From eab985685d887e98205fa178367c59d0ac07f04d Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 23 Mar 2009 21:39:48 +0000
Subject: [PATCH] Use a filter rather than a valve to add a default character set.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@757557 13f79535-47bb-0310-9956-ffa450edef68
---
 .../catalina/filters/AddDefaultCharsetFilter.java | 94 ++++++++++++++++++++++
 .../catalina/valves/AddDefaultCharsetValve.java | 68 ----------------
 webapps/docs/config/filters.xml | 90 +++++++++++++++++++++
 webapps/docs/config/project.xml | 1 +
 4 files changed, 185 insertions(+), 68 deletions(-)
 create mode 100644 java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
 delete mode 100644 java/org/apache/catalina/valves/AddDefaultCharsetValve.java
 create mode 100644 webapps/docs/config/filters.xml
diff --git a/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java b/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
new file mode 100644
index 000000000..f1ae36d63
--- /dev/null
+++ b/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.catalina.filters;
+
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponseWrapper;
+
+
+/**
+ * Filter that explicitly sets the default character set for media subtypes of
+ * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
+ * use ISO-8859-1 in these circumstances. However, browsers may attempt to
+ * auto-detect the character set. This may be exploited by an attacker to
+ * perform an XSS attack. Internet Explorer has this behaviour by default. Other
+ * browsers have an option to enable it.
+ *
+ * This filter prevents the attack by explicitly setting a character set. Unless
+ * the provided character set is explicitly overridden by the user - in which
+ * case they deserve everything they get - the browser will adhere to an
+ * explicitly set character set, thus preventing the XSS attack.
+ */
+public class AddDefaultCharsetFilter implements Filter {
+
+ public void destroy() {
+ // NOOP
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ // Wrap the response
+ if (response instanceof HttpServletResponse) {
+ ResponseWrapper wrapped =
+ new ResponseWrapper((HttpServletResponse)response);
+ chain.doFilter(request, wrapped);
+ } else {
+ chain.doFilter(request, response);
+ }
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // NOOP
+ }
+
+ /**
+ * Wrapper that adds the default character set for text media types if no
+ * character set is specified.
+ */
+ public class ResponseWrapper extends HttpServletResponseWrapper {
+
+ @Override
+ public void setContentType(String ct) {
+
+ if (ct != null && ct.startsWith("text/") &&
+ ct.indexOf("charset=") < 0) {
+ // Use getCharacterEncoding() in case the charset has already
+ // been set by a separate call.
+ super.setContentType(ct + ";charset=" + getCharacterEncoding());
+ } else {
+ super.setContentType(ct);
+ }
+
+ }
+
+ public ResponseWrapper(HttpServletResponse response) {
+ super(response);
+ }
+
+ }
+}
diff --git a/java/org/apache/catalina/valves/AddDefaultCharsetValve.java b/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
deleted file mode 100644
index c6e768052..000000000
--- a/java/org/apache/catalina/valves/AddDefaultCharsetValve.java
+++ /dev/null
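Review bot: The charset test in `ResponseWrapper.setContentType` is case-sensitive (`ct.indexOf("charset=") < 0`), while the parameter name in a Content-Type header is not, so a value such as `text/html;Charset=UTF-8` passes the check and receives a second `;charset=` parameter, leaving the browser with two conflicting declarations instead of one explicit one. Comparing a lower-cased copy closes that gap: `ct.toLowerCase(Locale.ENGLISH).indexOf("charset=") < 0` (with `java.util.Locale` imported); the `startsWith("text/")` test has the same case issue for the media type itself. The wrapper overrides only `setContentType`, so a content type written through `setHeader("Content-Type", ...)` or `addHeader` is not inspected; this limit belongs in the class Javadoc so deployers know what the filter does and does not cover. `ResponseWrapper` never touches the enclosing filter instance and can be declared `static`.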
@@ -1,68 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.catalina.valves;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-
-import org.apache.catalina.valves.ValveBase;
-import org.apache.catalina.connector.Request;
-import org.apache.catalina.connector.Response;
-
-/**
- * Valve that explicitly sets the default character set for media subtypes of
- * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
- * use ISO-8859-1 in these circumstances. However, browsers may attempt to
- * auto-detect the character set. This may be exploited by an attacker to
- * perform an XSS attack. Internet Explorer has this behaviour by default. Other
- * browsers have an option to enable it.
- *
- * This valve prevents the attack by explicitly setting a character set. Unless
- * the provided character set is explicitly overridden by the user - in which
- * case they deserve everything they get - the browser will adhere to an
- * explicitly set character set, thus preventing the XSS attack.
- *
- * To use this valve add the following <Valve
- * className="org.apache.catalina.valves.AddDefaultCharsetValve" />
- * to your Engine, Host or Context as
- * required.
- */
-
-public class AddDefaultCharsetValve
- extends ValveBase {
-
- /**
- * Check for text/* and no character set and set charset to ISO-8859-1 in
- * those circumstances.
- */
- public void invoke(Request request, Response response)
- throws IOException, ServletException {
-
- // Process the request first
- getNext().invoke(request, response);
-
- // Test once the response has been generated
- String ct = response.getContentType();
- if (ct != null && ct.startsWith("text/")) {
- // Make sure the charset is explicitly set
- response.setCharacterEncoding(response.getCharacterEncoding());
- }
- }
-
-}
diff --git a/webapps/docs/config/filters.xml b/webapps/docs/config/filters.xml
new file mode 100644
index 000000000..462c055ab
--- /dev/null
+++ b/webapps/docs/config/filters.xml
@@ -0,0 +1,90 @@
+ + + +]> + + + &project; + + + Container Provided Filters + + + + + +
+ +

Tomcat provides a number of Filters which may be + configured for use with all web applications using + $CATALINA_BASE/conf/web.xml or may be configured for individual + web applications by configuring them in the application's + WEB-INF/web.xml. Each filter is described below.

+ +
+

This description uses the variable name $CATALINA_BASE to refer the + base directory against which most relative paths are resolved. If you have + not configured Tomcat for multiple instances by setting a CATALINA_BASE + directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, + the directory into which you have installed Tomcat.

+
+ +
+ + +
+ + + +

The HTTP specification is clear that if no character set is specified for + media sub-types of the "text" media type, the ISO-8859-1 character set must + be used. However, browsers may attempt to auto-detect the character set. + This may be exploited by an attacker to perform an XSS attack. Internet + Explorer has this behaviour by default. Other browsers have an option to + enable it.

+ +

This filter prevents the attack by explicitly setting a character set. + Unless the provided character set is explicitly overridden by the user the + browser will adhere to the explicitly set character set, thus preventing the + XSS attack.

+ +
+ + + +

The filter class name for the Add Default Character Set Filter is + org.apache.catalina.filters.AddDefaultCharsetFilter + .

+ +
+ + + +

The Add Default Character Set Filter does not support any initialisation + parameters

+ +
+ +
+ + + + + +
diff --git a/webapps/docs/config/project.xml b/webapps/docs/config/project.xml
index 05a6ec9fe..da265cabf 100644
--- a/webapps/docs/config/project.xml
+++ b/webapps/docs/config/project.xml
@@ -61,6 +61,7 @@
+ -- 2.11.0