Author: markt
Date: Mon Jun 16 10:01:57 2014
New Revision: 1602834
URL: http://svn.apache.org/r1602834
Log:
Attempt to obfuscate session cookie values associated with other web
applications when viewing HTTP request headers with the Request Header example
from the examples web application. This reduces the opportunity to use this
example for malicious purposes should the advice to remove the examples web
application from security sensitive systems be ignored.
Added:
tomcat/tc7.0.x/trunk/test/util/
- copied from r1602831, tomcat/trunk/test/util/
tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
- copied unchanged from r1602831,
tomcat/trunk/webapps/examples/WEB-INF/classes/util/CookieFilter.java
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1602831
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1602834&r1=1602833&r2=1602834&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Jun 16 10:01:57 2014
@@ -178,6 +178,14 @@
remove the examples web application from security sensitive systems be
ignored. (markt/kkolinko)
</fix>
+ <fix>
+ Attempt to obfuscate session cookie values associated with other web
+ applications when viewing HTTP request headers with the Request Header
+ example from the examples web application. This reduces the opportunity
+ to use this example for malicious purposes should the advice to remove
+ the examples web application from security sensitive systems be
ignored.
+ (markt)
+ </fix>
</changelog>
</subsection>
</section>
Modified:
tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java?rev=1602834&r1=1602833&r2=1602834&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
(original)
+++
tomcat/tc7.0.x/trunk/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
Mon Jun 16 10:01:57 2014
@@ -18,13 +18,16 @@
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
+import java.util.Locale;
import java.util.ResourceBundle;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import util.CookieFilter;
import util.HTMLFilter;
/**
@@ -77,7 +80,16 @@ public class RequestHeaderExample extend
out.println("<tr><td bgcolor=\"#CCCCCC\">");
out.println(HTMLFilter.filter(headerName));
out.println("</td><td>");
- out.println(HTMLFilter.filter(headerValue));
+ if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
+ HttpSession session = request.getSession(false);
+ String sessionId = null;
+ if (session != null) {
+ sessionId = session.getId();
+ }
+ out.println(HTMLFilter.filter(CookieFilter.filter(headerValue,
sessionId)));
+ } else {
+ out.println(HTMLFilter.filter(headerValue));
+ }
out.println("</td></tr>");
}
out.println("</table>");
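Review bot: The new branch decides on obfuscation purely by the header name containing "cookie", and what `CookieFilter.filter` actually masks is decided in util/CookieFilter, which is outside this hunk; if that helper matches a fixed cookie name, a context that configures a custom `sessionCookieName` would presumably still have its session value printed in clear, so that coverage is worth a comment here or a test in the copied test/util tree. The lookup `request.getSession(false)` runs on every iteration of the enclosing header loop, whose start is outside the hunk and which closes at the `}` after `out.println("</td></tr>")`; hoisting `HttpSession session = request.getSession(false);` and `String sessionId = session == null ? null : session.getId();` above the loop avoids the repeated call and the nested null check. A short comment stating why the current session id is handed to the filter — presumably so this application's own session cookie stays readable while those of other applications are masked — would record the intent that is otherwise only in the changelog.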