portals-jetspeed-dev mailing list archives

From a..@apache.org
Subject svn commit: r513987 - in /portals/jetspeed-2/trunk: components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java src/webapp/WEB-INF/web.xml
Date Fri, 02 Mar 2007 22:06:45 GMT
Author: ate
Date: Fri Mar  2 14:06:45 2007
New Revision: 513987

URL: http://svn.apache.org/viewvc?view=rev&rev=513987
Log:
Simple fix for blocking issue JS2-626: Cross-Site Scripting (XSS) vulnerability.
The reported vulnerability is now resolved: in case of such an attack, HTTP Status 400 (SC_BAD_REQUEST)
will be returned.

Added:
    portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
  (with props)
Modified:
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml

Added: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?view=auto&rev=513987
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(added)
+++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Fri Mar  2 14:06:45 2007
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2007 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the  "License"); 
+ * you may not use this file except in compliance with the License. 
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" 
+ * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+ * See the License for the specific language governing permissions and 
+ * limitations under the License.
+ */
+package org.apache.jetspeed.engine.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Simple XXS Url attack protection blocking access whenever the request url contains a <
or > character.
+ * @version $Id$
+ * 
+ */
+public class XXSUrlAttackFilter implements Filter
+{
+    public void init(FilterConfig config) throws ServletException
+    {
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException,
+            ServletException
+    {
+        if (request instanceof HttpServletRequest)
+        {
+            HttpServletRequest hreq = (HttpServletRequest) request;
+            if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI()))
+            {
+                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
+            }
+        }
+        chain.doFilter(request, response);
+    }
+
+    private boolean isInvalid(String value)
+    {
+        return (value != null && (value.indexOf('<') != -1 || value.indexOf('>')
!= -1 || value.indexOf("%3e") != -1
+                || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3E")
!= -1));
+    }
+
+    public void destroy()
+    {
+    }
+}
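Review bot: In doFilter the rejected branch falls through: after `((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);` the method still reaches `chain.doFilter(request, response);`, so the request that was just refused is handed on to the rest of the chain and the target servlet may then try to write to a response that sendError has already committed; add `return;` directly after the sendError call. In isInvalid the term `value.indexOf("%3E") != -1` appears twice while the upper-case form of the other character is never tested, so a request carrying `%3C` is not caught; the duplicated term should read `value.indexOf("%3C") != -1`. The check is a literal denylist over the raw query string and request URI, so it only matches the exact spellings listed and not forms that the container or later code decodes again (hedged, since where the URL is echoed is not visible here); decoding the value once before comparing, or encoding the URL at the point it is written into the page, would be the more robust mitigation. The log message says XSS while the class name and its Javadoc say "XXS", which will make the filter hard to find by search.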

Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
------------------------------------------------------------------------------
    svn:keywords = Id

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=513987&r1=513986&r2=513987
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Fri Mar  2 14:06:45 2007
@@ -32,6 +32,11 @@
   </context-param>
       
   <filter>
+    <filter-name>XXSUrlAttackFilter</filter-name>
+    <filter-class>org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter</filter-class>
+  </filter>
+  
+  <filter>
       <filter-name>staticResourceCachingFilter</filter-name>
       <filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
       <init-param>
@@ -41,9 +46,15 @@
   </filter>
 
   <filter-mapping>
+    <filter-name>XXSUrlAttackFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>    
+  
+  <filter-mapping>
       <filter-name>staticResourceCachingFilter</filter-name>
       <servlet-name>default</servlet-name>
-  </filter-mapping>    
+  </filter-mapping>
+  
   <!--
   <filter>
     <filter-name>PortalFilter</filter-name>
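Review bot: The added `</filter-mapping>    ` line in the new XXSUrlAttackFilter mapping carries trailing spaces, the same whitespace the hunk strips from the staticResourceCachingFilter mapping two lines below; the new line should be `  </filter-mapping>` without them. The mapping declares only `<url-pattern>/*</url-pattern>` with no `<dispatcher>` element, which on a Servlet 2.4+ descriptor means the filter runs for REQUEST dispatches only and not for FORWARD or INCLUDE; whether that matters depends on how the portal dispatches internally, which is not visible in this hunk, so it is worth confirming rather than assuming.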



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

