Author: markt Date: Mon Nov 22 17:19:07 2010 New Revision: 1037778 URL: http://svn.apache.org/viewvc?rev=1037778&view=rev Log: Fix CVE-2010-4172. Multiple XSS in Manager web application
Modified:
tomcat/trunk/java/org/apache/catalina/manager/JspHelper.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp
Modified: tomcat/trunk/java/org/apache/catalina/manager/JspHelper.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/JspHelper.java?rev=1037778&r1=1037777&r2=1037778&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/JspHelper.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/JspHelper.java Mon Nov 22 17:19:07 2010
@@ -54,7 +54,7 @@ public class JspHelper {
 }
 private static String localeToString(Locale locale) {
 if (locale != null) {
- return locale.toString();//locale.getDisplayName();
+ return escapeXml(locale.toString());//locale.getDisplayName();
 } else {
 return "";
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1037778&r1=1037777&r2=1037778&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Nov 22 17:19:07 2010
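Review bot: The escaping moves into `localeToString`, but neither the method name nor a comment says that the returned string is already XML-escaped, so a caller that escapes again will double-encode and one that assumes raw locale text will miss it; a one-line Javadoc such as `/** Returns the locale as an XML-escaped string ("" when null); callers must not escape it again. */` above the method would pin that contract down. The commented-out `//locale.getDisplayName();` alternative is carried over onto the new line and should be deleted rather than kept as dead code. Where the locale value originates is not visible in this hunk, so whether it can carry attacker-controlled text is something to confirm against the callers of `localeToString`. The enclosing class continues outside the hunk.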
@@ -295,6 +295,9 @@
 <bug>50310</bug>: Fix display of Servlet information in Manager application. (markt)
 </fix>
+ <fix>
+ CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Other">
Modified: tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp?rev=1037778&r1=1037777&r2=1037778&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp (original)
+++ tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionDetail.jsp Mon Nov 22 17:19:07 2010
@@ -33,10 +33,10 @@
 ContextName cn = new ContextName(path, version);
 Session currentSession = (Session)request.getAttribute("currentSession");
 HttpSession currentHttpSession = currentSession.getSession();
- String currentSessionId = currentSession.getId();
- String submitUrl = response.encodeURL(((HttpServletRequest)
- pageContext.getRequest()).getRequestURI() + "?path=" + path +
- "&version=" + version);
+ String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+ String submitUrl = JspHelper.escapeXml(response.encodeURL(
+ ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+ "?path=" + path + "&version=" + version));
 %>
 <head>
 <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -50,7 +50,7 @@
 <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
-<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
 <table style="text-align: left;" border="0">
 <tr>
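Review bot: In the @@ -33 hunk `submitUrl` is escaped for the attribute context, but `path` and `version` are still concatenated into the query string raw, so a `&`, `#` or `%` in either value changes the URL structure before escapeXml ever sees it; the same construction is in sessionsList.jsp at @@ -31. URL-encoding the two values first, e.g. `"?path=" + URLEncoder.encode(path, "UTF-8") + "&version=" + URLEncoder.encode(version, "UTF-8")` (guarding for null if either attribute can be absent), and then escaping the whole URL keeps the URL and HTML contexts separate. `currentSessionId` now holds a pre-escaped string while other values on this page are escaped at the sink, so a comment such as `// already XML-escaped; do not escape again when emitting` next to the declaration would stop a later double-escape or, worse, a missed one. The @@ -50 hunk that drops the second escapeXml in the <h1> follows from that convention.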
@@ -142,7 +142,7 @@
 <div>
 <input type="hidden" name="action" value="removeSessionAttribute" />
 <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
- <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+ <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
 <%
 if ("Primary".equals(request.getParameter("sessionType"))) {
 %>
@@ -165,7 +165,6 @@ <form method="post" action="<%=submitUrl%>">
 <p style="text-align: center;">
- <input type="hidden" name="path" value="<%= path %>" />
 <input type="submit" value="Return to session list" />
 </p>
 </form>
Modified: tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp?rev=1037778&r1=1037777&r2=1037778&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp (original)
+++ tomcat/trunk/webapps/manager/WEB-INF/jsp/sessionsList.jsp Mon Nov 22 17:19:07 2010
@@ -31,9 +31,9 @@ <%
 String path = (String) request.getAttribute("path");
 String version = (String) request.getAttribute("version");
 ContextName cn = new ContextName(path, version);
- String submitUrl = response.encodeURL(((HttpServletRequest)
- pageContext.getRequest()).getRequestURI() + "?path=" + path +
- "&version=" + version);
+ String submitUrl = JspHelper.escapeXml(response.encodeURL(
+ ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+ "?path=" + path + "&version=" + version));
 Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -45,10 +45,10 @@
 <meta name="author" content="Cedrik LIME"/>
 <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
 <meta name="robots" content="noindex,nofollow,noarchive"/>
- <title>Sessions Administration for <%= cn.getDisplayName() %></title>
+ <title>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></title>
 </head>
 <body>
-<h1>Sessions Administration for <%= cn.getDisplayName() %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></h1>
 <p>Tips:</p>
 <ul>
@@ -62,13 +62,13 @@ <form action="<%= submitUrl %>" method="post" id="sessionsForm">
 <fieldset><legend>Active HttpSessions informations</legend>
 <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
- <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+ <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
 <%
 String order = (String) request.getAttribute("order");
 if (order == null || "".equals(order)) { order = "ASC"; }
 %>
- <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+ <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
 <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
 <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
 <table border="1" cellpadding="2" cellspacing="2" width="100%">
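Review bot: In the @@ -62 hunk the `(String)` cast on the sort hidden input is dropped and `request.getAttribute("sort")` is passed to escapeXml as an Object; this only compiles if JspHelper has an `escapeXml(Object)` overload, and how that overload renders a missing attribute decides what the form posts (the old code emitted the literal text `null`). If the overload maps null to an empty string the request now carries `sort=` instead of `sort=null`, which the handler that reads it should be checked against; keeping the cast, `JspHelper.escapeXml((String) request.getAttribute("sort"))`, makes the intent explicit either way. The attribute sinks in this hunk, and the href in @@ -125, also rely on escapeXml encoding `"` and `'`, which is worth confirming since the implementation is not part of this commit. The enclosing form continues outside the hunk.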
@@ -104,7 +104,7 @@ <%
 Iterator iter = activeSessions.iterator();
 while (iter.hasNext()) {
 Session currentSession = (Session) iter.next();
- String currentSessionId = currentSession.getId();
+ String currentSessionId = JspHelper.escapeXml(currentSession.getId());
 String type;
 if (currentSession instanceof DeltaSession) {
 if (((DeltaSession) currentSession).isPrimarySession()) {
@@ -125,7 +125,7 @@
 out.print(currentSessionId);
 } else {
 %>
- <a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= currentSessionId %>&sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+ <a href="<%= submitUrl %>&action=sessionDetail&sessionId=<%= currentSessionId %>&sessionType=<%= type %>"><%= currentSessionId %></a>
 <%
 }
 %>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
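Review bot: In the @@ -125 hunk `type` is written into the href without escaping; from the visible lines it is filled in the DeltaSession branches, presumably from fixed literals, but if any branch derives it from request data it needs `JspHelper.escapeXml(type)` like the other values. `currentSessionId` is now XML-escaped at its declaration in @@ -104, so inside the href query string it is an attribute-escaped rather than URL-encoded value; a container-generated id is normally hex, but an id containing `&` or `%` would still break the URL, and URL-encoding at the link site before the attribute escape would keep the two contexts separate. A short comment at the @@ -104 declaration, `// XML-escaped once here; every later use in this loop emits it as-is`, would document the convention the `out.print(currentSessionId)` branch and the link text both depend on. The while loop opened in @@ -104 closes outside both hunks.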