author | Greg Wilkins | 2009-07-01 00:48:11 +0000 |
---|---|---|
committer | Greg Wilkins | 2009-07-01 00:48:11 +0000 |
commit | 73d67b02872169fef81d574d748da8075c2a46f9 (patch) | |
tree | 9ecbf207934f9feaef9d53ba3d69f7382de7fbbe | |
parent | a8574969b9a789e759af7bc9770fa2f90405412a (diff) | |
JETTY-1057
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@455 7e9141cc-0065-0410-87d8-b60c137991c4
-rw-r--r-- | VERSION.txt | 1 | ||||
-rw-r--r-- | jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java | 28 |
2 files changed, 14 insertions, 15 deletions
diff --git a/VERSION.txt b/VERSION.txt
index c585a5931a..5d5e64205c 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -8,6 +8,7 @@ jetty-7.0.0.M4-SNAPSHOT
  + JETTY-1049 Improved transparent proxy usability
  + JETTY-1054 Avoid double deploys
  + JETTY-1055 Cookie quoting
+ + JETTY-1057 Error page stack trace XSS
 
 jetty-7.0.0.M3 20 June 2009
  + fixed race with expired async listeners
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
index 31d4f6272e..83bf4a41d6 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
@@ -75,12 +75,6 @@ public class ErrorHandler extends AbstractHandler
 {
 if (message == null)
 message=HttpStatus.getCode(code).getMessage();
-else
-{
-message= StringUtil.replace(message, "&", "&");
-message= StringUtil.replace(message, "<", "<");
-message= StringUtil.replace(message, ">", ">");
-}
 
 writer.write("<html>\n<head>\n");
 writeErrorPageHead(request,writer,code,message);
@@ -98,7 +92,7 @@ public class ErrorHandler extends AbstractHandler
 writer.write(Integer.toString(code));
 writer.write(' ');
 if (message!=null)
-writer.write(message);
+writer.write(deScript(message));
 writer.write("</title>\n");
 }
 
@@ -107,12 +101,6 @@ public class ErrorHandler extends AbstractHandler
 throws IOException
 {
 String uri= request.getRequestURI();
-if (uri!=null)
-{
-uri= StringUtil.replace(uri, "&", "&");
-uri= StringUtil.replace(uri, "<", "<");
-uri= StringUtil.replace(uri, ">", ">");
-}
 
 writeErrorPageMessage(request,writer,code,message,uri);
 if (showStacks)
@@ -131,7 +119,7 @@ public class ErrorHandler extends AbstractHandler
 writer.write("</h2>\n<p>Problem accessing ");
 writer.write(uri);
 writer.write(". Reason:\n<pre> ");
-writer.write(message);
+writer.write(deScript(message));
 writer.write("</pre></p>");
 }
 
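Review bot: The request URI is still written unescaped in the fourth ErrorHandler hunk (`writer.write(uri);`), while the third hunk removes the `StringUtil.replace` block that used to escape it before it was handed to writeErrorPageMessage, so the URI now reaches the `<p>Problem accessing ...` text with no encoding at all unless the lines between those two hunks (not shown) escape it. The same treatment the commit gives the message and the stack trace should apply here: `writer.write(deScript(uri));`. As rendered on this page the replacement arguments of the removed blocks look identical to their search strings (`"&", "&"`); presumably the entity references were decoded by the page renderer, so that is not a finding against the code itself. The methods enclosing both hunks start outside the hunks.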
@@ -147,7 +135,7 @@ public class ErrorHandler extends AbstractHandler
 PrintWriter pw = new PrintWriter(sw);
 th.printStackTrace(pw);
 pw.flush();
-writer.write(sw.getBuffer().toString());
+writer.write(deScript(sw.getBuffer().toString()));
 writer.write("</pre>\n");
 
 th =th.getCause();
@@ -173,4 +161,14 @@ public class ErrorHandler extends AbstractHandler
 _showStacks = showStacks;
 }
 
+/* ------------------------------------------------------------ */
+protected String deScript(String string)
+{
+if (string==null)
+return null;
+string=StringUtil.replace(string, "&", "&");
+string=StringUtil.replace(string, "<", "<");
+string=StringUtil.replace(string, ">", ">");
+return string;
+}
 }
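Review bot: deScript in the last hunk carries only a separator comment; as a protected method that subclasses of ErrorHandler can override or call, it should state what it guarantees. Suggest a Javadoc such as `/** Escapes '&', '<' and '>' so the value can be written as element text content of the error page; returns null for a null input. Quotes are not escaped, so the result is not safe for use inside an attribute value. */`. The callers this commit adds all write into element text (the title, the `<pre>` block and the `<p>` paragraph), where those three characters suffice; any later use of deScript for an attribute would need quote handling added first.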