Author: markt Date: Fri Mar 2 11:51:19 2018 New Revision: 1825713 URL: http://svn.apache.org/viewvc?rev=1825713&view=rev Log: Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when using the JMX proxy feature of the Manager application. Based on a suggestion from Muthukumar Marikani.
Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java (original) +++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri Mar 2 11:51:19 2018 @@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/plain"); + // Stop older versions of IE thinking they know best. We set text/plain + // in the line above for a reason. IE's behaviour is unwanted at best + // and dangerous at worst. + response.setHeader("X-Content-Type-Options", "nosniff"); PrintWriter writer = response.getWriter(); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 2 11:51:19 2018 
@@ -157,6 +157,12 @@ Add support for specifying the application version when deploying an application via the Manager application HTML interface. (markt) </add> + <add> + Work-around a known, non-specification compliant behaviour in some + versions of IE that can allow XSS when using the JMX proxy feature of + the Manager application. Based on a suggestion from Muthukumar Marikani. + (markt) + </add> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
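Review bot: In the JMXProxyServlet hunk, the header is added between `response.setContentType("text/plain")` and `response.getWriter()`, which is the right place: `X-Content-Type-Options: nosniff` only works if it is set before the response is committed, so any later refactoring must keep it ahead of the first write. The comment, though, only names older IE, while the header is honoured by all current browsers and is the standard way to stop a `text/plain` body that happens to contain HTML from being rendered as a document; suggest wording the comment as "tell browsers not to MIME-sniff this text/plain response" so the intent survives once the IE reference is stale. Also consider whether other Manager servlets that echo request-derived data as `text/plain` need the same line, or whether the header belongs in a filter applied to the whole Manager application rather than in one `doGet`.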
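Review bot: In the changelog.xml hunk, the new entry repeats the commit message but never says what the work-around is; a reader of the changelog cannot tell from it that the JMX proxy now sends `X-Content-Type-Options: nosniff`, which is the detail an administrator needs to recognise (or reproduce in a front-end proxy). Suggest adding that to the entry, e.g. "... by sending the X-Content-Type-Options: nosniff header with the text/plain response of the JMX proxy." Since this corrects a security-relevant behaviour rather than adding a feature, `<fix>` would also be a better element than `<add>` for this entry.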