21
  +++ StandardWrapperValve.java 2001/03/17 20:07:41     1.22
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
 1.21 2001/03/17 00:56:57 craigmcc Exp $
  - * $Revision: 1.21 $
  - * $Date: 2001/03/17 00:56:57 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
 1.22 2001/03/17 20:07:41 craigmcc Exp $
  + * $Revision: 1.22 $
  + * $Date: 2001/03/17 20:07:41 $
    *
    * ====================================================================
    *
  @@ -102,7 +102,7 @@
    * <code>StandardWrapper</code> container implementation.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.21 $ $Date: 2001/03/17 00:56:57 $
  + * @version $Revision: 1.22 $ $Date: 2001/03/17 20:07:41 $
    */
   
   final class StandardWrapperValve
  @@ -622,6 +622,44 @@
   
   
       /**
  +     * Filter the specified message string for characters that are sensitive
  +     * in HTML.  This avoids potential attacks caused by including JavaScript
  +     * codes in the request URL that is often reported in error messages.
  +     *
  +     * @param message The message string to be filtered
  +     */
  +    private String filter(String message) {
  +
  +        if (message == null)
  +            return (null);
  +
  +        char content[] = new char[message.length()];
  +        message.getChars(0, message.length(), content, 0);
  +        StringBuffer result = new StringBuffer(content.length + 50);
  +        for (int i = 0; i < content.length; i++) {
  +            switch (content[i]) {
  +            case '<':
  +                result.append("&lt;");
  +                break;
  +            case '>':
  +                result.append("&gt;");
  +                break;
  +            case '&':
  +                result.append("&amp;");
  +                break;
  +            case '"':
  +                result.append("&quot;");
  +                break;
  +            default:
  +                result.append(content[i]);
  +            }
  +        }
  +        return (result.toString());
  +
  +    }
  +
  +
  +    /**
        * Log a message on the Logger associated with our Container (if any)
        *
        * @param message Message to be logged
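Review bot: The escape set in `filter` covers `<`, `>`, `&` and `"` but not the single quote, so a message rendered inside a single-quoted HTML attribute is still able to terminate that attribute; adding `case '\'': result.append("&#39;"); break;` alongside the existing cases closes that gap at the same cost. The Javadoc has `@param message` but no `@return`; I would add `@return the filtered message, or {@code null} when the input is {@code null}`, since that null pass-through is what the caller in the -773 hunk relies on before its own null check. The `getChars` copy into `content` is an extra allocation the loop does not need — `message.charAt(i)` reads the same characters directly, and `char[] content` is the conventional Java form if the array is kept.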
  @@ -773,7 +811,7 @@
        HttpServletResponse hres =
            (HttpServletResponse) response.getResponse();
        int statusCode = hresponse.getStatus();
  -     String message = hresponse.getMessage();
  +     String message = filter(hresponse.getMessage());
        if (message == null)
            message = "";
   
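Review bot: `filter(...)` is applied before the `message == null` check two lines below, which is only correct because `filter` returns `null` unchanged for a `null` input; a short comment on the changed line such as `// filter() preserves null, so the "" default below still applies` would keep that ordering from being reshuffled later. The enclosing method starts and ends outside the hunk, so whether other request-derived values (the request URI the commit log mentions) reach the response body through a different path cannot be confirmed here; if they do, those call sites need the same treatment, as `filter` is private to this valve and only guards this one read.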
  
  
  
