Author: pbenedict
Date: Thu Jun 19 18:52:54 2014
New Revision: 1603997
URL: http://svn.apache.org/r1603997
Log:
CVE-2008-2025
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java
struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
Thu Jun 19 18:52:54 2014
@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils
import org.apache.struts.taglib.logic.IterateTag;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.RequestUtils;
+import org.apache.struts.util.ResponseUtils;
/**
* Base class for tags that render form elements capable of including
JavaScript
@@ -898,10 +899,13 @@ public abstract class BaseHandlerTag ext
*/
protected void prepareAttribute(StringBuffer handlers, String name, Object
value) {
if (value != null) {
+ if (name.indexOf('"') >= 0) {
+ throw new IllegalArgumentException("quote character in
attribute name");
+ }
handlers.append(" ");
handlers.append(name);
handlers.append("=\"");
- handlers.append(value);
+ handlers.append(ResponseUtils.filterIfQuote(value.toString()));
handlers.append("\"");
}
}
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/FormTag.java
Thu Jun 19 18:52:54 2014
@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleCo
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.RequestUtils;
+import org.apache.struts.util.ResponseUtils;
/**
* Custom tag that represents an input form, associated with a bean whose
@@ -546,12 +547,11 @@ public class FormTag extends TagSupport
(HttpServletResponse) this.pageContext.getResponse();
results.append(" action=\"");
- results.append(
+ results.append(ResponseUtils.filterIfQuote(
response.encodeURL(
TagUtils.getInstance().getActionMappingURL(
this.action,
- this.pageContext)));
-
+ this.pageContext))));
results.append("\"");
}
@@ -580,7 +580,7 @@ public class FormTag extends TagSupport
results.append("<div><input type=\"hidden\" name=\"");
results.append(Constants.TOKEN_KEY);
results.append("\" value=\"");
- results.append(token);
+ results.append(ResponseUtils.filterIfQuote(token));
if (this.isXhtml()) {
results.append("\" />");
} else {
@@ -598,10 +598,13 @@ public class FormTag extends TagSupport
*/
protected void renderAttribute(StringBuffer results, String attribute,
String value) {
if (value != null) {
+ if (attribute.indexOf('"') >= 0) {
+ throw new IllegalArgumentException("quote character in
attribute name");
+ }
results.append(" ");
results.append(attribute);
results.append("=\"");
- results.append(value);
+ results.append(ResponseUtils.filterIfQuote(value));
results.append("\"");
}
}
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/HtmlTag.java
Thu Jun 19 18:52:54 2014
@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSuppo
import org.apache.struts.Globals;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
+import org.apache.struts.util.ResponseUtils;
/**
* Renders an HTML <html> element with appropriate language attributes if
@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport
if ((this.lang || this.locale || this.xhtml) && validLanguage) {
sb.append(" lang=\"");
- sb.append(language);
+ sb.append(ResponseUtils.filterIfQuote(language));
if (validCountry) {
sb.append("-");
- sb.append(country);
+ sb.append(ResponseUtils.filterIfQuote(country));
}
sb.append("\"");
}
if (this.xhtml && validLanguage) {
sb.append(" xml:lang=\"");
- sb.append(language);
+ sb.append(ResponseUtils.filterIfQuote(language));
if (validCountry) {
sb.append("-");
- sb.append(country);
+ sb.append(ResponseUtils.filterIfQuote(country));
}
sb.append("\"");
}
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
Thu Jun 19 18:52:54 2014
@@ -46,6 +46,7 @@ import org.apache.struts.action.ActionMa
import org.apache.struts.config.ModuleConfig;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
+import org.apache.struts.util.ResponseUtils;
import org.apache.struts.validator.Resources;
import org.apache.struts.validator.ValidatorPlugIn;
@@ -850,7 +851,7 @@ public class JavascriptValidatorTag exte
}
if (this.src != null) {
- start.append(" src=\"" + src + "\"");
+ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
}
start.append("> \n");
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionTag.java
Thu Jun 19 18:52:54 2014
@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagS
import org.apache.struts.Globals;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
+import org.apache.struts.util.ResponseUtils;
/**
* Tag for select options. The body of this tag is presented to the user
@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSu
protected String renderOptionElement() throws JspException {
StringBuffer results = new StringBuffer("<option value=\"");
- results.append(this.value);
+ results.append(ResponseUtils.filterIfQuote(this.value));
results.append("\"");
if (disabled) {
results.append(" disabled=\"disabled\"");
@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSu
}
if (style != null) {
results.append(" style=\"");
- results.append(style);
+ results.append(ResponseUtils.filterIfQuote(style));
results.append("\"");
}
if (styleId != null) {
results.append(" id=\"");
- results.append(styleId);
+ results.append(ResponseUtils.filterIfQuote(styleId));
results.append("\"");
}
if (styleClass != null) {
results.append(" class=\"");
- results.append(styleClass);
+ results.append(ResponseUtils.filterIfQuote(styleClass));
results.append("\"");
}
results.append(">");
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
Thu Jun 19 18:52:54 2014
@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.Prop
import org.apache.struts.util.IteratorAdapter;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
+import org.apache.struts.util.ResponseUtils;
/**
* Tag for creating multiple <select> options from a collection. The
@@ -291,7 +292,7 @@ public class OptionsCollectionTag extend
if (filter) {
sb.append(TagUtils.getInstance().filter(value));
} else {
- sb.append(value);
+ sb.append(ResponseUtils.filterIfQuote(value));
}
sb.append("\"");
if (matched) {
@@ -299,12 +300,12 @@ public class OptionsCollectionTag extend
}
if (style != null) {
sb.append(" style=\"");
- sb.append(style);
+ sb.append(ResponseUtils.filterIfQuote(style));
sb.append("\"");
}
if (styleClass != null) {
sb.append(" class=\"");
- sb.append(styleClass);
+ sb.append(ResponseUtils.filterIfQuote(styleClass));
sb.append("\"");
}
@@ -313,7 +314,7 @@ public class OptionsCollectionTag extend
if (filter) {
sb.append(TagUtils.getInstance().filter(label));
} else {
- sb.append(label);
+ sb.append(ResponseUtils.filterIfQuote(label));
}
sb.append("</option>\r\n");
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/OptionsTag.java
Thu Jun 19 18:52:54 2014
@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.Prop
import org.apache.struts.util.IteratorAdapter;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
+import org.apache.struts.util.ResponseUtils;
/**
* Tag for creating multiple <select> options from a collection. The
@@ -313,7 +314,7 @@ public class OptionsTag extends TagSuppo
if (filter) {
sb.append(TagUtils.getInstance().filter(value));
} else {
- sb.append(value);
+ sb.append(ResponseUtils.filterIfQuote(value));
}
sb.append("\"");
if (matched) {
@@ -321,12 +322,12 @@ public class OptionsTag extends TagSuppo
}
if (style != null) {
sb.append(" style=\"");
- sb.append(style);
+ sb.append(ResponseUtils.filterIfQuote(style));
sb.append("\"");
}
if (styleClass != null) {
sb.append(" class=\"");
- sb.append(styleClass);
+ sb.append(ResponseUtils.filterIfQuote(styleClass));
sb.append("\"");
}
@@ -335,7 +336,7 @@ public class OptionsTag extends TagSuppo
if (filter) {
sb.append(TagUtils.getInstance().filter(label));
} else {
- sb.append(label);
+ sb.append(ResponseUtils.filterIfQuote(label));
}
sb.append("</option>\r\n");
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/taglib/html/RewriteTag.java
Thu Jun 19 18:52:54 2014
@@ -23,6 +23,7 @@ import java.util.Map;
import javax.servlet.jsp.JspException;
+import org.apache.struts.util.ResponseUtils;
import org.apache.struts.taglib.TagUtils;
/**
@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag
(messages.getMessage("rewrite.url", e.toString()));
}
- TagUtils.getInstance().write(pageContext, url);
+ TagUtils.getInstance().write(pageContext,
+ ResponseUtils.filterIfQuote(url));
return (SKIP_BODY);
Modified:
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java
URL:
http://svn.apache.org/viewvc/struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java
(original)
+++
struts/struts1/branches/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/ResponseUtils.java
Thu Jun 19 18:52:54 2014
@@ -220,5 +220,36 @@ public class ResponseUtils {
}
-
+ /**
+ * Replace double-quote characters in the input string with
+ * proper HTML encoding.
+ *
+ * No other HTML-encoding is performed. As a result, the return value
+ * can only be safely used in (X)HTML attributes surrounded by
+ * double-quote characters (<code>"</code>).
+ *
+ * <p>Note that you should not use this function in new code.
+ * It is only intended for old code which needs to be
+ * backwards-compatible with incompletely-quoted attributes.
+ *
+ * @return a fresh string object if quoting is needed,
+ * otherwise the input string
+ */
+ public static String filterIfQuote(String value) {
+ if (value == null)
+ return null;
+ if (value.indexOf('"') >= 0) {
+ StringBuffer sb = new StringBuffer(value.length() + 2);
+ for (int i = 0; i < value.length(); ++i) {
+ final char ch = value.charAt(i);
+ if (ch == '"')
+ sb.append(""");
+ else
+ sb.append(ch);
+ }
+ return sb.toString();
+ }
+ return value;
+ }
+
}
Modified:
struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java
URL:
http://svn.apache.org/viewvc/struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java?rev=1603997&r1=1603996&r2=1603997&view=diff
==============================================================================
---
struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java
(original)
+++
struts/struts1/trunk/faces/src/main/java/org/apache/struts/faces/taglib/JavascriptValidatorTag.java
Thu Jun 19 18:52:54 2014
@@ -53,6 +53,7 @@ import org.apache.struts.faces.component
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.ModuleUtils;
+import org.apache.struts.util.ResponseUtils;
import org.apache.struts.validator.Resources;
import org.apache.struts.validator.ValidatorPlugIn;
@@ -711,7 +712,7 @@ public class JavascriptValidatorTag exte
}
if (this.src != null) {
- start.append(" src=\"" + src + "\"");
+ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
}
start.append("> \n");
