authorGreg Wilkins2015-05-29 10:12:57 +0000
committerGreg Wilkins2015-05-29 10:12:57 +0000
commit4472b614b94550c167dab5c2e3f3362368d4dba0 (patch)
tree4d55d152c2ae33d18569877473a7146dbfd68384 /jetty-util
parent0db541889bae3767d2e10c7799451807136766ff (diff)
downloadorg.eclipse.jetty.project-4472b614b94550c167dab5c2e3f3362368d4dba0.tar.gz
org.eclipse.jetty.project-4472b614b94550c167dab5c2e3f3362368d4dba0.tar.xz
org.eclipse.jetty.project-4472b614b94550c167dab5c2e3f3362368d4dba0.zip
468747 - XSS vulnerability in HttpSpiContextHandler
Diffstat (limited to 'jetty-util')
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java68
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java2
-rw-r--r--jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java16
3 files changed, 83 insertions, 3 deletions
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
index 07d85de3ce..e82b8c9387 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
@@ -733,5 +733,73 @@ public class StringUtil
return s.substring(1,s.length()-1).split(" *, *");
}
+
+ public static String sanitizeXmlString(String html)
+ {
+ if (html==null)
+ return null;
+
+ int i=0;
+
+ // Are there any characters that need sanitizing?
+ loop: for (;i<html.length();i++)
+ {
+ char c=html.charAt(i);
+
+ switch(c)
+ {
+ case '&' :
+ case '<' :
+ case '>' :
+ case '\'':
+ case '"':
+ break loop;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ break loop;
+ }
+ }
+
+ // No characters need sanitizing, so return original string
+ if (i==html.length())
+ return html;
+
+ // Create builder with OK content so far
+ StringBuilder out = new StringBuilder(html.length()*4/3);
+ out.append(html,0,i);
+
+ // sanitize remaining content
+ for (;i<html.length();i++)
+ {
+ char c=html.charAt(i);
+
+ switch(c)
+ {
+ case '&' :
+ out.append("&amp;");
+ break;
+ case '<' :
+ out.append("&lt;");
+ break;
+ case '>' :
+ out.append("&gt;");
+ break;
+ case '\'':
+ out.append("&apos;");
+ break;
+ case '"':
+ out.append("&quot;");
+ break;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ out.append('?');
+ else
+ out.append(c);
+ }
+ }
+ return out.toString();
+ }
}
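Review bot: The control-character filter in the `default:` branch of both the scan loop and the rewrite loop lets through characters that are not legal in XML 1.0, because `Character.isWhitespace` is also true for U+000B, U+000C and U+001C–U+001F, while XML only permits tab, LF and CR below U+0020. Testing the three allowed characters explicitly closes that gap in both places: `if (Character.isISOControl(c) && c!='\t' && c!='\n' && c!='\r')`. The new public method also has no Javadoc; a short one should state that it escapes `&`, `<`, `>`, `'` and `"` to entities, replaces other control characters with `?`, returns the same instance when nothing needs escaping, and that `&apos;` is an XML entity that pre-HTML5 consumers may not recognise. Renaming the parameter from `html` to `xml` would match the method's name, and the enclosing `StringUtil` class starts outside the hunk.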
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
index 6fa97109a6..073072018f 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
@@ -613,7 +613,7 @@ public abstract class Resource implements ResourceFactory, Closeable
private static String deTag(String raw)
{
- return StringUtil.replace( StringUtil.replace(raw,"<","&lt;"), ">", "&gt;");
+ return StringUtil.sanitizeXmlString(raw);
}
/* ------------------------------------------------------------ */
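Review bot: `deTag` now emits `&apos;` for single quotes, which is a predefined XML entity but not one defined in HTML 4.01; the old body escaped only `<` and `>`, which suggests the result is placed in an HTML listing, and a legacy-mode browser may then render the entity as literal text, so `&#39;` would be the portable form if this is an HTML sink. Either a dedicated HTML-escaping helper or a comment on `deTag` such as `// output is XML-escaped; consumers must be HTML5/XHTML parsers` would make the intended consumer explicit. Note also that `&` is now escaped where it previously was not, so any caller that already passed entity-encoded text would see double encoding; the enclosing `Resource` class continues outside the hunk.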
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
index 1f78960308..8c4b05f8ee 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
@@ -201,7 +201,8 @@ public class StringUtilTest
}
@Test
- public void testIsBlank() {
+ public void testIsBlank()
+ {
Assert.assertTrue(StringUtil.isBlank(null));
Assert.assertTrue(StringUtil.isBlank(""));
Assert.assertTrue(StringUtil.isBlank("\r\n"));
@@ -216,7 +217,8 @@ public class StringUtilTest
}
@Test
- public void testIsNotBlank() {
+ public void testIsNotBlank()
+ {
Assert.assertFalse(StringUtil.isNotBlank(null));
Assert.assertFalse(StringUtil.isNotBlank(""));
Assert.assertFalse(StringUtil.isNotBlank("\r\n"));
@@ -229,4 +231,14 @@ public class StringUtilTest
Assert.assertTrue(StringUtil.isNotBlank("."));
Assert.assertTrue(StringUtil.isNotBlank(";\n"));
}
+
+ @Test
+ public void testSanitizeHTML()
+ {
+ assertEquals(null,StringUtil.sanitizeXmlString(null));
+ assertEquals("",StringUtil.sanitizeXmlString(""));
+ assertEquals("&lt;&amp;&gt;",StringUtil.sanitizeXmlString("<&>"));
+ assertEquals("Hello &lt;Cruel&gt; World",StringUtil.sanitizeXmlString("Hello <Cruel> World"));
+ assertEquals("Hello ? World",StringUtil.sanitizeXmlString("Hello \u0000 World"));
+ }
}
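Review bot: `testSanitizeHTML` covers `<`, `&`, `>` and NUL but pins neither the two quote characters the method escapes nor the control characters that `Character.isWhitespace` accepts, so adding `assertEquals("&quot;&apos;",StringUtil.sanitizeXmlString("\"'"));` and `assertEquals("a?b",StringUtil.sanitizeXmlString("a\u001Cb"));` would cover both; the second will fail against the current implementation, which passes U+001C through unchanged because `isWhitespace` returns true for it. The test name should match the method under test, e.g. `testSanitizeXmlString`. The new assertions use an unqualified `assertEquals` while the neighbouring tests call `Assert.assertTrue`; whether a static import for it already exists is outside the hunk.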
