<[email protected]> wrote in message
news:[email protected]...
> Author: markt
> Date: Sat Mar 7 18:45:53 2009
> New Revision: 751304
>
> URL: http://svn.apache.org/viewvc?rev=751304&view=rev
> Log:
> Add AddDefaultCharSetValve
>
> Added:
>
> tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
> (with props)
> Modified:
> tomcat/trunk/webapps/docs/config/valve.xml
>
> Added:
> tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java?rev=751304&view=auto
> ==============================================================================
> +public class AddDefaultCharsetValve
> + extends ValveBase {
> +
> + /**
> + * Check for text/* and no character set and set charset to
> ISO-8859-1 in
> + * those circumstances.
> + */
> + public void invoke(Request request, Response response)
> + throws IOException, ServletException {
> +
> + // Process the request first
> + getNext().invoke(request, response);
This means that 99% of the time, this valve does nothing (except possibly
putting bogus values in the log files), since the response is already
committed.
> +
> + // Test once the response has been generated
> + String ct = response.getContentType();
> + if (ct != null && ct.startsWith("text/")) {
> + // Make sure the charset is explicitly set
> +
> response.setCharacterEncoding(response.getCharacterEncoding());
> + }
> + }
> +
> +}
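Review bot: the ordering in `invoke` defeats the purpose of the valve. `getNext().invoke(request, response)` runs the whole downstream pipeline first, so by the time `response.setCharacterEncoding(response.getCharacterEncoding())` is reached the response will in most cases already be committed, and the Servlet API makes setCharacterEncoding a no-op once the response is committed (or once getWriter has been called), so the charset never reaches the Content-Type header. The charset has to be attached before anything is written: at minimum guard the call with `response.isCommitted()`, and more robustly wrap the response so the charset is appended at the moment the content type is first set. Two smaller points on the same hunk: the Javadoc says the charset is set to ISO-8859-1, but the code sets whatever `getCharacterEncoding()` returns, so the comment should say it relies on that method returning the container default when none was set; and `ct.startsWith("text/")` is case-sensitive although media types are not, so a `Text/Plain` content type slips through.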
>
> Propchange:
> tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
> ------------------------------------------------------------------------------
> svn:eol-style = native
>
> Propchange:
> tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
> ------------------------------------------------------------------------------
> svn:keywords = Date Author Id Revision
>
> Modified: tomcat/trunk/webapps/docs/config/valve.xml
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=751304&r1=751303&r2=751304&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/config/valve.xml (original)
> +++ tomcat/trunk/webapps/docs/config/valve.xml Sat Mar 7 18:45:53 2009
> @@ -484,6 +484,47 @@
> </section>
>
>
> +<section name="Add Default Character Set Valve">
> +
> + <subsection name="Introduction">
> +
> + <p>The HTTP specification is clear that if no character set is
> specified for
> + media sub-types of the "text" media type, the ISO-8859-1 character
> set must
> + be used. However, browsers may attempt to auto-detect the character
> set.
> + This may be exploited by an attacker to perform an XSS attack.
> Internet
> + Explorer has this behaviour by default. Other browsers have an option
> to
> + enable it.</p>
> +
> + <p>This valve prevents the attack by explicitly setting a character
> set.
> + Unless the provided character set is explicitly overridden by the
> user the
> + browser will adhere to the explicitly set character set, thus
> preventing the
> + XSS attack.</p>
> +
> + <p>This Valve may be used at the <code>Engine</code>,
> <code>Host</code> or
> + <code>Context</code> level as required. Normally, this Valve would be
> used
> + at the <code>Engine</code> level.</p>
> +
> + </subsection>
> +
> + <subsection name="Attributes">
> +
> + <p>The <strong>Add Default Character Set Valve</strong> supports the
> + following configuration attributes:</p>
> +
> + <attributes>
> +
> + <attribute name="className" required="true">
> + <p>Java class name of the implementation to use. This MUST be
> set to
> +
> <strong>org.apache.catalina.valves.AddDefaultCharsetValve</strong>.</p>
> + </attribute>
> +
> + </attributes>
> +
> + </subsection>
> +
> +</section>
> +
> +
> </body>
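Review bot: the Introduction claims "This valve prevents the attack by explicitly setting a character set" without saying which character set is set or when, and given the implementation that claim is too strong. The documentation should state that only responses whose content type starts with text/ are affected, that a charset already present is left untouched, that the value applied is the container's default (ISO-8859-1 per the class Javadoc), and that the valve runs after the request has been processed and therefore cannot change a response that is already committed. The Attributes subsection lists only className; if the default charset is intended to be configurable, an attribute for it should be added and documented, otherwise the docs should say the value is fixed.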
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
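The objection above is that a charset applied after the downstream handler has run is usually applied to an already-committed response. As an added example (not the commit's code and not a Tomcat component), here is a servlet Filter that wraps the response so the charset is appended the moment a text/* content type is set, i.e. before anything can be committed. The class name, the `charset` init-param name and the use of the javax.servlet API are assumptions of this example.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Illustrative filter (not Tomcat's code): adds a charset to text/* responses
 * when the content type is set, rather than after the chain has completed,
 * so the change lands before the response is committed.
 */
public class DefaultCharsetFilter implements Filter {

    // ISO-8859-1 is the HTTP default for text/* when no charset is given.
    private String defaultCharset = "ISO-8859-1";

    @Override
    public void init(FilterConfig config) {
        // "charset" is a hypothetical init-param name chosen for this example.
        String configured = config.getInitParameter("charset");
        if (configured != null && !configured.trim().isEmpty()) {
            defaultCharset = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Hand the wrapped response down the chain; every later
            // setContentType/setHeader call goes through the wrapper.
            chain.doFilter(request,
                    new CharsetAddingResponse((HttpServletResponse) response, defaultCharset));
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() { }

    /** Appends ";charset=..." to text/* content types that lack one. */
    static String withCharset(String contentType, String charset) {
        if (contentType == null) {
            return null;
        }
        String lower = contentType.toLowerCase(Locale.ROOT); // media types are case-insensitive
        if (!lower.startsWith("text/") || lower.contains("charset=")) {
            return contentType; // not text, or an explicit charset already present: leave it
        }
        return contentType + ";charset=" + charset;
    }

    static class CharsetAddingResponse extends HttpServletResponseWrapper {
        private final String charset;

        CharsetAddingResponse(HttpServletResponse wrapped, String charset) {
            super(wrapped);
            this.charset = charset;
        }

        @Override
        public void setContentType(String type) {
            super.setContentType(withCharset(type, charset));
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Content-Type".equalsIgnoreCase(name)
                    ? withCharset(value, charset) : value);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Content-Type".equalsIgnoreCase(name)
                    ? withCharset(value, charset) : value);
        }
    }
}
```

The rewrite lives in the static `withCharset` helper so it can be unit-tested without a container; the wrapper is only the delivery mechanism. Because the charset is attached in the same call that sets the content type, the Servlet API restriction that character-encoding changes are ignored after commit or after `getWriter()` never comes into play, which is exactly the gap in the valve's post-invoke approach.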