Hey Mark,

I really appreciate your reply.

I can't see anything in the revision that specifically states sanitization
however my Java isn't the best nor my software development with regards to
what a "Valve" would be responsible for. I suspect that worrying about XSS
at that level isn't a concern.

Is it safe to assume that when passing a string Message to
ServletException(message), that it can't be abused with embedded dangerous
characters? Or is it dependant on how the exception is displayed (i.e. the
template used for 500 errors)


On Thu, 17 May 2018 at 11:46 Mark Thomas <ma...@apache.org> wrote:

> On 17 May 2018 15:46:07 BST, Chris Bonk <bonk.ch...@gmail.com> wrote:
> >Hello,
> >
> >I have a strange issue, I am trying to track down the root cause for an
> >ancient CVE-2006-1548
> >
> >
> http://struts.1045723.n5.nabble.com/DO-NOT-REPLY-Bug-38749-New-XSS-vulnerability-in-LookupDispatchAction-td3510079.html
> >
> >I can replicate the XSS in Tomcat 4.0.6, however in Tomcat 6.0.37 the
> >html
> >characters needed to inject the script are properly encoded, what is
> >the
> >mechanism for this? I haven't been able to determine why
> >ServletException
> >handles the message parameter different between versioning.
> >
> >Can anyone point me in the right direction?
> Looks like the error handling was rewritten in 4.1.x.
> http://svn.apache.org/viewvc/tomcat/archive/tc4.1.x/trunk/container/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java?view=log
> 286679 looks relevant.
> I'm on my phone so checking further is tricky but I suspect this is one of
> those grey areas in the spec where it isn't clear if the webapp or the
> container is responsible for sanitizing the data.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to