This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 1d88dd3ffa Obfuscate session cookie values for JSON output as well as
HTML
1d88dd3ffa is described below
commit 1d88dd3ffaed76188dd4ee32ce77709ce6e153cd
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Dec 2 16:36:31 2024 +0000
Obfuscate session cookie values for JSON output as well as HTML
---
webapps/docs/changelog.xml | 4 ++++
.../examples/WEB-INF/classes/RequestHeaderExample.java | 18 +++++++++++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4a15dcd05d..1431d3ebd9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -246,6 +246,10 @@
Examples. Fix broken links when Servlet Request Info example is called
via a URL that includes a pathInfo component. (markt)
</fix>
+ <fix>
+ Examples. Expand the obfuscation of session cookie values in the
request
+ header example to JSON responses. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name = "Other">
diff --git a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
index b01c84f33e..e32f8c2336 100644
--- a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
+++ b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
@@ -73,7 +73,7 @@ public class RequestHeaderExample extends HttpServlet {
// text/html, application/html, etc.
if (accept.contains("html")) {
- return false;
+ return true;
}
}
return false;
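Review bot: Returning `true` at the `html` check gives that branch a result distinct from the method's fall-through `return false` for the first time, so this commit appears to change which response format is selected for an Accept header containing `html`, yet the changelog entry in this commit mentions only the cookie obfuscation; a second `<fix>` sentence noting the content-negotiation correction would help readers of the release notes. The substring match also accepts `application/xhtml+xml` and ignores q-values, which may be intended given the comment's `etc.`, but a comment stating that intent, e.g. `// Any subtype containing "html" (xhtml included) is treated as an HTML client; q-values are not considered`, would make it explicit. The enclosing method starts outside the hunk.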
@@ -138,8 +138,20 @@ public class RequestHeaderExample extends HttpServlet {
String headerName = e.nextElement();
String headerValue = request.getHeader(headerName);
-
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"")
- .append(JSONFilter.escape(headerValue)).append("\"}");
+
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"");
+
+
+ if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
+ HttpSession session = request.getSession(false);
+ String sessionId = null;
+ if (session != null) {
+ sessionId = session.getId();
+ }
+ out.append(JSONFilter.escape(CookieFilter.filter(headerValue,
sessionId)));
+ } else {
+ out.append(JSONFilter.escape(headerValue));
+ }
+ out.append("\"}");
if (e.hasMoreElements()) {
out.append(',');
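Review bot: The session-id lookup added at `HttpSession session = request.getSession(false);` runs inside the per-header loop, once for every header whose name contains `cookie`, and it duplicates the obfuscation step the commit title says the HTML output already performs (that branch is outside this hunk, so its exact shape is inferred). Pulling the lookup and the `CookieFilter.filter` call into one private helper used by both output paths would keep the JSON and HTML responses from drifting apart again, which is precisely the gap this commit closes. With `getSession(false)`, a request that carries a session cookie for an expired or foreign session yields `sessionId == null`, and the new code is only correct if `CookieFilter.filter` obfuscates every session cookie value in that case, so that assumption deserves a comment such as `// sessionId is null when this request has no session; CookieFilter is expected to obfuscate all session cookie values then — confirm`. The `while` loop enclosing these lines starts and ends outside the hunk.
```java
String headerName = e.nextElement();
String headerValue = filterHeaderValue(request, headerName, request.getHeader(headerName));
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"")
        .append(JSONFilter.escape(headerValue)).append("\"}");
// … unchanged: separator handling and loop close …

/**
 * Returns the header value to display. For any header whose name contains
 * "cookie" the value is passed through CookieFilter so session IDs are not
 * echoed back unfiltered; other headers are returned as-is.
 */
private static String filterHeaderValue(HttpServletRequest request, String headerName, String headerValue) {
    if (!headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
        return headerValue;
    }
    HttpSession session = request.getSession(false);
    // null when this request has no session; CookieFilter is expected to obfuscate every session cookie then — confirm
    String sessionId = session == null ? null : session.getId();
    return CookieFilter.filter(headerValue, sessionId);
}
```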