Author: taylor
Date: Fri Jul 24 01:20:24 2020
New Revision: 1880230
URL: http://svn.apache.org/viewvc?rev=1880230&view=rev
Log:
strengthening XSS filters
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
---
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(original)
+++
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Fri Jul 24 01:20:24 2020
@@ -65,11 +65,11 @@ public class XXSUrlAttackFilter implemen
{
if (xssRequestEnabled) {
HttpServletRequest hreq = (HttpServletRequest) request;
- if (isInvalid(hreq.getQueryString())) {
+ if (isInvalidQuery(hreq.getQueryString())) {
log.error("XSS attack query string found: " +
hreq.getQueryString());
((HttpServletResponse)
response).sendError(HttpServletResponse.SC_BAD_REQUEST);
}
- if (isInvalid(hreq.getRequestURI())) {
+ if (isInvalidUri(hreq.getRequestURI())) {
log.error("XSS attack URI found: " + hreq.getRequestURI());
((HttpServletResponse)
response).sendError(HttpServletResponse.SC_BAD_REQUEST);
}
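Review bot: Neither branch returns after `sendError`, so a request whose query string and URI both trip a check calls `sendError` twice on the same response, and the second call on an already-committed response throws IllegalStateException (ServletResponse.sendError contract); add `return;` after each `sendError(...)`, or fold both conditions into one `if`, unless the lines after this hunk already short-circuit (the method continues outside the hunk). The new `isInvalidQuery` called here (second hunk) indexes `part.split("=")[1]` for every `&`-separated part, which throws ArrayIndexOutOfBoundsException for a parameter with no `=` such as `?debug` or a trailing `&`, so those requests fail with an unhandled exception instead of the intended 400; `String[] kv = part.split("=", 2); if (kv.length < 2) continue;` avoids that and also keeps the whole value when it contains a second `=`. The added `//` test in that helper rejects any query carrying an absolute URL as a value, which is likely a false positive for redirect-style parameters. Finally, the raw `getQueryString()` is written verbatim to the log on both branches; stripping line breaks before logging, e.g. `hreq.getQueryString().replaceAll("[\\r\\n]", "_")`, prevents attacker-controlled input from forging log entries.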
@@ -83,7 +83,36 @@ public class XXSUrlAttackFilter implemen
}
}
- private boolean isInvalid(String value)
+ private boolean isInvalidQuery(String value)
+ {
+ if (value == null) {
+ return false;
+ }
+
+ // watch for invalid characters
+ if (value.indexOf('<') != -1 || value.indexOf('>') != -1 ||
value.indexOf("%3C") != -1
+ || value.indexOf("%3c") != -1 ||
value.indexOf("%3E") != -1 || value.indexOf("%3e") != -1
+ || value.indexOf("//") != -1) {
+ return true;
+ }
+
+ // catch
'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
+ String[] parts = value.split("&");
+ for (String part : parts) {
+ String queryValue =
part.split("=")[1].replaceAll("%22", "\"");
+ if (queryValue.matches("^\"(.*)\"$")) {
+ // properly quoted query value
+ } else if (queryValue.indexOf('"') != -1) {
+ // something fishy
+ return true;
+ }
+ }
+
+ // looks valid to me
+ return false;
+ }
+
+ private boolean isInvalidUri(String value)
{
return (value != null && (value.indexOf('<') != -1 ||
value.indexOf('>') != -1 || value.indexOf("%3C") != -1
|| value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 ||
value.indexOf("%3e") != -1));
Modified:
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties?rev=1880230&r1=1880229&r2=1880230&view=diff
==============================================================================
---
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
(original)
+++
portals/jetspeed-2/portal/trunk/jetspeed-portal-resources/src/main/resources/conf/jetspeed/jetspeed.properties
Fri Jul 24 01:20:24 2020
@@ -448,7 +448,7 @@ preferences.user.enable = true
# since 2.3.0
#-------------------------------------------------------------------------
xss.filter.request = true
-xss.filter.post = false
+xss.filter.post = true
xss.filter.regexes = <script>(.*?)</script>
xss.filter.flags = 2
xss.filter.regexes = </script>
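Review bot: `xss.filter.post = true` is flipped with no comment explaining what is now inspected (presumably the regex list below is applied to POST requests as well) or why the previous default was off, and the surrounding `# since 2.3.0` header is all an operator gets; a line such as `# also apply the xss.filter.regexes below to POST requests (was off before r1880230)` above it would help anyone who needs to revert the setting. The escaping in this regex list is also worth a look: the entry this commit adds in the next hunk of this file, `http(s?)://127.0.0.1`, leaves the dots unescaped so they match any character, whereas the neighbouring `eval\\((.*?)\\)` entries escape their metacharacters; `http(s?)://127\\.0\\.0\\.1` would be consistent with them and match only the literal loopback address.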
@@ -465,6 +465,8 @@ xss.filter.regexes = eval\\((.*?)\\)
xss.filter.flags = 2 | 8 | 32
xss.filter.regexes = expression\\((.*?)\\)
xss.filter.flags = 2 | 8 | 32
+xss.filter.regexes = http(s?)://127.0.0.1
+xss.filter.flags = 2 | 8 | 32
#-------------------------------------------------------------------------
# Auto Refresh