2018-03-02 14:51 GMT+03:00 <ma...@apache.org>: > Author: markt > Date: Fri Mar 2 11:51:19 2018 > New Revision: 1825713 > > URL: http://svn.apache.org/viewvc?rev=1825713&view=rev > Log: > Work-around a known, non-specification compliant behaviour in some versions > of IE that can allow XSS when using the JMX proxy feature of the Manager > application. > Based on a suggestion from Muthukumar Marikani.
It may be worth adding the same to ManagerServlet and HostManagerServlet, which use text/plain as well. Also, ManagerServlet and HostManagerServlet have an explicit charset in their MIME type: response.setContentType("text/plain;charset="+Constants.CHARSET);
> Modified: > tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java > tomcat/trunk/webapps/docs/changelog.xml > > Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java > (original) > +++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri > Mar 2 11:51:19 2018 > @@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt > public void doGet(HttpServletRequest request, HttpServletResponse > response) > throws IOException, ServletException { > response.setContentType("text/plain"); > + // Stop older versions of IE thinking they know best. We set > text/plain > + // in the line above for a reason. IE's behaviour is unwanted at best > + // and dangerous at worst. > + response.setHeader("X-Content-Type-Options", "nosniff"); > > PrintWriter writer = response.getWriter(); > > > Modified: tomcat/trunk/webapps/docs/changelog.xml > URL: > http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff > ============================================================================== > --- tomcat/trunk/webapps/docs/changelog.xml (original) > +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 2 11:51:19 2018 
> @@ -157,6 +157,12 @@ > Add support for specifying the application version when deploying an > application via the Manager application HTML interface. (markt) > </add> > + <add> > + Work-around a known, non-specification compliant behaviour in some > + versions of IE that can allow XSS when using the JMX proxy feature of > + the Manager application. Based on a suggestion from Muthukumar > Marikani. > + (markt) > + </add> > </changelog> > </subsection> > </section> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
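Review bot: in the JMXProxyServlet.doGet hunk, the added comment explains the header only as an IE quirk; it should name the mechanism, i.e. that `X-Content-Type-Options: nosniff` is the standard opt-out from browser MIME sniffing and is honoured by other browsers too, so a later reader does not remove it once old IE versions are no longer a concern. The placement is right, since the header is set before `response.getWriter()` and so before the response can be committed, but `response.setContentType("text/plain")` still carries no charset; setting `text/plain;charset=...` here, as ManagerServlet and HostManagerServlet already do with `Constants.CHARSET`, would keep the three servlets consistent and remove any ambiguity about how the body is decoded.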
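Review bot: in the changelog.xml hunk, the new entry describes the symptom (IE behaviour that can allow XSS via the JMX proxy) but not the change itself; stating that the JMX proxy response now sends the `X-Content-Type-Options: nosniff` header would let administrators verify the fix on a running instance and understand why the response headers changed.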