Author: markt
Date: Wed Oct  8 10:26:37 2014
New Revision: 1630063

URL: http://svn.apache.org/r1630063
Log:
FindBugs. Ignore a false positive. Add a warning to the code in case someone 
copies this test code for a real app.

Modified:
    tomcat/trunk/res/findbugs/filter-false-positives.xml
    tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java

Modified: tomcat/trunk/res/findbugs/filter-false-positives.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/res/findbugs/filter-false-positives.xml?rev=1630063&r1=1630062&r2=1630063&view=diff
==============================================================================
--- tomcat/trunk/res/findbugs/filter-false-positives.xml (original)
+++ tomcat/trunk/res/findbugs/filter-false-positives.xml Wed Oct  8 10:26:37 
2014
@@ -525,6 +525,7 @@
     <Bug code="RCN" />
   </Match>
 
+
   <!-- Test code -->
   <Match>
     <!-- Code is deliberately unused -->
@@ -670,6 +671,11 @@
     <Bug code="ST" />
   </Match>
   <Match>
+    <Class 
name="org.apache.tomcat.util.http.TestCookieParsing$EchoCookieHeader"/>
+    <Method name="service"/>
+    <Bug pattern="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER"/>
+  </Match>
+  <Match>
     <!-- Return value of latch is intentionally ignored -->
     <Or>
       <Class name="org.apache.tomcat.websocket.TestWebSocketFrameClient"/>
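Review bot: The new `<Match>` for `TestCookieParsing$EchoCookieHeader.service` has no comment explaining why `XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER` is a false positive here, while the neighbouring entries in this file each open with one (`<!-- Code is deliberately unused -->`, `<!-- Return value of latch is intentionally ignored -->`). Someone later auditing the suppression list cannot tell from the filter alone that this is a test-only echo servlet rather than a silenced real finding. Suggest adding as the first child of the new `<Match>`: `<!-- Test servlet deliberately echoes the Cookie header back; not production code -->`.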

Modified: tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java?rev=1630063&r1=1630062&r2=1630063&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java 
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/http/TestCookieParsing.java Wed 
Oct  8 10:26:37 2014
@@ -322,6 +322,7 @@ public class TestCookieParsing extends T
         protected void service(HttpServletRequest req, HttpServletResponse 
resp)
         throws ServletException, IOException {
             req.getCookies();
+            // Never do this in production code. It triggers an XSS.
             resp.getWriter().write(req.getHeader("Cookie"));
             resp.flushBuffer();
         }
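Review bot: The added comment says the write `triggers an XSS` but not what makes it one, which is exactly what a reader copying this servlet needs: the raw `Cookie` request header is reflected into the response body with no output encoding, and the FindBugs suppression added for this method in the same commit relies on it being test-only. Suggest `// Reflects the raw Cookie header unencoded so the test can assert on what the server received.` followed by `// Never do this in production code: it is a reflected XSS.`. Separately, `req.getCookies()` on the line above discards its result; presumably it is called only to force the cookie header to be parsed, and if so a short comment such as `// Result unused; called to force cookie parsing` would spare the next reader the same question. The enclosing class continues outside the hunk.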


