From 6e90b590e41cce05b0e9ef52ba5d958fc5b1e132 Mon Sep 17 00:00:00 2001
From: markt
Date: Sat, 7 Mar 2009 18:45:53 +0000
Subject: [PATCH] Add AddDefaultCharSetValve

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@751304 13f79535-47bb-0310-9956-ffa450edef68
---
 .../catalina/valves/AddDefaultCharsetValve.java | 68 ++++++++++++++++++++++
 webapps/docs/config/valve.xml | 41 +++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 java/org/apache/catalina/valves/AddDefaultCharsetValve.java

diff --git a/java/org/apache/catalina/valves/AddDefaultCharsetValve.java b/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
new file mode 100644
index 000000000..c6e768052
--- /dev/null
+++ b/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.valves;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.apache.catalina.valves.ValveBase;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+
+/**
+ * Valve that explicitly sets the default character set for media subtypes of
+ * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
+ * use ISO-8859-1 in these circumstances. However, browsers may attempt to
+ * auto-detect the character set. This may be exploited by an attacker to
+ * perform an XSS attack. Internet Explorer has this behaviour by default. Other
+ * browsers have an option to enable it.
+ *
+ * This valve prevents the attack by explicitly setting a character set. Unless
+ * the provided character set is explicitly overridden by the user - in which
+ * case they deserve everything they get - the browser will adhere to an
+ * explicitly set character set, thus preventing the XSS attack.
+ *
+ * To use this valve add the following <Valve
+ * className="org.apache.catalina.valves.AddDefaultCharsetValve" />
+ * to your Engine, Host or Context as
+ * required.
+ */
+
+public class AddDefaultCharsetValve
+ extends ValveBase {
+
+ /**
+ * Check for text/* and no character set and set charset to ISO-8859-1 in
+ * those circumstances.
+ */
+ public void invoke(Request request, Response response)
+ throws IOException, ServletException {
+
+ // Process the request first
+ getNext().invoke(request, response);
+
+ // Test once the response has been generated
+ String ct = response.getContentType();
+ if (ct != null && ct.startsWith("text/")) {
+ // Make sure the charset is explicitly set
+ response.setCharacterEncoding(response.getCharacterEncoding());
+ }
+ }
+
+}
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 0c5e381c2..ef561a8b6 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -484,6 +484,47 @@
+
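Review bot: The charset is only applied after `getNext().invoke(request, response)` returns, so whenever the application has already committed a text/* response (buffer filled and flushed, or an explicit `flushBuffer()`) the Content-Type header has gone out without a charset and `response.setCharacterEncoding(...)` has no effect, which is exactly the auto-detection window this valve exists to close; the Servlet API documents that the setter is ignored once the response is committed. At minimum the post-processing branch should make that gap visible rather than silent, e.g. `if (response.isCommitted()) { return; } // too late to enforce a charset` ahead of the setter, and the class Javadoc should state that responses committed before the valve runs are not protected. The robust design intercepts the content type at the moment it is set (a response wrapper overriding `setContentType`) instead of repairing it afterwards. `ct.startsWith("text/")` is also case-sensitive while media types are case-insensitive, so a `Text/html` response escapes the check; compare a lower-cased copy (e.g. `ct.toLowerCase(Locale.ROOT)`) instead. The `import org.apache.catalina.valves.ValveBase;` is redundant since the class lives in that package.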
+ + + +

The HTTP specification is clear that if no character set is specified for + media sub-types of the "text" media type, the ISO-8859-1 character set must + be used. However, browsers may attempt to auto-detect the character set. + This may be exploited by an attacker to perform an XSS attack. Internet + Explorer has this behaviour by default. Other browsers have an option to + enable it.

+ +

This valve prevents the attack by explicitly setting a character set. + Unless the provided character set is explicitly overridden by the user the + browser will adhere to the explicitly set character set, thus preventing the + XSS attack.

+ +

This Valve may be used at the Engine, Host or + Context level as required. Normally, this Valve would be used + at the Engine level.

+ +
+ + + +

The Add Default Character Set Valve supports the + following configuration attributes:

+ + + + +

Java class name of the implementation to use. This MUST be set to + org.apache.catalina.valves.AddDefaultCharsetValve.

+
+ +
+ +
+ +
+ + -- 2.11.0