On 02/03/18 15:33, Konstantin Kolinko wrote:
> 2018-03-02 14:51 GMT+03:00 <[email protected]>:
>> Author: markt
>> Date: Fri Mar 2 11:51:19 2018
>> New Revision: 1825713
>>
>> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
>> Log:
>> Work-around a known, non-specification compliant behaviour in some versions
>> of IE that can allow XSS when using the JMX proxy feature of the Manager
>> application.
>> Based on a suggestion from Muthukumar Marikani.
>
> It may be worth to add the same to ManagerServlet, HostManagerServlet
> that use text/plain as well.
I'm not sure. I'll take a closer look but the first one I looked at was
HTML escaped because it is used by both Manager and HTMLManager.
> Also ManagerServlet, HostManagerServlet have an explicit charset in
> their mime-type,
> response.setContentType("text/plain;charset="+Constants.CHARSET);
Good catch. I've added that the JMX text output.
Mark
>
>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>> tomcat/trunk/webapps/docs/changelog.xml
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java?rev=1825713&r1=1825712&r2=1825713&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/manager/JMXProxyServlet.java Fri
>> Mar 2 11:51:19 2018
>> @@ -84,6 +84,10 @@ public class JMXProxyServlet extends Htt
>> public void doGet(HttpServletRequest request, HttpServletResponse
>> response)
>> throws IOException, ServletException {
>> response.setContentType("text/plain");
>> + // Stop older versions of IE thinking they know best. We set
>> text/plain
>> + // in the line above for a reason. IE's behaviour is unwanted at
>> best
>> + // and dangerous at worst.
>> + response.setHeader("X-Content-Type-Options", "nosniff");
>>
>> PrintWriter writer = response.getWriter();
>>
>>
>> Modified: tomcat/trunk/webapps/docs/changelog.xml
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1825713&r1=1825712&r2=1825713&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/docs/changelog.xml (original)
>> +++ tomcat/trunk/webapps/docs/changelog.xml Fri Mar 2 11:51:19 2018
>> @@ -157,6 +157,12 @@
>> Add support for specifying the application version when deploying an
>> application via the Manager application HTML interface. (markt)
>> </add>
>> + <add>
>> + Work-around a known, non-specification compliant behaviour in some
>> + versions of IE that can allow XSS when using the JMX proxy feature
>> of
>> + the Manager application. Based on a suggestion from Muthukumar
>> Marikani.
>> + (markt)
>> + </add>
>> </changelog>
>> </subsection>
>> </section>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
