
From tay...@apache.org
Subject svn commit: r1880230 - in /portals/jetspeed-2/portal/trunk: components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
Date Fri, 24 Jul 2020 01:20:24 GMT
Author: taylor
Date: Fri Jul 24 01:20:24 2020
New Revision: 1880230

URL: http://svn.apache.org/viewvc?rev=1880230&view=rev
Log:
Strengthen the XSS (cross-site scripting) request filters

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
    portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Fri Jul 24 01:20:24 2020
@@ -65,11 +65,11 @@ public class XXSUrlAttackFilter implemen
         {
             if (xssRequestEnabled) {
                 HttpServletRequest hreq = (HttpServletRequest) request;
-                if (isInvalid(hreq.getQueryString())) {
+                if (isInvalidQuery(hreq.getQueryString())) {
                     log.error("XSS attack query string found: " + hreq.getQueryString());
                     ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                 }
-                if (isInvalid(hreq.getRequestURI())) {
+                if (isInvalidUri(hreq.getRequestURI())) {
                     log.error("XSS attack URI found: " + hreq.getRequestURI());
                     ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                 }
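Review bot: When both the query string and the request URI trip the filter, `sendError()` is called twice on the same response, because the first `if` falls straight through to the second; the second call throws IllegalStateException once the response has been committed. Add `return;` after each `sendError(HttpServletResponse.SC_BAD_REQUEST);` so a rejected request stops here. The rest of doFilter is outside the hunk, so I cannot tell whether a rejected request otherwise continues to the filter chain; an early return after the error response removes that question. The two `log.error` calls also echo the raw attacker-controlled query string and URI at error level, which lets any anonymous client spam the error log; consider a lower level or truncating the value.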
@@ -83,7 +83,36 @@ public class XXSUrlAttackFilter implemen
         }
     }
 
-    private boolean isInvalid(String value)
+	private boolean isInvalidQuery(String value)
+	{
+		if (value == null) {
+			return false;
+		}
+
+		// watch for invalid characters
+		if (value.indexOf('<') != -1 || value.indexOf('>') != -1 || value.indexOf("%3C")
!= -1
+				|| value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3e") !=
-1
+				|| value.indexOf("//") != -1) {
+			return true;
+		}
+
+		// catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
+		String[] parts = value.split("&");
+		for (String part : parts) {
+			String queryValue = part.split("=")[1].replaceAll("%22", "\"");
+			if (queryValue.matches("^\"(.*)\"$")) {
+				// properly quoted query value
+			} else if (queryValue.indexOf('"') != -1) {
+				// something fishy
+				return true;
+			}
+		}
+
+		// looks valid to me
+		return false;
+	}
+
+    private boolean isInvalidUri(String value)
     {
         return (value != null && (value.indexOf('<') != -1 || value.indexOf('>')
!= -1 || value.indexOf("%3C") != -1
                 || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3e")
!= -1));
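Review bot: `part.split("=")[1]` in isInvalidQuery throws ArrayIndexOutOfBoundsException for any parameter without a value (`?debug`, `?a=1&b`, `?a=`), so a benign request ends in an unhandled exception rather than passing the check, and a value containing a second `=` has everything after it silently excluded from the inspection. The "properly quoted" exemption `^"(.*)"$` is also a bypass: a value such as `%22;alert(1);%22` decodes to `";alert(1);"`, matches the regex and is accepted, which is exactly the shape the comment above the loop says the check is meant to catch. The rewrite below splits on the first `=` only, skips value-less parameters, and exempts only a value whose surrounding quotes enclose no further quote. Separately, `value.indexOf("//")` now rejects any query parameter that carries an absolute URL (a return or redirect URL, for example); that may be intended, but it is broader than the commit log suggests and worth a comment.

```java
		// … unchanged: '<', '>', %3C/%3E and "//" character checks …

		// catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
		for (String part : value.split("&")) {
			int eq = part.indexOf('=');
			if (eq < 0) {
				continue; // flag-style parameter, no value to inspect
			}
			// decode only the double-quote escape; getQueryString() is otherwise raw
			String queryValue = part.substring(eq + 1).replaceAll("%22", "\"");
			if (queryValue.matches("^\"[^\"]*\"$")) {
				// a single, fully quoted value with no embedded quote
			} else if (queryValue.indexOf('"') != -1) {
				// unbalanced or embedded quote: something fishy
				return true;
			}
		}

		// … unchanged: return false …
```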

Modified: portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
(original)
+++ portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
Fri Jul 24 01:20:24 2020
@@ -448,7 +448,7 @@ preferences.user.enable = true
 # since 2.3.0
 #-------------------------------------------------------------------------
 xss.filter.request = true
-xss.filter.post = false
+xss.filter.post = true
 xss.filter.regexes = <script>(.*?)</script>
 xss.filter.flags = 2
 xss.filter.regexes = </script>
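Review bot: Flipping `xss.filter.post` to `true` makes the regex list below the only inspection applied to POST bodies, and that list is a denylist, so it is worth stating in the comment block that it is best-effort rather than a complete XSS control. Note that the first entry, `<script>(.*?)</script>`, is registered with flags `2` only (CASE_INSENSITIVE), whereas the later entries use `2 | 8 | 32`; without DOTALL (32) a script block that spans a line break in a POST body is not matched by that entry, although the standalone `</script>` entry still catches the closing tag. If POST bodies are read by the filter, confirm (outside this hunk) that the request is wrapped so the body remains readable by the portlet; that is inferred from the setting name, not visible here.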
@@ -465,6 +465,8 @@ xss.filter.regexes = eval\\((.*?)\\)
 xss.filter.flags = 2 | 8 | 32
 xss.filter.regexes = expression\\((.*?)\\)
 xss.filter.flags = 2 | 8 | 32
+xss.filter.regexes = http(s?)://127.0.0.1
+xss.filter.flags = 2 | 8 | 32
 
 #-------------------------------------------------------------------------
 # Auto Refresh
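Review bot: In the new pattern `http(s?)://127.0.0.1` the dots are unescaped, so `.` matches any character (e.g. `127a0b0c1`); the other entries in this block escape metacharacters with a double backslash, so write `xss.filter.regexes = http(s?)://127\\.0\\.0\\.1`. As a loopback denylist it is also trivially sidestepped — `localhost`, `127.1`, `0.0.0.0`, `[::1]`, the decimal form `2130706433`, and percent-encoded variants are not covered — so it should not be relied on to keep requests away from local services; if that is the goal, an allow-list on whichever parameter carries the URL is the robust fix. Flags 8 (MULTILINE) and 32 (DOTALL) have no effect on a pattern with no anchors and no `.`-based wildcard once the dots are escaped; only 2 (CASE_INSENSITIVE) matters here.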




