craigmcc 01/03/17 12:52:50
Modified: src/share/org/apache/tomcat/context Tag: tomcat_32
DefaultCMSetter.java
src/share/org/apache/tomcat/util Tag: tomcat_32
RequestUtil.java
Log:
For Tomcat 3.2, fix the security vulnerability reported by Hiromitsu
Takagi. As with Tomcat 4.0, the problem is not related to JSP
specifically. It was caused by the fact that the original request URI was
included in the standard error page produced by Tomcat for errors like 404
(not found), which was the illustration in this case.
WARNING: Web apps that echo the request URI in their responses (either in
a standard response or in an error page) can be subject to this same kind
of vulnerability.
Revision Changes Path
No revision
No revision
1.45.2.10 +9 -8
jakarta-tomcat/src/share/org/apache/tomcat/context/Attic/DefaultCMSetter.java
Index: DefaultCMSetter.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/context/Attic/DefaultCMSetter.java,v
retrieving revision 1.45.2.9
retrieving revision 1.45.2.10
diff -u -r1.45.2.9 -r1.45.2.10
--- DefaultCMSetter.java 2001/03/17 00:26:39 1.45.2.9
+++ DefaultCMSetter.java 2001/03/17 20:52:49 1.45.2.10
@@ -173,7 +173,7 @@
.append("</h1>\r\n<b>");
buf.append(sm.getString("defaulterrorpage.originalrequest"))
.append("</b> ")
- .append( requestURI );
+ .append( RequestUtil.filter(requestURI) );
if (contextM.getShowDebugInfo()) {
if (res.isIncluded()) {
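Review bot: The escaping is applied separately at each `append` call, here and in the hunks at -184, -253 and -377, so a later edit that adds another request-derived value to these error pages can miss it with nothing to flag the omission. A short comment above the first `buf.append` of each handler would make the rule explicit, for example `// Every request-derived value written to this page goes through RequestUtil.filter() (HTML escaping).` The enclosing methods start and end outside these hunks, so any other values they echo (not visible here) should be checked against the same rule.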
@@ -184,7 +184,7 @@
buf.append("<br><br>\r\n<b>")
.append(sm.getString("defaulterrorpage.notfoundrequest"))
.append("</b> ")
- .append( requestURI );
+ .append( RequestUtil.filter(requestURI) );
}
}
@@ -253,14 +253,14 @@
buf.append("<h2>")
.append(sm.getString("defaulterrorpage.location"))
.append(" ")
- .append(req.getRequestURI())
+ .append(RequestUtil.filter(req.getRequestURI()))
.append("</h2>");
if ( errorURI != null && contextM.getShowDebugInfo()) {
buf.append("\r\n<h2>")
.append(sm.getString("defaulterrorpage.errorlocation"))
.append(" ")
- .append(errorURI)
+ .append(RequestUtil.filter(errorURI))
.append("</h2>");
}
@@ -377,19 +377,19 @@
buf.append("<h2>")
.append(sm.getString("defaulterrorpage.location"))
.append(" ")
- .append(req.getRequestURI())
+ .append(RequestUtil.filter(req.getRequestURI()))
.append("</h2>");
if ( sc >= 400 && errorURI != null && contextM.getShowDebugInfo()) {
buf.append("\r\n<h2>")
.append(sm.getString("defaulterrorpage.errorlocation"))
.append(" ")
- .append(errorURI)
+ .append(RequestUtil.filter(errorURI))
.append("</h2>");
}
buf.append("<b>")
- .append(msg)
+ .append(RequestUtil.filter(msg))
.append("</b><br>");
// add unavailable time if present
@@ -419,6 +419,7 @@
out.print(buf.toString());
}
}
+
}
class RedirectHandler extends ServletWrapper {
@@ -459,7 +460,7 @@
append("</h1>\r\n").
append(sm.getString("defaulterrorpage.thisdocumenthasmoved")).
append(" <a href=\"").
- append(location).
+ append(RequestUtil.filter(location)).
append("\">here</a>.<p>\r\n</body>\r\n");
String body = buf.toString();
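Review bot: HTML-escaping `location` keeps it from breaking out of the double-quoted `href`, but it does not restrict what kind of URL ends up in the link: a value with a non-HTTP scheme such as `javascript:` contains none of the four filtered characters and passes through unchanged. If `location` can be influenced by the request (its origin is outside this hunk), the handler should also check the scheme before building the body, accepting only relative paths and `http:`/`https:` URLs. At minimum a comment at this append, `// filter() only HTML-escapes; the URL scheme of location is not validated here`, would record the limit.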
No revision
No revision
1.14.2.3 +38 -0
jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java
Index: RequestUtil.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java,v
retrieving revision 1.14.2.2
retrieving revision 1.14.2.3
diff -u -r1.14.2.2 -r1.14.2.3
--- RequestUtil.java 2001/03/13 18:18:26 1.14.2.2
+++ RequestUtil.java 2001/03/17 20:52:50 1.14.2.3
@@ -502,6 +502,44 @@
}
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+
+ }
+
+
/* -------------------- From HttpDate -------------------- */
// Parse date - XXX This code is _very_ slow ( 3 parsers, GregorianCalendar,
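Review bot: `filter()` leaves the single quote untouched, so its output is safe in element content and inside double-quoted attribute values but not in a single-quoted or unquoted attribute; the Javadoc should state that limit, and the switch could add `case '\'': result.append("&#39;"); break;`. The Javadoc also lacks an `@return` line and does not say that a `null` argument is returned as `null`. As shown on this page the four replacement literals look entity-decoded by the rendering (`result.append("<")`, `result.append(""")`); the committed code presumably appends the entity forms `&lt;`, `&gt;`, `&amp;` and `&quot;`.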