2012/5/13 Mark Thomas <ma...@apache.org>:
> On 13/05/2012 00:56, kkoli...@apache.org wrote:
>> Author: kkolinko
>> Date: Sat May 12 23:56:13 2012
>> New Revision: 1337741
>>
>> URL: http://svn.apache.org/viewvc?rev=1337741&view=rev
>> Log:
>> Pass all string values through the filter in RequestInfoExample servlet.
>
> Those values were not passed through the filter since it is not possible
> for them to have values that need filtering.
>
> For example, if method contains HTML it will never get as far as the
> Servlet since it is not a valid request. The same for scheme.
>
> Remote address and cipher suite are provided via APIs that always return
> safe values.
>
If there is a (mis)configured RemoteIpValve, it can inject random values
into those attributes.

I was more concerned that I do not remember what the constraints on the
cipherSuite value are. Thus I went with filtering, to get correct HTML in
the output, like in r1337745.

snoop.jsp already filters all values, so it is for consistency as well.

Best regards,
Konstantin Kolinko

>>
>> Modified:
>> tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
>>
>> Modified:
>> tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java?rev=1337741&r1=1337740&r2=1337741&view=diff
>> ==============================================================================
>> --- tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
>> (original)
>> +++ tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
>> Sat May 12 23:56:13 2012
>> @@ -75,7 +75,7 @@ public class RequestInfoExample extends
>> out.println("<table border=0><tr><td>");
>> out.println(RB.getString("requestinfo.label.method"));
>> out.println("</td><td>");
>> - out.println(request.getMethod());
>> + out.println(HTMLFilter.filter(request.getMethod()));
>> out.println("</td></tr><tr><td>");
>> out.println(RB.getString("requestinfo.label.requesturi"));
>> out.println("</td><td>");
>> @@ -83,7 +83,7 @@ public class RequestInfoExample extends
>> out.println("</td></tr><tr><td>");
>> out.println(RB.getString("requestinfo.label.protocol"));
>> out.println("</td><td>");
>> - out.println(request.getProtocol());
>> + out.println(HTMLFilter.filter(request.getProtocol()));
>> out.println("</td></tr><tr><td>");
>> out.println(RB.getString("requestinfo.label.pathinfo"));
>> out.println("</td><td>");
>> @@ -91,7 +91,7 @@ public class RequestInfoExample extends
>> out.println("</td></tr><tr><td>");
>> out.println(RB.getString("requestinfo.label.remoteaddr"));
>> out.println("</td><td>");
>> - out.println(request.getRemoteAddr());
>> + out.println(HTMLFilter.filter(request.getRemoteAddr()));
>> out.println("</td></tr>");
>>
>> String cipherSuite=
>> @@ -100,7 +100,7 @@ public class RequestInfoExample extends
>> out.println("<tr><td>");
>> out.println("SSLCipherSuite:");
>> out.println("</td><td>");
>> - out.println(cipherSuite);
>> + out.println(HTMLFilter.filter(cipherSuite));
>> out.println("</td></tr>");
>> }
>>
>>
>>
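Review bot: In the `@@ -75` hunk, filtering `request.getMethod()` is redundant for a well-formed request, as the parent post notes, since the method has already passed the HTTP parser; it is cheap and harmless, though. What the diff does not show is the request URI printed right after the trailing context line `out.println(RB.getString("requestinfo.label.requesturi"));`; the log message "Pass all string values through the filter" implies it is already filtered, so that line should be confirmed rather than assumed.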
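Review bot: The `@@ -83` hunk applies the same wrapper to `request.getProtocol()`, which is fine for consistency, but the path info value printed after the trailing context line `out.println(RB.getString("requestinfo.label.pathinfo"));` falls outside the hunk; unlike the method and protocol, path info is taken from the request URI and can carry arbitrary characters, so it is the line that most needs to be verified as filtered.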
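Review bot: Filtering `request.getRemoteAddr()` in the `@@ -91` hunk is justified by the RemoteIpValve point in the reply: with that valve enabled and its trusted-proxy settings too permissive, the value is taken from a client-supplied header rather than from the socket, so it is not guaranteed to look like an address. A one-line comment next to `+ out.println(HTMLFilter.filter(request.getRemoteAddr()));` saying why the filter is there would stop a later cleanup from removing it as unnecessary.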
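Review bot: In the `@@ -100` hunk `cipherSuite` is a local populated from the attribute lookup that begins at the `String cipherSuite=` context line, and the closing `}` in the hunk suggests the println sits inside a guard. Confirm either that the guard excludes the case where the attribute is absent (a plain HTTP connection) or that `HTMLFilter.filter` tolerates a null argument; otherwise `+ out.println(HTMLFilter.filter(cipherSuite));` turns what used to print "null" into an exception.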
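The point of the discussion above is that output escaping should be applied uniformly to every request-derived string, including those believed to be "always safe", because a configuration change elsewhere (the RemoteIpValve case) can turn such a value into attacker-influenced input. The following is an added example written for this thread; it is not Tomcat's `HTMLFilter` nor the `RequestInfoExample` servlet, and the class, method names and the sample values are all constructed here. It renders the same kind of label/value table the servlet produces, escapes each value exactly once, and shows the null case that the cipher suite attribute presents on a non-SSL connection.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class, not project code): a minimal HTML
// escaper plus a table renderer that applies it to every value.
public class RequestInfoEscapingExample {

    /** Escape the characters that change meaning in HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return null; // let the caller decide how a missing value is shown
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render label/value rows the way the servlet does, escaping every value once. */
    static String renderTable(Map<String, String> values) {
        StringBuilder out = new StringBuilder("<table border=\"0\">\n");
        for (Map.Entry<String, String> e : values.entrySet()) {
            String v = e.getValue();
            out.append("<tr><td>").append(escapeHtml(e.getKey())).append("</td><td>");
            // A null value (e.g. cipher suite attribute on plain HTTP) is
            // rendered as an empty cell instead of being passed to the escaper.
            out.append(v == null ? "" : escapeHtml(v));
            out.append("</td></tr>\n");
        }
        return out.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request.getMethod(),
        // getProtocol(), getRemoteAddr() and the SSL cipher suite attribute.
        Map<String, String> info = new LinkedHashMap<>();
        info.put("Method", "GET");
        info.put("Protocol", "HTTP/1.1");
        // What a RemoteIpValve trusting the wrong proxy could surface from a
        // client-supplied header: markup rather than an address (constructed).
        info.put("Remote address", "<b>not-an-ip</b>");
        info.put("SSLCipherSuite", null); // plain HTTP: attribute absent

        String html = renderTable(info);
        System.out.println(html);

        // The markup in the remote address value must be inert in the output.
        if (html.contains("<b>") || !html.contains("&lt;b&gt;not-an-ip&lt;/b&gt;")) {
            throw new IllegalStateException("value was not escaped");
        }
    }
}
```

Run with `javac RequestInfoEscapingExample.java && java RequestInfoEscapingExample`. The renderer escapes at the point where a value is written into the page rather than relying on where the value came from, which is the same design choice the commit makes: the cost is a few string operations per request, and it holds even when a valve or proxy setting changes what `getRemoteAddr()` returns.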