Author: ate
Date: Fri Mar 2 14:06:45 2007
New Revision: 513987
URL: http://svn.apache.org/viewvc?view=rev&rev=513987
Log:
Simple fix for blocking issue JS2-626: Cross-Site Scripting (XSS) vulnerability.
The reported vulnerability is now resolved: in case of such an attack, HTTP
Status 400 (SC_BAD_REQUEST) will be returned.
Added:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(with props)
Modified:
portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
Added:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?view=auto&rev=513987
==============================================================================
---
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(added)
+++
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Fri Mar 2 14:06:45 2007
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2007 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS"
+ * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.engine.servlet;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Simple XXS Url attack protection blocking access whenever the request url
contains a < or > character.
+ * @version $Id$
+ *
+ */
+public class XXSUrlAttackFilter implements Filter
+{
+ public void init(FilterConfig config) throws ServletException
+ {
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException,
+ ServletException
+ {
+ if (request instanceof HttpServletRequest)
+ {
+ HttpServletRequest hreq = (HttpServletRequest) request;
+ if (isInvalid(hreq.getQueryString()) ||
isInvalid(hreq.getRequestURI()))
+ {
+ ((HttpServletResponse)
response).sendError(HttpServletResponse.SC_BAD_REQUEST);
+ }
+ }
+ chain.doFilter(request, response);
+ }
+
+ private boolean isInvalid(String value)
+ {
+ return (value != null && (value.indexOf('<') != -1 ||
value.indexOf('>') != -1 || value.indexOf("%3e") != -1
+ || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 ||
value.indexOf("%3E") != -1));
+ }
+
+ public void destroy()
+ {
+ }
+}
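Review bot: After `sendError(HttpServletResponse.SC_BAD_REQUEST)` the method falls through to `chain.doFilter(request, response)`, so a request the filter has just rejected is still dispatched down the chain with the attack URL intact; add `return;` immediately after the `sendError` call so the 400 response is final. In `isInvalid` the last two terms both test `"%3E"`, so an upper-case `%3C` is never matched; change the final term to `value.indexOf("%3C") != -1` (or lower-case the value once and test only `"%3c"` and `"%3e"`). This is a denylist applied only to the raw request URI and query string, so request-body parameters and other encodings (double-encoded `%253c`, for instance) pass through; the class Javadoc should say this is a stop-gap and that output encoding in the rendering layer remains the actual XSS defence. The Javadoc also spells the acronym "XXS"; the term is "XSS".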
Propchange:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
------------------------------------------------------------------------------
svn:keywords = Id
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=513987&r1=513986&r2=513987
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Fri Mar 2 14:06:45 2007
@@ -32,6 +32,11 @@
</context-param>
<filter>
+ <filter-name>XXSUrlAttackFilter</filter-name>
+
<filter-class>org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter</filter-class>
+ </filter>
+
+ <filter>
<filter-name>staticResourceCachingFilter</filter-name>
<filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
<init-param>
@@ -41,9 +46,15 @@
</filter>
<filter-mapping>
+ <filter-name>XXSUrlAttackFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter-mapping>
<filter-name>staticResourceCachingFilter</filter-name>
<servlet-name>default</servlet-name>
- </filter-mapping>
+ </filter-mapping>
+
<!--
<filter>
<filter-name>PortalFilter</filter-name>