This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 8158309843 Obfuscate session cookie values for JSON output as well as
HTML
8158309843 is described below
commit 81583098434864b92d7be1d39fed5affd853648d
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Dec 2 16:36:31 2024 +0000
Obfuscate session cookie values for JSON output as well as HTML
---
webapps/docs/changelog.xml | 4 ++++
.../examples/WEB-INF/classes/RequestHeaderExample.java | 18 +++++++++++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d17fb78b0d..99c9839252 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -272,6 +272,10 @@
<code>allowedInternalProxies</code>. Pull request <pr>786</pr> provided
by Jorge Díaz. (markt)
</fix>
+ <fix>
+ Examples. Expand the obfuscation of session cookie values in the
request
+ header example to JSON responses. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
index 993a4463d4..db6e4b10c5 100644
--- a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
+++ b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
@@ -73,7 +73,7 @@ public class RequestHeaderExample extends HttpServlet {
// text/html, application/html, etc.
if (accept.contains("html")) {
- return false;
+ return true;
}
}
return false;
@@ -138,8 +138,20 @@ public class RequestHeaderExample extends HttpServlet {
String headerName = e.nextElement();
String headerValue = request.getHeader(headerName);
-
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"")
- .append(JSONFilter.escape(headerValue)).append("\"}");
+
out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"");
+
+
+ if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
+ HttpSession session = request.getSession(false);
+ String sessionId = null;
+ if (session != null) {
+ sessionId = session.getId();
+ }
+ out.append(JSONFilter.escape(CookieFilter.filter(headerValue,
sessionId)));
+ } else {
+ out.append(JSONFilter.escape(headerValue));
+ }
+ out.append("\"}");
if (e.hasMoreElements()) {
out.append(',');