Bill Barker wrote:
<ma...@apache.org> wrote in message
news:20090307184553.971be2388...@eris.apache.org...
Author: markt
Date: Sat Mar 7 18:45:53 2009
New Revision: 751304
URL: http://svn.apache.org/viewvc?rev=751304&view=rev
Log:
Add AddDefaultCharSetValve
Added:
tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
(with props)
Modified:
tomcat/trunk/webapps/docs/config/valve.xml
Added:
tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java?rev=751304&view=auto
==============================================================================
+public class AddDefaultCharsetValve
+ extends ValveBase {
+
+ /**
+ * Check for text/* and no character set and set charset to
ISO-8859-1 in
+ * those circumstances.
+ */
+ public void invoke(Request request, Response response)
+ throws IOException, ServletException {
+
+ // Process the request first
+ getNext().invoke(request, response);
This means that 99% of the time, this valve does nothing (except possibly putting bogus values in the log files), since the response is already committed.
Maybe better to implement it as a filter with a response wrapper that reacts to setContentType.
Filip
+
+ // Test once the response has been generated
+ String ct = response.getContentType();
+ if (ct != null && ct.startsWith("text/")) {
+ // Make sure the charset is explicitly set
+
response.setCharacterEncoding(response.getCharacterEncoding());
+ }
+ }
+
+}
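Review bot: the charset fix in invoke() runs only after getNext().invoke(request, response) has returned, so whenever the servlet has already committed the response, response.setCharacterEncoding(...) is a no-op under the Servlet specification and the Content-Type header has already been sent without a charset; the protection therefore only reaches small responses that were never flushed, and the check needs to happen before the headers go out (for instance by intercepting the content-type setting, as Filip suggests) if the valve approach is kept. The Javadoc also promises ISO-8859-1 while the code re-applies whatever response.getCharacterEncoding() returns; either set the constant explicitly or reword the comment so the two agree. Finally, ct.startsWith("text/") is case-sensitive although media types are not, so a content type such as "Text/html" is skipped.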
Propchange:
tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
tomcat/trunk/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=751304&r1=751303&r2=751304&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Sat Mar 7 18:45:53 2009
@@ -484,6 +484,47 @@
</section>
+<section name="Add Default Character Set Valve">
+
+ <subsection name="Introduction">
+
+ <p>The HTTP specification is clear that if no character set is
specified for
+ media sub-types of the "text" media type, the ISO-8859-1 character
set must
+ be used. However, browsers may attempt to auto-detect the character
set.
+ This may be exploited by an attacker to perform an XSS attack.
Internet
+ Explorer has this behaviour by default. Other browsers have an option
to
+ enable it.</p>
+
+ <p>This valve prevents the attack by explicitly setting a character
set.
+ Unless the provided character set is explicitly overridden by the
user the
+ browser will adhere to the explicitly set character set, thus
preventing the
+ XSS attack.</p>
+
+ <p>This Valve may be used at the <code>Engine</code>,
<code>Host</code> or
+ <code>Context</code> level as required. Normally, this Valve would be
used
+ at the <code>Engine</code> level.</p>
+
+ </subsection>
+
+ <subsection name="Attributes">
+
+ <p>The <strong>Add Default Character Set Valve</strong> supports the
+ following configuration attributes:</p>
+
+ <attributes>
+
+ <attribute name="className" required="true">
+ <p>Java class name of the implementation to use. This MUST be
set to
+
<strong>org.apache.catalina.valves.AddDefaultCharsetValve</strong>.</p>
+ </attribute>
+
+ </attributes>
+
+ </subsection>
+
+</section>
+
+
</body>
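Review bot: the Attributes subsection lists only className, and nothing in the new section tells an administrator which responses the valve changes or what it sets; state that it acts only on responses whose Content-Type starts with text/ and carries no charset, that the value applied is the ISO-8859-1 default named in the Introduction, and that a response already committed before the valve runs is left as is. A one-line configuration example, such as <Valve className="org.apache.catalina.valves.AddDefaultCharsetValve"/>, would make the className requirement concrete, and the sentence "Unless the provided character set is explicitly overridden by the user the browser will adhere..." needs a comma after "user".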
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org