Re: svn commit: r1337741 - /tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
On 13/05/2012 00:56, kkoli...@apache.org wrote: Author: kkolinko Date: Sat May 12 23:56:13 2012 New Revision: 1337741 URL: http://svn.apache.org/viewvc?rev=1337741view=rev Log: Pass all string values through the filter in RequestInfoExample servlet. Those values were not passed through the filter since it is not possible for them to have values that need filtering. For example, if method contains HTML it will never get as far as the Servlet since it is not a valid request. The same for scheme. Remote address and cipher suite are provided via APIs that always return safe values. Mark Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java?rev=1337741r1=1337740r2=1337741view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java (original) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Sat May 12 23:56:13 2012 @@ -75,7 +75,7 @@ public class RequestInfoExample extends out.println(table border=0trtd); out.println(RB.getString(requestinfo.label.method)); out.println(/tdtd); -out.println(request.getMethod()); +out.println(HTMLFilter.filter(request.getMethod())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.requesturi)); out.println(/tdtd); @@ -83,7 +83,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.protocol)); out.println(/tdtd); -out.println(request.getProtocol()); +out.println(HTMLFilter.filter(request.getProtocol())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.pathinfo)); out.println(/tdtd); 
@@ -91,7 +91,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.remoteaddr)); out.println(/tdtd); -out.println(request.getRemoteAddr()); +out.println(HTMLFilter.filter(request.getRemoteAddr())); out.println(/td/tr); String cipherSuite= @@ -100,7 +100,7 @@ public class RequestInfoExample extends out.println(trtd); out.println(SSLCipherSuite:); out.println(/tdtd); -out.println(cipherSuite); +out.println(HTMLFilter.filter(cipherSuite)); out.println(/td/tr); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1337741 - /tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
2012/5/13 Mark Thomas ma...@apache.org: On 13/05/2012 00:56, kkoli...@apache.org wrote: Author: kkolinko Date: Sat May 12 23:56:13 2012 New Revision: 1337741 URL: http://svn.apache.org/viewvc?rev=1337741view=rev Log: Pass all string values through the filter in RequestInfoExample servlet. Those values were not passed through the filter since it is not possible for them to have values that need filtering. For example, if method contains HTML it will never get as far as the Servlet since it is not a valid request. The same for scheme. Remote address and cipher suite are provided via APIs that always return safe values. If there is (mis)configured RemoteIpValve it can inject random values into those attributes. I was more concerned that I do not remember what are constraints on cipherSuite value. Thus I went with filtering, to get correct HTML in the output, like in r1337745. snoop.jsp already filters all values, so it is for consistency as well. Best regards, Konstantin Kolinko Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java?rev=1337741r1=1337740r2=1337741view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java (original) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Sat May 12 23:56:13 2012 @@ -75,7 +75,7 @@ public class RequestInfoExample extends out.println(table border=0trtd); out.println(RB.getString(requestinfo.label.method)); out.println(/tdtd); - out.println(request.getMethod()); + out.println(HTMLFilter.filter(request.getMethod())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.requesturi)); out.println(/tdtd); 
@@ -83,7 +83,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.protocol)); out.println(/tdtd); - out.println(request.getProtocol()); + out.println(HTMLFilter.filter(request.getProtocol())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.pathinfo)); out.println(/tdtd); @@ -91,7 +91,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.remoteaddr)); out.println(/tdtd); - out.println(request.getRemoteAddr()); + out.println(HTMLFilter.filter(request.getRemoteAddr())); out.println(/td/tr); String cipherSuite= @@ -100,7 +100,7 @@ public class RequestInfoExample extends out.println(trtd); out.println(SSLCipherSuite:); out.println(/tdtd); - out.println(cipherSuite); + out.println(HTMLFilter.filter(cipherSuite)); out.println(/td/tr); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1337741 - /tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java
Author: kkolinko Date: Sat May 12 23:56:13 2012 New Revision: 1337741 URL: http://svn.apache.org/viewvc?rev=1337741view=rev Log: Pass all string values through the filter in RequestInfoExample servlet. Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Modified: tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java?rev=1337741r1=1337740r2=1337741view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java (original) +++ tomcat/trunk/webapps/examples/WEB-INF/classes/RequestInfoExample.java Sat May 12 23:56:13 2012 @@ -75,7 +75,7 @@ public class RequestInfoExample extends out.println(table border=0trtd); out.println(RB.getString(requestinfo.label.method)); out.println(/tdtd); -out.println(request.getMethod()); +out.println(HTMLFilter.filter(request.getMethod())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.requesturi)); out.println(/tdtd); @@ -83,7 +83,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.protocol)); out.println(/tdtd); -out.println(request.getProtocol()); +out.println(HTMLFilter.filter(request.getProtocol())); out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.pathinfo)); out.println(/tdtd); @@ -91,7 +91,7 @@ public class RequestInfoExample extends out.println(/td/trtrtd); out.println(RB.getString(requestinfo.label.remoteaddr)); out.println(/tdtd); -out.println(request.getRemoteAddr()); +out.println(HTMLFilter.filter(request.getRemoteAddr())); out.println(/td/tr); String cipherSuite= 
@@ -100,7 +100,7 @@ public class RequestInfoExample extends out.println(trtd); out.println(SSLCipherSuite:); out.println(/tdtd); -out.println(cipherSuite); +out.println(HTMLFilter.filter(cipherSuite)); out.println(/td/tr); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
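Review bot: for the hunk at @@ -75 (method row), the log message "Pass all string values through the filter" does not say why values that were previously treated as safe (method, protocol, remote address, cipher suite) now need filtering; state the reason in the log itself, namely that a misconfigured RemoteIpValve can set some of these attributes and that the cipher-suite string format is not established, as discussed in the replies, so the change is not mistaken for a cosmetic one and reverted later. The changed line `+out.println(HTMLFilter.filter(request.getMethod()));` is fine as written.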
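Review bot: for the hunk at @@ -83 (protocol row), filtering `request.getProtocol()` makes this row consistent with the others, but the hunk only shows the protocol value; the neighbouring pathinfo row (`out.println(RB.getString(requestinfo.label.pathinfo));`) lies outside the changed lines, so confirm in the log that the remaining rows were already filtered and that this commit completes the set, since a servlet that escapes some rows and not others is harder to audit than one with a single rule.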
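Review bot: for the hunk at @@ -91 (remote address row), this is the value where the escaping matters most: with RemoteIpValve configured, `request.getRemoteAddr()` can reflect a client-supplied header rather than the socket address, as Konstantin points out in the reply, so a short comment next to `+out.println(HTMLFilter.filter(request.getRemoteAddr()));` recording that would stop the filter from being dropped again as unnecessary.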
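Review bot: style point in the context of the hunk at @@ -100 (cipher suite row): the label `out.println(SSLCipherSuite:);` is a hard-coded string while every other row label goes through `RB.getString(...)`; consider adding a resource-bundle key for it while this row is being touched. Filtering `cipherSuite` is the right call given that nothing on the page establishes which characters the cipher-suite name may contain.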