From add2d23ca7a43fe14d03a2b230aa99c2fd9a2ec2 Mon Sep 17 00:00:00 2001
From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Mon, 22 Nov 2010 17:19:07 +0000
Subject: [PATCH] Fix CVE-2010-4172. Multiple XSS in Manager web application

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1037778 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/manager/JspHelper.java |  2 +-
 webapps/docs/changelog.xml                      |  3 +++
 webapps/manager/WEB-INF/jsp/sessionDetail.jsp   | 13 ++++++-------
 webapps/manager/WEB-INF/jsp/sessionsList.jsp    | 18 +++++++++---------
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/java/org/apache/catalina/manager/JspHelper.java b/java/org/apache/catalina/manager/JspHelper.java
index 80fdc77ab..b001339fa 100644
--- a/java/org/apache/catalina/manager/JspHelper.java
+++ b/java/org/apache/catalina/manager/JspHelper.java
@@ -54,7 +54,7 @@ public class JspHelper {
     }
     private static String localeToString(Locale locale) {
         if (locale != null) {
-            return locale.toString();//locale.getDisplayName();
+            return escapeXml(locale.toString());//locale.getDisplayName();
         } else {
             return "";
         }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9768b96eb..d54805abd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -295,6 +295,9 @@
         <bug>50310</bug>: Fix display of Servlet information in Manager
         application. (markt)
       </fix>
+      <fix>
+        CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">
diff --git a/webapps/manager/WEB-INF/jsp/sessionDetail.jsp b/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
index e61933023..2cef06629 100644
--- a/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
+++ b/webapps/manager/WEB-INF/jsp/sessionDetail.jsp
@@ -33,10 +33,10 @@
    ContextName cn = new ContextName(path, version);
    Session currentSession = (Session)request.getAttribute("currentSession");
    HttpSession currentHttpSession = currentSession.getSession();
-   String currentSessionId = currentSession.getId();
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURI() + "?path=" + path +
-           "&version=" + version);
+   String currentSessionId = JspHelper.escapeXml(currentSession.getId());
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path + "&version=" + version));
 %>
 <head>
     <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
@@ -50,7 +50,7 @@
     <title>Sessions Administration: details for <%= currentSessionId %></title>
 </head>
 <body>
-<h1>Details for Session <%= JspHelper.escapeXml(currentSessionId) %></h1>
+<h1>Details for Session <%= currentSessionId %></h1>
 
 <table style="text-align: left;" border="0">
   <tr>
@@ -142,7 +142,7 @@
                     <div>
                         <input type="hidden" name="action" value="removeSessionAttribute" />
                         <input type="hidden" name="sessionId" value="<%= currentSessionId %>" />
-                        <input type="hidden" name="attributeName" value="<%= attributeName %>" />
+                        <input type="hidden" name="attributeName" value="<%= JspHelper.escapeXml(attributeName) %>" />
                         <%
                           if ("Primary".equals(request.getParameter("sessionType"))) {
                         %>
@@ -165,7 +165,6 @@
 
 <form method="post" action="<%=submitUrl%>">
   <p style="text-align: center;">
-    <input type="hidden" name="path" value="<%= path %>" />
     <input type="submit" value="Return to session list" />
   </p>
 </form>
diff --git a/webapps/manager/WEB-INF/jsp/sessionsList.jsp b/webapps/manager/WEB-INF/jsp/sessionsList.jsp
index e56d8a6ac..5b666ef6a 100644
--- a/webapps/manager/WEB-INF/jsp/sessionsList.jsp
+++ b/webapps/manager/WEB-INF/jsp/sessionsList.jsp
@@ -31,9 +31,9 @@
 <% String path = (String) request.getAttribute("path");
    String version = (String) request.getAttribute("version");
    ContextName cn = new ContextName(path, version);
-   String submitUrl = response.encodeURL(((HttpServletRequest)
-           pageContext.getRequest()).getRequestURI() + "?path=" + path +
-           "&version=" + version);
+   String submitUrl = JspHelper.escapeXml(response.encodeURL(
+           ((HttpServletRequest) pageContext.getRequest()).getRequestURI() +
+           "?path=" + path + "&version=" + version));
    Collection activeSessions = (Collection) request.getAttribute("activeSessions");
 %>
 <head>
@@ -45,10 +45,10 @@
     <meta name="author" content="Cedrik LIME"/>
     <meta name="copyright" content="copyright 2005-2010 the Apache Software Foundation"/>
     <meta name="robots" content="noindex,nofollow,noarchive"/>
-    <title>Sessions Administration for <%= cn.getDisplayName() %></title>
+    <title>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></title>
 </head>
 <body>
-<h1>Sessions Administration for <%= cn.getDisplayName() %></h1>
+<h1>Sessions Administration for <%= JspHelper.escapeXml(cn.getDisplayName()) %></h1>
 
 <p>Tips:</p>
 <ul>
@@ -62,13 +62,13 @@
 <form action="<%= submitUrl %>" method="post" id="sessionsForm">
     <fieldset><legend>Active HttpSessions informations</legend>
         <input type="hidden" name="action" id="sessionsFormAction" value="injectSessions"/>
-        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= (String) request.getAttribute("sort") %>"/>
+        <input type="hidden" name="sort" id="sessionsFormSort" value="<%= JspHelper.escapeXml(request.getAttribute("sort")) %>"/>
         <% String order = (String) request.getAttribute("order");
            if (order == null || "".equals(order)) {
                order = "ASC";
            }
         %>
-        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= order %>"/>
+        <input type="hidden" name="order" id="sessionsFormSortOrder" value="<%= JspHelper.escapeXml(order) %>"/>
         <input type="submit" name="refresh" id="refreshButton" value="Refresh Sessions list" onclick="document.getElementById('sessionsFormAction').value='refreshSessions'; return true;"/>
         <%= JspHelper.formatNumber(activeSessions.size()) %> active Sessions<br/>
         <table border="1" cellpadding="2" cellspacing="2" width="100%">
@@ -104,7 +104,7 @@
 <% Iterator iter = activeSessions.iterator();
    while (iter.hasNext()) {
        Session currentSession = (Session) iter.next();
-       String currentSessionId = currentSession.getId();
+       String currentSessionId = JspHelper.escapeXml(currentSession.getId());
        String type;
        if (currentSession instanceof DeltaSession) {
            if (((DeltaSession) currentSession).isPrimarySession()) {
@@ -125,7 +125,7 @@
                             out.print(currentSessionId);
                         } else {
                       %>
-                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= JspHelper.escapeXml(currentSessionId) %></a>
+                      <a href="<%= submitUrl %>&amp;action=sessionDetail&amp;sessionId=<%= currentSessionId %>&amp;sessionType=<%= type %>"><%= currentSessionId %></a>
                       <%
                         }
                       %>
-- 
2.11.0