Author: remy.maucherat(a)jboss.com
Date: 2013-03-18 12:16:55 -0400 (Mon, 18 Mar 2013)
New Revision: 2176
Modified:
branches/2.1.x/java/org/apache/tomcat/bayeux/RequestBase.java
branches/7.0.x/java/org/apache/tomcat/bayeux/RequestBase.java
branches/7.2.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java
branches/8.0.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java
Log:
Fix minor XSS issue with Bayeux; probably not actually used.
Modified: branches/2.1.x/java/org/apache/tomcat/bayeux/RequestBase.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-12 16:54:51 UTC
(rev 2175)
+++ branches/2.1.x/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-18 16:16:55 UTC
(rev 2176)
@@ -29,6 +29,7 @@
import javax.servlet.ServletException;
+import org.apache.catalina.util.RequestUtil;
import org.apache.cometd.bayeux.Bayeux;
import org.apache.cometd.bayeux.Message;
import org.apache.tomcat.util.json.JSONArray;
@@ -179,7 +180,7 @@
String jsonp =
event.getHttpServletRequest().getParameter(Bayeux.JSONP_PARAMETER);
if (jsonp == null)
jsonp = Bayeux.JSONP_DEFAULT_NAME;
- out.print(jsonp);
+ out.print(RequestUtil.filter(jsonp));
out.print('(');
} else {
throw new BayeuxException("Client doesn't support any appropriate
connection type.");
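Review bot: `RequestUtil.filter(jsonp)` on the `+` line is an HTML entity encoder, but the value is written as the callback name of a JSONP response, i.e. into a JavaScript context, where encoding `<`, `>`, `&` and `"` does not stop a client-supplied string from altering the script that follows, since punctuation that is significant in JavaScript passes through the filter unchanged. The usual mitigation for a callback parameter is validation rather than encoding: accept only identifier characters and reject everything else, e.g. `if (!jsonp.matches("[A-Za-z0-9_$.]+")) throw new BayeuxException("Invalid JSONP callback name.");` inserted before `out.print(jsonp);` (the 7.2.x and 8.0.x branches would route the message through `MESSAGES` like the surrounding code does), with the regex hoisted to a `static final Pattern` if this path is hot. It would also be worth confirming that the response is sent with a script content type and that `Bayeux.JSONP_DEFAULT_NAME` satisfies the same check; neither is visible in the hunk. The identical change appears in the 7.0.x, 7.2.x and 8.0.x sections, and the enclosing method starts and ends outside the hunk.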
Modified: branches/7.0.x/java/org/apache/tomcat/bayeux/RequestBase.java
===================================================================
--- branches/7.0.x/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-12 16:54:51 UTC
(rev 2175)
+++ branches/7.0.x/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-18 16:16:55 UTC
(rev 2176)
@@ -29,6 +29,7 @@
import javax.servlet.ServletException;
+import org.apache.catalina.util.RequestUtil;
import org.apache.cometd.bayeux.Bayeux;
import org.apache.cometd.bayeux.Message;
import org.apache.tomcat.util.json.JSONArray;
@@ -179,7 +180,7 @@
String jsonp =
event.getHttpServletRequest().getParameter(Bayeux.JSONP_PARAMETER);
if (jsonp == null)
jsonp = Bayeux.JSONP_DEFAULT_NAME;
- out.print(jsonp);
+ out.print(RequestUtil.filter(jsonp));
out.print('(');
} else {
throw new BayeuxException("Client doesn't support any appropriate
connection type.");
Modified: branches/7.2.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java
===================================================================
--- branches/7.2.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-12
16:54:51 UTC (rev 2175)
+++ branches/7.2.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-18
16:16:55 UTC (rev 2176)
@@ -31,6 +31,7 @@
import javax.servlet.ServletException;
+import org.apache.catalina.util.RequestUtil;
import org.apache.cometd.bayeux.Bayeux;
import org.apache.cometd.bayeux.Message;
import org.apache.tomcat.util.json.JSONArray;
@@ -180,7 +181,7 @@
String jsonp =
event.getHttpServletRequest().getParameter(Bayeux.JSONP_PARAMETER);
if (jsonp == null)
jsonp = Bayeux.JSONP_DEFAULT_NAME;
- out.print(jsonp);
+ out.print(RequestUtil.filter(jsonp));
out.print('(');
} else {
throw new BayeuxException(MESSAGES.noBayeuxConnectionType());
Modified: branches/8.0.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-12
16:54:51 UTC (rev 2175)
+++ branches/8.0.x/src/main/java/org/apache/tomcat/bayeux/RequestBase.java 2013-03-18
16:16:55 UTC (rev 2176)
@@ -31,6 +31,7 @@
import javax.servlet.ServletException;
+import org.apache.catalina.util.RequestUtil;
import org.apache.cometd.bayeux.Bayeux;
import org.apache.cometd.bayeux.Message;
import org.apache.tomcat.util.json.JSONArray;
@@ -180,7 +181,7 @@
String jsonp =
event.getHttpServletRequest().getParameter(Bayeux.JSONP_PARAMETER);
if (jsonp == null)
jsonp = Bayeux.JSONP_DEFAULT_NAME;
- out.print(jsonp);
+ out.print(RequestUtil.filter(jsonp));
out.print('(');
} else {
throw new BayeuxException(MESSAGES.noBayeuxConnectionType());