(tomcat) branch 11.0.x updated: Obfuscate session cookie values for JSON output as well as HTML

Mon, 02 Dec 2024 11:30:16 -0800 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 4f02366069 Obfuscate session cookie values for JSON output as well as 
HTML
4f02366069 is described below

commit 4f0236606961176257b883213e1621b1859ed746
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Dec 2 16:36:31 2024 +0000

    Obfuscate session cookie values for JSON output as well as HTML
---
 webapps/docs/changelog.xml                             |  4 ++++
 .../examples/WEB-INF/classes/RequestHeaderExample.java | 18 +++++++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c9aea486a1..af4536506f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -256,6 +256,10 @@
         Examples. Fix broken links when Servlet Request Info example is called
         via a URL that includes a pathInfo component. (markt)
       </fix>
+      <fix>
+        Examples. Expand the obfuscation of session cookie values in the 
request
+        header example to JSON responses. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name = "Other">
diff --git a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java 
b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
index 993a4463d4..db6e4b10c5 100644
--- a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
+++ b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
@@ -73,7 +73,7 @@ public class RequestHeaderExample extends HttpServlet {
 
             // text/html, application/html, etc.
             if (accept.contains("html")) {
-                return false;
+                return true;
             }
         }
         return false;
@@ -138,8 +138,20 @@ public class RequestHeaderExample extends HttpServlet {
             String headerName = e.nextElement();
             String headerValue = request.getHeader(headerName);
 
-            
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"")
-                    .append(JSONFilter.escape(headerValue)).append("\"}");
+            
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"");
+
+
+            if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
+                HttpSession session = request.getSession(false);
+                String sessionId = null;
+                if (session != null) {
+                    sessionId = session.getId();
+                }
+                out.append(JSONFilter.escape(CookieFilter.filter(headerValue, 
sessionId)));
+            } else {
+                out.append(JSONFilter.escape(headerValue));
+            }
+            out.append("\"}");
 
             if (e.hasMoreElements()) {
                 out.append(',');


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to