Fix CVE-2010-4172. Multiple XSS in Manager web application
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 22 Nov 2010 17:19:07 +0000 (17:19 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 22 Nov 2010 17:19:07 +0000 (17:19 +0000)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1037778 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/manager/JspHelper.java
webapps/docs/changelog.xml
webapps/manager/WEB-INF/jsp/sessionDetail.jsp
webapps/manager/WEB-INF/jsp/sessionsList.jsp

index 80fdc77..b001339 100644 (file)
@@ -54,7 +54,7 @@ public class JspHelper {
     }
     private static String localeToString(Locale locale) {
         if (locale != null) {
-            return locale.toString();//locale.getDisplayName();
+            return escapeXml(locale.toString());//locale.getDisplayName();
         } else {
             return "";
         }
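Review bot: localeToString now returns HTML-escaped text, but nothing on the method says so; a caller that escapes the result again will double-encode it, and one that uses it outside markup will get entities. A short Javadoc such as `/** Returns the locale's string form, XML-escaped for direct output in a page; callers must not escape it again. */` would record the contract. The trailing `//locale.getDisplayName();` is commented-out code and could be dropped while the line is being touched. The method's closing brace lies outside this hunk.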
index 9768b96..d54805a 100644 (file)
         <bug>50310</bug>: Fix display of Servlet information in Manager
         application. (markt)
       </fix>
+      <fix>
+        CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">
index e619330..2cef066 100644 (file)
    ContextName cn = new ContextName(path, version);
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
-   String currentSessionId = currentSession.getId();
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURI() + "?path=" + path +
-           "&version=" + version);
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path + "&version=" + version));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
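Review bot: `path` and `version` are still concatenated raw into the query string of `submitUrl`. `escapeXml` makes the result safe to print into an HTML attribute, but it does not URL-encode, so a value containing `&`, `#` or `=` would change the parameters the form posts back. Encoding each component before concatenation, e.g. `"?path=" + java.net.URLEncoder.encode(path, "UTF-8")` (likewise for `version`, with a null check if it can be absent), and then applying `escapeXml` to the whole URL would cover both contexts. The same expression appears in the sessionsList.jsp hunk that begins `String submitUrl = JspHelper.escapeXml(response.encodeURL(`. The scriptlet starts above this hunk.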
@@ -50,7 +50,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
-<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
 
 <table style="text-align: left;" border="0">
   <tr>
                     <div>
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
-                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <%
                           if ("Primary".equals(request.getParameter("sessionType"))) {
                         %>
 
 <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
-    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>
index e56d8a6..5b666ef 100644 (file)
@@ -31,9 +31,9 @@
 <% String path = (String) request.getAttribute("path");
    String version = (String) request.getAttribute("version");
    ContextName cn = new ContextName(path, version);
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURI() + "?path=" + path +
-           "&version=" + version);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path + "&version=" + version));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
     <meta name="author" content="Cedrik LIME"/>
     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
     <meta name="robots" content="noindex,nofollow,noarchive"/>
-    <title>Sessions Administration for <%= cn.getDisplayName() %></title>
+    <title>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></title>
 </head>
 <body>
-<h1>Sessions Administration for <%= cn.getDisplayName() %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></h1>
 
 <p>Tips:</p>
 <ul>
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
     <fieldset><legend>Active HttpSessions informations</legend>
         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
-        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
         <% String order = (String) request.getAttribute("order");
            if (order == null || "".equals(order)) {
                order = "ASC";
            }
         %>
-        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
         <table border="1" cellpadding="2" cellspacing="2" width="100%">
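Review bot: `sort` and `order` are escaped on output but not validated, although `order` at least appears to take only a small fixed set of values (the scriptlet defaults it to `ASC`). Normalising it before use, e.g. `if (!"DESC".equals(order)) { order = "ASC"; }`, would remove the reflected input entirely rather than rely on every sink being escaped; this assumes `DESC` is the only other accepted value. The `sort` line also drops the `(String)` cast and passes an `Object` to `escapeXml`, so what is printed for a missing attribute depends on that overload's null handling, which is not visible here.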
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
        Session currentSession = (Session) iter.next();
-       String currentSessionId = currentSession.getId();
+       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
        String type;
        if (currentSession instanceof DeltaSession) {
            if (((DeltaSession) currentSession).isPrimarySession()) {
                             out.print(currentSessionId);
                         } else {
                       %>
-                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                       <%
                         }
                       %>
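Review bot: `currentSessionId` now holds the HTML-escaped id from the assignment earlier in the loop, and the same variable is printed both inside the `href` query string and as the link text. HTML escaping is right for the text, but the `sessionId=` parameter also needs URL-encoding, which can no longer be applied correctly once the variable already contains entities. Keeping the raw id in the variable and escaping per sink, e.g. `JspHelper.escapeXml(java.net.URLEncoder.encode(currentSession.getId(), "UTF-8"))` for the href and `JspHelper.escapeXml(currentSession.getId())` for the text, keeps each output context auditable on its own. The now bare `<%= currentSessionId %>` in the sessionDetail.jsp `<h1>` has the same readability problem: it looks like an unescaped sink unless the reader finds the assignment.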