Author: remy.maucherat(a)jboss.com
Date: 2008-06-04 15:55:55 -0400 (Wed, 04 Jun 2008)
New Revision: 656
Modified:
trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
trunk/java/org/apache/catalina/startup/CatalinaProperties.java
Log:
- Port: Very minor XSS problem.
- Don't override system properties.
Modified: trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
===================================================================
--- trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 2008-06-02
11:49:30 UTC (rev 655)
+++ trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 2008-06-04
19:55:55 UTC (rev 656)
@@ -21,6 +21,7 @@
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
+import java.net.URLEncoder;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Map;
@@ -292,17 +293,17 @@
args = new Object[7];
args[0] = response.encodeURL
(request.getContextPath() +
- "/html/start?name=" + hostName);
+ "/html/start?name=" + URLEncoder.encode(hostName,
"UTF-8"));
args[1] = hostsStart;
args[2] = response.encodeURL
(request.getContextPath() +
- "/html/stop?name=" + hostName);
+ "/html/stop?name=" + URLEncoder.encode(hostName,
"UTF-8"));
args[3] = hostsStop;
args[4] = response.encodeURL
(request.getContextPath() +
- "/html/remove?name=" + hostName);
+ "/html/remove?name=" + URLEncoder.encode(hostName,
"UTF-8"));
args[5] = hostsRemove;
- args[6] = hostName;
+ args[6] = RequestUtil.filter(hostName);
if (host == this.host) {
writer.print(MessageFormat.format(
MANAGER_HOST_ROW_BUTTON_SECTION, args));
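Review bot: The call `URLEncoder.encode(hostName, "UTF-8")` is repeated for the start, stop and remove links, and nothing in the hunk explains why the links are URL-encoded while `args[6]` goes through `RequestUtil.filter`. Computing it once, `String encodedName = URLEncoder.encode(hostName, "UTF-8");`, with a comment such as `// query-string context: URL-encode; args[6] is HTML text: entity-escape`, would keep the two output contexts from being mixed up in later edits. The import hunk adds only `java.net.URLEncoder`, so `RequestUtil` is presumably already imported elsewhere in the file; that is worth confirming against the build. The enclosing method starts and ends outside the hunk, so any other place where the host name is written into the page is not visible here and should be checked for the same escaping.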
Modified: trunk/java/org/apache/catalina/startup/CatalinaProperties.java
===================================================================
--- trunk/java/org/apache/catalina/startup/CatalinaProperties.java 2008-06-02 11:49:30 UTC
(rev 655)
+++ trunk/java/org/apache/catalina/startup/CatalinaProperties.java 2008-06-04 19:55:55 UTC
(rev 656)
@@ -136,7 +136,7 @@
while (enumeration.hasMoreElements()) {
String name = (String) enumeration.nextElement();
String value = properties.getProperty(name);
- if (value != null) {
+ if (value != null && (System.getProperty(name) == null)) {
System.setProperty(name, value);
}
}
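Review bot: The new condition on the `if` line changes which source wins, but no comment records that precedence. A line above it such as `// Do not override values already set on the JVM (e.g. -Dname=value); catalina.properties only supplies defaults` would make the intent clear to whoever next edits this loop. The extra parentheses around `System.getProperty(name) == null` can be dropped. If this loading code can run more than once in a JVM (the enclosing method is outside the hunk, so this is an assumption), values written by the first pass will no longer be refreshed by a later one, which is worth stating in the same comment.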