JETTY-1057

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@455 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
Greg Wilkins 2009-07-01 00:48:11 +00:00
parent a8574969b9
commit 73d67b0287
2 changed files with 14 additions and 15 deletions


@ -8,6 +8,7 @@ jetty-7.0.0.M4-SNAPSHOT
+ JETTY-1049 Improved transparent proxy usability
+ JETTY-1054 Avoid double deploys
+ JETTY-1055 Cookie quoting
+ JETTY-1057 Error page stack trace XSS
jetty-7.0.0.M3 20 June 2009
+ fixed race with expired async listeners


@ -75,12 +75,6 @@ public class ErrorHandler extends AbstractHandler
{
if (message == null)
message=HttpStatus.getCode(code).getMessage();
else
{
message= StringUtil.replace(message, "&", "&");
message= StringUtil.replace(message, "<", "&lt;");
message= StringUtil.replace(message, ">", "&gt;");
}
writer.write("<html>\n<head>\n");
writeErrorPageHead(request,writer,code,message);
@ -98,7 +92,7 @@ public class ErrorHandler extends AbstractHandler
writer.write(Integer.toString(code));
writer.write(' ');
if (message!=null)
writer.write(message);
writer.write(deScript(message));
writer.write("</title>\n");
}
@ -107,12 +101,6 @@ public class ErrorHandler extends AbstractHandler
throws IOException
{
String uri= request.getRequestURI();
if (uri!=null)
{
uri= StringUtil.replace(uri, "&", "&amp;");
uri= StringUtil.replace(uri, "<", "&lt;");
uri= StringUtil.replace(uri, ">", "&gt;");
}
writeErrorPageMessage(request,writer,code,message,uri);
if (showStacks)
@ -131,7 +119,7 @@ public class ErrorHandler extends AbstractHandler
writer.write("</h2>\n<p>Problem accessing ");
writer.write(uri);
writer.write(". Reason:\n<pre> ");
writer.write(message);
writer.write(deScript(message));
writer.write("</pre></p>");
}
@ -147,7 +135,7 @@ public class ErrorHandler extends AbstractHandler
PrintWriter pw = new PrintWriter(sw);
th.printStackTrace(pw);
pw.flush();
writer.write(sw.getBuffer().toString());
writer.write(deScript(sw.getBuffer().toString()));
writer.write("</pre>\n");
th =th.getCause();
@ -173,4 +161,14 @@ public class ErrorHandler extends AbstractHandler
_showStacks = showStacks;
}
/* ------------------------------------------------------------ */
protected String deScript(String string)
{
if (string==null)
return null;
string=StringUtil.replace(string, "&", "&amp;");
string=StringUtil.replace(string, "<", "&lt;");
string=StringUtil.replace(string, ">", "&gt;");
return string;
}
}
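Review bot: The request URI appears to reach the page unescaped after this change: the `@ -107,12 +101,6` hunk drops the `StringUtil.replace` escaping of `uri` in writeErrorPage, while in the `@ -131,7 +119,7` hunk `writer.write(uri);` is left untouched and only the message line was switched to `deScript`, so unless escaping happens somewhere outside these hunks that line should become `writer.write(deScript(uri));`. `deScript` itself (fully visible in the last hunk) escapes only `&`, `<` and `>`, which is adequate for element text such as `<title>` and `<pre>` but not for attribute values, since quotes pass through unchanged; because it is `protected` and may be reused by subclasses, that limit deserves a Javadoc, e.g. `/** Escapes &, < and > so the string can be written as HTML element text; quotes are not escaped, so this is not safe for attribute values. */`. The name suggests script removal rather than HTML escaping, which makes the doc comment all the more useful. The enclosing writeErrorPage and writeErrorPageMessage bodies start outside their hunks.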