markt 2005/01/04 17:03:23
Modified: webapps/manager/WEB-INF/classes/org/apache/catalina/manager HTMLManagerServlet.java ManagerServlet.java
Log:
Fix trivial (since it is within the manager web app that should not be publically accessible) XSS issue.
Revision Changes Path
1.18 +4 -2 jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java
Index: HTMLManagerServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- HTMLManagerServlet.java 14 Oct 2004 17:25:32 -0000 1.17
+++ HTMLManagerServlet.java 5 Jan 2005 01:03:22 -0000 1.18
@@ -32,6 +32,7 @@
 import org.apache.catalina.Container;
 import org.apache.catalina.Context;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.fileupload.DiskFileUpload;
@@ -105,7 +106,8 @@
 message = stop(path);
 } else {
 message =
- sm.getString("managerServlet.unknownCommand", command);
+ sm.getString("managerServlet.unknownCommand",
+ RequestUtil.filter(command));
 }
 list(request, response, message);
1.27 +20 -12 jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/ManagerServlet.java
Index: ManagerServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/ManagerServlet.java,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- ManagerServlet.java 3 Jan 2005 16:09:26 -0000 1.26
+++ ManagerServlet.java 5 Jan 2005 01:03:22 -0000 1.27
@@ -52,6 +52,7 @@
 import org.apache.catalina.UserDatabase;
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.core.StandardServer;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;
 import org.apache.commons.modeler.Registry;
@@ -762,7 +763,7 @@
 if (path == null || path.length() == 0 || !path.startsWith("/")) {
 writer.println(sm.getString("managerServlet.invalidPath",
- path));
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -881,7 +882,8 @@
 log("restart: Reloading web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -892,7 +894,8 @@
 Context context = (Context) host.findChild(path);
 if (context == null) {
 writer.println(sm.getString
- ("managerServlet.noContext", displayPath));
+ ("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 // It isn't possible for the manager to reload itself
@@ -1088,7 +1091,8 @@
 log("sessions: Session information for web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1097,7 +1101,8 @@
 try {
 Context context = (Context) host.findChild(path);
 if (context == null) {
- writer.println(sm.getString("managerServlet.noContext", displayPath));
+ writer.println(sm.getString("managerServlet.noContext",
+ RequestUtil.filter(displayPath)));
 return;
 }
 writer.println(sm.getString("managerServlet.sessions", displayPath));
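Review bot: The guard on the second context line of the @@ -881 hunk, `if ((path == null) || (!path.startsWith("/") && path.equals("")))`, rejects only null and the empty string, because for a non-empty path without a leading slash `path.equals("")` is false and the whole second term is false; the @@ -762 hunk above uses the intended form `path == null || path.length() == 0 || !path.startsWith("/")`. The now-filtered invalidPath message is therefore never emitted for a non-empty path lacking a leading slash, which falls through to `host.findChild(path)` instead; the same guard appears in the @@ -1088, @@ -1152, @@ -1197 and @@ -1239 hunks. Aligning all five on the @@ -762 form keeps validation identical across commands: `if (path == null || path.length() == 0 || !path.startsWith("/")) {`. The enclosing method starts before the hunk in each case.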
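Review bot: The last context line of the @@ -1097 hunk still passes `displayPath` unfiltered to `managerServlet.sessions`, one line after the same value is filtered for `managerServlet.noContext`. By that point `host.findChild(path)` has matched it against a deployed context, so the value is one an administrator deployed rather than arbitrary request input, which is presumably why it was left alone; if this output is rendered by the HTML manager like the messages filtered elsewhere in this file, consistent escaping is still the safer default. It is a one-call change: `writer.println(sm.getString("managerServlet.sessions", RequestUtil.filter(displayPath)));`. The enclosing sessions() method starts before the hunk and continues after it.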
@@ -1152,7 +1157,8 @@
 log("start: Starting web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1163,7 +1169,7 @@
 Context context = (Context) host.findChild(path);
 if (context == null) {
 writer.println(sm.getString("managerServlet.noContext",
- displayPath));
+ RequestUtil.filter(displayPath)));
 return;
 }
 ((Lifecycle) context).start();
@@ -1197,7 +1203,8 @@
 log("stop: Stopping web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1208,7 +1215,7 @@
 Context context = (Context) host.findChild(path);
 if (context == null) {
 writer.println(sm.getString("managerServlet.noContext",
- displayPath));
+ RequestUtil.filter(displayPath)));
 return;
 }
 // It isn't possible for the manager to stop itself
@@ -1239,7 +1246,8 @@
 log("undeploy: Undeploying web application at '" + path + "'");
 if ((path == null) || (!path.startsWith("/") && path.equals(""))) {
- writer.println(sm.getString("managerServlet.invalidPath", path));
+ writer.println(sm.getString("managerServlet.invalidPath",
+ RequestUtil.filter(path)));
 return;
 }
 String displayPath = path;
@@ -1252,7 +1260,7 @@
 Context context = (Context) host.findChild(path);
 if (context == null) {
 writer.println(sm.getString("managerServlet.noContext",
- displayPath));
+ RequestUtil.filter(displayPath)));
 return;
 }