Author: remy.maucherat(a)jboss.com
Date: 2008-08-04 07:37:52 -0400 (Mon, 04 Aug 2008)
New Revision: 734
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/core/StandardContextValve.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/Constants.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpAprProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalAprOutputBuffer.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalNioOutputBuffer.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalOutputBuffer.java
Log:
- CVE-2008-1232: XSS in error messages.
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/core/StandardContextValve.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/core/StandardContextValve.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/core/StandardContextValve.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -120,8 +120,7 @@
|| (requestPathMB.equalsIgnoreCase("/META-INF"))
|| (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
|| (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -137,8 +136,7 @@
// Select the Wrapper to be used for this Request
Wrapper wrapper = request.getWrapper();
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -289,10 +287,10 @@
* @param requestURI The request URI for the requested resource
* @param response The response we are creating
*/
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
} catch (IllegalStateException e) {
;
} catch (IOException e) {
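Review bot: The Javadoc above `notFound` still carries `* @param requestURI The request URI for the requested resource` although the new signature line drops that parameter; the tag should be removed so the doc matches the method. The two `catch` blocks that swallow `IllegalStateException` and `IOException` with a bare `;` are pre-existing, but since the method is being touched a one-line comment such as `// response already committed or client gone; nothing further can be sent` would make the intent explicit instead of looking like an accidental swallow. The method body continues past the end of the hunk.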
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/Constants.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/Constants.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/Constants.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -60,5 +60,13 @@
(System.getSecurityManager() != null);
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
+
}
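Review bot: The new Javadoc says when the flag applies but not why it defaults to false, which is the security-relevant part given the commit is the CVE-2008-1232 fix; I would extend it with `* Defaults to false (CVE-2008-1232): when enabled, status messages supplied by the application are reflected into the HTTP status line, so callers are responsible for their content.` The `Boolean.valueOf(System.getProperty(..., "false")).booleanValue()` chain is equivalent to the single call `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")`, which reads more directly and keeps the same case-insensitive "true" semantics.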
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpAprProcessor.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpAprProcessor.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -915,7 +915,10 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
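Review bot: Under the new flag the custom message is taken from `response.getMessage()` but, unlike the three HTTP/1.1 output buffers changed in this same commit, no `replace('\n', ' ').replace('\r', ' ')` is applied before it reaches the `else` branch. That branch starts on the last line of the hunk and continues outside it, so I cannot see how the string is encoded; if it is appended as-is the front-end web server will presumably place it in its own status line, and the same stripping, `message = message.replace('\n', ' ').replace('\r', ' ');` before the `if (message == null)` check, would keep the AJP path consistent with the HTTP path. The identical change in AjpProcessor.java has the same gap.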
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpProcessor.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/ajp/AjpProcessor.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -921,7 +921,10 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalAprOutputBuffer.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -421,11 +421,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', '
'));
}
// End the response status line
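Review bot: The `write(message.replace('\n', ' ').replace('\r', ' '))` line does the right thing but nothing says why, and the same flag check plus substitution is repeated verbatim in InternalAprOutputBuffer, InternalNioOutputBuffer and InternalOutputBuffer; a comment such as `// Custom reason phrase may be application/request-derived; CR or LF would terminate the status line early` above the write records the reason, and a single static helper next to `HttpMessages.getMessage(int)` that returns the sanitized custom message or null would keep the three status-line writers in step the next time the rule changes. The substitution covers the two characters that end a status line; whether other control characters should be treated the same is a judgement call worth a sentence in that comment. The enclosing method begins before the hunk.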
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalNioOutputBuffer.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalNioOutputBuffer.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalNioOutputBuffer.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -471,11 +471,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', '
'));
}
// End the response status line
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalOutputBuffer.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalOutputBuffer.java 2008-08-04
11:15:14 UTC (rev 733)
+++
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/InternalOutputBuffer.java 2008-08-04
11:37:52 UTC (rev 734)
@@ -438,11 +438,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
- write(getMessage(status));
+ write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', '
'));
}
// End the response status line