Author: kkolinko
Date: Sat Feb 16 09:45:00 2019
New Revision: 1853693

URL: http://svn.apache.org/viewvc?rev=1853693&view=rev
Log:
Do not add CSRF nonce parameter and suppress Referer header for external links 
in Manager and Host Manager web applications.

Modified:
    tomcat/trunk/java/org/apache/catalina/manager/Constants.java
    tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
    tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java
    tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java
    
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/manager/Constants.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/Constants.java?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/Constants.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/Constants.java Sat Feb 16 
09:45:00 2019
@@ -23,6 +23,8 @@ public class Constants {
 
     public static final String Package = "org.apache.catalina.manager";
 
+    public static final String REL_EXTERNAL = "rel=\"noopener noreferrer\"";
+
     public static final String HTML_HEADER_SECTION;
     public static final String BODY_HEADER_SECTION;
     public static final String MESSAGE_SECTION;
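Review bot: The new `REL_EXTERNAL` constant has no comment saying why both tokens are there, and the reason is the security point of this commit: `noreferrer` is what keeps the nonce-bearing Manager URL out of the Referer header, whereas `noopener` only matters for links that open a new browsing context and is, in current browsers, implied by `noreferrer`. I would add a Javadoc on the field: `/** rel attribute for anchors that leave the Manager app: noreferrer keeps this page's URL (which carries the CSRF nonce) out of the Referer header; noopener, implied by noreferrer in current browsers, is kept for older ones. */`. It is also worth stating that the attribute only covers anchors, so any future external form action or redirect would need its own handling.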
@@ -118,11 +120,11 @@ public class Constants {
             "<table cellspacing=\"4\" border=\"0\">\n" +
             " <tr>\n" +
             "  <td colspan=\"2\">\n" +
-            "   <a href=\"https://tomcat.apache.org/\";>\n" +
+            "   <a href=\"https://tomcat.apache.org/\"; " + REL_EXTERNAL + 
">\n" +
             "    <img border=\"0\" alt=\"The Tomcat Servlet/JSP Container\"\n" 
+
             "         align=\"left\" src=\"{0}/images/tomcat.gif\">\n" +
             "   </a>\n" +
-            "   <a href=\"https://www.apache.org/\";>\n" +
+            "   <a href=\"https://www.apache.org/\"; " + REL_EXTERNAL + ">\n" +
             "    <img border=\"0\" alt=\"The Apache Software Foundation\" 
align=\"right\"\n" +
             "         src=\"{0}/images/asf-logo.svg\" style=\"width: 266px; 
height: 83px;\">\n" +
             "   </a>\n" +
@@ -159,8 +161,8 @@ public class Constants {
             "</tr>\n" +
             " <tr>\n" +
             "  <td class=\"row-left\"><a href=\"{1}\">{2}</a></td>\n" +
-            "  <td class=\"row-center\"><a href=\"{3}\">{4}</a></td>\n" +
-            "  <td class=\"row-center\"><a href=\"{5}\">{6}</a></td>\n" +
+            "  <td class=\"row-center\"><a href=\"{3}\" " + REL_EXTERNAL + 
">{4}</a></td>\n" +
+            "  <td class=\"row-center\"><a href=\"{5}\" " + REL_EXTERNAL + 
">{6}</a></td>\n" +
             "  <td class=\"row-right\"><a href=\"{7}\">{8}</a></td>\n" +
             " </tr>\n" +
             "</table>\n" +
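Review bot: The template now hard-codes which positional slots are external links (`{3}`, `{5}`, given `rel="noopener noreferrer"`) and which are in-app (`{1}`, `{7}`), but nothing in the constant records that contract; it is enforced only by the three servlets that fill the slots. A comment above the row, `// slots 3 and 5 are help links that leave the app: callers must not pass encodeURL() output (nonce) there`, would keep a later caller from putting a nonce-bearing or session-rewritten URL into an anchor that suppresses the referrer for the wrong reason, or an external URL into `{1}`/`{7}` where it would be sent unmarked. The enclosing string constant's definition begins before this hunk.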
@@ -215,6 +217,5 @@ public class Constants {
 
     public static final String XML_STYLE =
         "<?xml-stylesheet type=\"text/xsl\" href=\"{0}/xform.xsl\" ?>\n";
-
 }
 

Modified: tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java Sat 
Feb 16 09:45:00 2019
@@ -373,11 +373,11 @@ public final class HTMLManagerServlet ex
         args[0] = smClient.getString("htmlManagerServlet.manager");
         args[1] = response.encodeURL(request.getContextPath() + "/html/list");
         args[2] = smClient.getString("htmlManagerServlet.list");
-        args[3] = response.encodeURL
+        args[3] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlManagerServlet.helpHtmlManagerFile"));
         args[4] = smClient.getString("htmlManagerServlet.helpHtmlManager");
-        args[5] = response.encodeURL
+        args[5] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlManagerServlet.helpManagerFile"));
         args[6] = smClient.getString("htmlManagerServlet.helpManager");
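Review bot: The `// External link` comment sits between `args[3] =` and its value, which reads oddly and does not say what was changed or why; the reason is that `response.encodeURL()` is no longer applied, so neither the CSRF nonce nor, when the container falls back to URL session tracking, a `jsessionid` is appended to these URLs. I would move it above the statement as `// Help pages: skip response.encodeURL() so the CSRF nonce (and any URL-rewritten session id) is not appended to a link that leaves the Manager servlet.` The targets are resolved from message-bundle keys, so they presumably point at the docs webapp rather than Manager itself; confirm that, since the `request.getContextPath()` prefix makes them look in-context at first glance.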
@@ -455,9 +455,11 @@ public final class HTMLManagerServlet ex
                 }
 
                 args = new Object[7];
-                args[0] = "<a href=\"" +
-                        URLEncoder.DEFAULT.encode(contextPath + "/", 
StandardCharsets.UTF_8) +
-                        "\">" + Escape.htmlElementContent(displayPath) + 
"</a>";
+                args[0] = // External link
+                        "<a href=\""
+                        + URLEncoder.DEFAULT.encode(contextPath + "/", 
StandardCharsets.UTF_8)
+                        + "\" " + Constants.REL_EXTERNAL + ">"
+                        + Escape.htmlElementContent(displayPath) + "</a>";
                 if ("".equals(ctxt.getWebappVersion())) {
                     args[1] = noVersion;
                 } else {
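Review bot: The anchor now built in `args[0]` points at a deployed application on the same origin, so `noreferrer` is the token doing the work here (a same-origin referrer policy would not stop the Referer), and that is worth saying, since the deployed app is exactly the party that should not learn the nonce in the Manager page URL. I would replace `// External link` with `// Link into a deployed (possibly less trusted) webapp: suppress the Referer so this page's nonce is not disclosed to it.` The `URLEncoder.DEFAULT.encode(...)` output is placed inside a double-quoted attribute; that is safe as long as the encoder never leaves `"` unencoded, which looks to be the case but is assumed here. The enclosing loop begins before this hunk.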

Modified: 
tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/manager/StatusManagerServlet.java Sat 
Feb 16 09:45:00 2019
@@ -235,11 +235,11 @@ public class StatusManagerServlet
         args[0] = smClient.getString("htmlManagerServlet.manager");
         args[1] = response.encodeURL(request.getContextPath() + "/html/list");
         args[2] = smClient.getString("htmlManagerServlet.list");
-        args[3] = response.encodeURL
+        args[3] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlManagerServlet.helpHtmlManagerFile"));
         args[4] = smClient.getString("htmlManagerServlet.helpHtmlManager");
-        args[5] = response.encodeURL
+        args[5] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlManagerServlet.helpManagerFile"));
         args[6] = smClient.getString("htmlManagerServlet.helpManager");
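Review bot: This header-argument block is a verbatim copy of the one in `HTMLManagerServlet` (and `HTMLHostManagerServlet` carries a third), so the property the commit establishes, that slots 3 and 5 are never passed through `response.encodeURL()`, is now maintained by hand in three places and will drift if one of them is edited alone. A one-line comment above `args[3]`, `// no encodeURL(): help links leave the app and must not carry the CSRF nonce`, is the minimum; extracting the seven assignments into a shared package-private helper would remove the duplication entirely. The method this block belongs to starts outside the hunk.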

Modified: tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/host/Constants.java Sat Feb 
16 09:45:00 2019
@@ -23,6 +23,8 @@ public class Constants {
 
     public static final String Package = "org.apache.catalina.manager.host";
 
+    public static final String REL_EXTERNAL = 
org.apache.catalina.manager.Constants.REL_EXTERNAL;
+
     public static final String MESSAGE_SECTION =
         "<table border=\"1\" cellspacing=\"0\" cellpadding=\"3\">\n" +
         " <tr>\n" +
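Review bot: The `REL_EXTERNAL` alias is a second public constant with the same value as `org.apache.catalina.manager.Constants.REL_EXTERNAL`, and nothing marks it as an alias, so a reader of the host package will not know which one is authoritative. A Javadoc `/** Alias of {@link org.apache.catalina.manager.Constants#REL_EXTERNAL}; defined there, re-exported here to keep the templates in this class short. */` makes the relationship explicit. The fully qualified name in the initializer is reasonable given the `Constants` name clash between the two packages.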
@@ -41,8 +43,8 @@ public class Constants {
         "</tr>\n" +
         " <tr>\n" +
         "  <td class=\"row-left\"><a href=\"{1}\">{2}</a></td>\n" +
-        "  <td class=\"row-center\"><a href=\"{3}\">{4}</a></td>\n" +
-        "  <td class=\"row-center\"><a href=\"{5}\">{6}</a></td>\n" +
+        "  <td class=\"row-center\"><a href=\"{3}\" " + REL_EXTERNAL + 
">{4}</a></td>\n" +
+        "  <td class=\"row-center\"><a href=\"{5}\" " + REL_EXTERNAL + 
">{6}</a></td>\n" +
         "  <td class=\"row-right\"><a href=\"{7}\">{8}</a></td>\n" +
         " </tr>\n" +
         "</table>\n" +
@@ -85,6 +87,5 @@ public class Constants {
         "</body>\n" +
         "</html>";
     public static final String CHARSET="utf-8";
-
 }
 

Modified: 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
Sat Feb 16 09:45:00 2019
@@ -291,11 +291,11 @@ public final class HTMLHostManagerServle
         args[0] = smClient.getString("htmlHostManagerServlet.manager");
         args[1] = response.encodeURL(request.getContextPath() + "/html/list");
         args[2] = smClient.getString("htmlHostManagerServlet.list");
-        args[3] = response.encodeURL
+        args[3] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlHostManagerServlet.helpHtmlManagerFile"));
         args[4] = smClient.getString("htmlHostManagerServlet.helpHtmlManager");
-        args[5] = response.encodeURL
+        args[5] = // External link
             (request.getContextPath() + "/" +
              smClient.getString("htmlHostManagerServlet.helpManagerFile"));
         args[6] = smClient.getString("htmlHostManagerServlet.helpManager");
@@ -339,7 +339,8 @@ public final class HTMLHostManagerServle
 
             if (host != null ) {
                 args = new Object[2];
-                args[0] = Escape.htmlElementContent(hostName);
+                args[0] = // External link
+                        Escape.htmlElementContent(hostName);
                 String[] aliases = host.findAliases();
                 StringBuilder buf = new StringBuilder();
                 if (aliases.length > 0) {
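Review bot: The `// External link` comment on `args[0] = Escape.htmlElementContent(hostName)` is misleading: the value is the escaped host name, not a link, and it only becomes one when `HOSTS_ROW_DETAILS_SECTION` interpolates `{0}` into both the `href="http://{0}"` attribute and the anchor text. I would write `// Host name; HOSTS_ROW_DETAILS_SECTION renders it as an external http:// link (both href and link text).` The helper's name suggests element-content escaping, while the same value also lands inside a double-quoted attribute; if it does not encode `"`, a host name containing one could break out of the attribute, so confirm the helper covers that or escape the attribute use separately. The enclosing `if (host != null)` block continues past the hunk.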
@@ -490,7 +491,8 @@ public final class HTMLHostManagerServle
 
     private static final String HOSTS_ROW_DETAILS_SECTION =
         "<tr>\n" +
-        " <td class=\"row-left\"><small><a href=\"http://{0}\";>{0}</a>" +
+        " <td class=\"row-left\"><small><a href=\"http://{0}\"; "
+                + Constants.REL_EXTERNAL + ">{0}</a>" +
         "</small></td>\n" +
         " <td class=\"row-center\"><small>{1}</small></td>\n";
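Review bot: The `{0}` placeholder is used twice, once as an attribute value and once as element content, and the constant does not say what its callers must guarantee about it. A comment on the constant, `// {0} is an HTML-escaped host name; it is used both inside href="..." and as text, so callers must escape for attribute context too`, documents the contract now that the anchor also carries `rel="noopener noreferrer"`. The hard-coded `http://` scheme predates this change; with `noreferrer` the nonce no longer leaks to that plaintext target, but the link still directs the administrator's browser to an unencrypted URL, which may be worth a follow-up.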
 

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1853693&r1=1853692&r2=1853693&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat Feb 16 09:45:00 2019
@@ -96,6 +96,10 @@
         Improve display of summary values on the status page of Manager web
         application: separate terms and values with a whitespace. (kkolinko)
       </fix>
+      <fix>
+        Do not add CSRF nonce parameter and suppress Referer header for 
external
+        links in Manager and Host Manager web applications. (kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Tribes">


