Author: remy.maucherat(a)jboss.com Date: 2008-06-09 06:00:54 -0400 (Mon, 09 Jun 2008) New Revision: 661 Added: trunk/java/org/apache/catalina/valves/WebdavFixValve.java Modified: trunk/java/org/apache/jasper/security/SecurityUtil.java trunk/java/org/apache/jasper/servlet/JspServlet.java trunk/webapps/docs/changelog.xml Log: - Two Tomcat patches. - Add a WebDAV valve for a broken MS client. - Improve JSP error when including. Added: trunk/java/org/apache/catalina/valves/WebdavFixValve.java =================================================================== --- trunk/java/org/apache/catalina/valves/WebdavFixValve.java (rev 0) +++ trunk/java/org/apache/catalina/valves/WebdavFixValve.java 2008-06-09 10:00:54 UTC (rev 661) @@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.valves; + +import java.io.IOException; + +import javax.servlet.ServletException; + +import org.apache.catalina.valves.ValveBase; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; + +/** + * Valve that attempts to force MS WebDAV clients connecting on port 80 to use + * a WebDAV client that actually works. Other workarounds that might help + * include: + * <ul> + * <li>Specifing the port, even if it is port 80, when trying to connect.</li> + * <li>Canceling the first authentication dialog box and then trying to + * reconnect.</li> + * </ul> + * To use this valve add the following <code>&lt;Valve + * className="org.apache.catalina.valves.MicrosoftWebdavFixValve" /&gt;</code> + * to your <code>Engine</code>, <code>Host</code> or <code>Context</code> as + * required. Normally, this valve would be used at the <code>Context</code> + * level. + * + * @version $Revision: 420067 $, $Date: 2006-07-08 09:16:58 +0200 (sub, 08 srp 2006) $ + */ + +public class WebdavFixValve + extends ValveBase { + + /** + * Check for the broken MS WebDAV client and if detected issue a re-direct + * that hopefully will cause the non-broken client to be used. + */ + public void invoke(Request request, Response response) + throws IOException, ServletException { + + String ua = request.getHeader("User-Agent"); + if (ua != null && ua.contains("MiniRedir")) { + response.sendRedirect(buildRedirect(request)); + } else { + getNext().invoke(request, response); + } + } + + private String buildRedirect(Request request) { + StringBuffer location = + new StringBuffer(request.getRequestURL().length()); + location.append(request.getScheme()); + location.append("://"); + location.append(request.getHost().getName()); + location.append(':'); + // If we include the port, even if it is 80, then MS clients will use + // a WebDAV client that works rather than the MiniRedir that has + // problems with BASIC authentication + location.append(request.getServerPort()); + location.append(request.getRequestURI()); + return location.toString(); + } +} Modified: trunk/java/org/apache/jasper/security/SecurityUtil.java =================================================================== --- trunk/java/org/apache/jasper/security/SecurityUtil.java 2008-06-06 14:37:41 UTC (rev 660) +++ trunk/java/org/apache/jasper/security/SecurityUtil.java 2008-06-09 10:00:54 UTC (rev 661) @@ -39,6 +39,43 @@ } return false; } + + /** + * Filter the specified message string for characters that are sensitive + * in HTML. This avoids potential attacks caused by including JavaScript + * codes in the request URL that is often reported in error messages. + * + * @param message The message string to be filtered + */ + public static String filter(String message) { + + if (message == null) + return (null); + + char content[] = new char[message.length()]; + message.getChars(0, message.length(), content, 0); + StringBuffer result = new StringBuffer(content.length + 50); + for (int i = 0; i < content.length; i++) { + switch (content[i]) { + case '<': + result.append("&lt;"); + break; + case '>': + result.append("&gt;"); + break; + case '&': + result.append("&amp;"); + break; + case '"': + result.append("&quot;"); + break; + default: + result.append(content[i]); + } + } + return (result.toString()); + + } } Modified: trunk/java/org/apache/jasper/servlet/JspServlet.java =================================================================== --- trunk/java/org/apache/jasper/servlet/JspServlet.java 2008-06-06 14:37:41 UTC (rev 660) +++ trunk/java/org/apache/jasper/servlet/JspServlet.java 2008-06-09 10:00:54 UTC (rev 661) @@ -29,14 +29,13 @@ import javax.servlet.http.HttpServletResponse; import org.apache.PeriodicEventListener; - import org.apache.jasper.Constants; import org.apache.jasper.EmbeddedServletOptions; import org.apache.jasper.Options; import org.apache.jasper.compiler.JspRuntimeContext; import org.apache.jasper.compiler.Localizer; +import org.apache.jasper.security.SecurityUtil; import org.jboss.logging.Logger; -import org.jboss.logging.Logger; /** * The JSP engine (a.k.a Jasper). @@ -311,8 +310,10 @@ if (includeRequestUri != null) { // This file was included. Throw an exception as // a response.sendError() will be ignored - throw new ServletException(Localizer.getMessage( - "jsp.error.file.not.found",jspUri)); + String msg = Localizer.getMessage("jsp.error.file.not.found", jspUri); + // Strictly, filtering this is an application + // responsibility but just in case... + throw new ServletException(SecurityUtil.filter(msg)); } else { try { response.sendError( Modified: trunk/webapps/docs/changelog.xml =================================================================== --- trunk/webapps/docs/changelog.xml 2008-06-06 14:37:41 UTC (rev 660) +++ trunk/webapps/docs/changelog.xml 2008-06-09 10:00:54 UTC (rev 661) @@ -60,6 +60,12 @@ <update> Add HTTP/1.0 keep-alive to ClusterListener. (remm) </update> + <add> + Add a new valve that works-around the broken MS WedDAV client. (markt) + </add> + <fix> + Fix XSS in the host manager. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> @@ -86,6 +92,10 @@ <fix> <bug>44994</bug>: Correct BNF grammar so ${0 lt a ? 1 lt a ? "many": "one": "none"} works. (markt) </fix> + <fix> + Add an additional layer of protection in case app fails to protect against an XSS. + Copied filter code to jasper module so no new dependency is created. (markt) + </fix> </changelog> </subsection> </section>