From b5d16898e5af5a1590abf01c8887fbf5241eda58 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Thu, 15 Oct 2009 19:04:48 +0000
Subject: [PATCH] JETTY-1129 Filter control characters out of StdErrLog
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@991 7e9141cc-0065-0410-87d8-b60c137991c4
---
VERSION.txt | 31 ++++
.../org/eclipse/jetty/http/HttpParser.java | 10 +-
.../jetty/server/handler/ErrorHandler.java | 42 +++--
.../org/eclipse/jetty/util/log/StdErrLog.java | 154 +++++++++++++++---
4 files changed, 203 insertions(+), 34 deletions(-)
diff --git a/VERSION.txt b/VERSION.txt
index 2fa339520c3..bde538a8a7a 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -13,6 +13,7 @@ jetty-7.0.1-SNAPSHOT
+ JETTY-937 More JVM bug work arounds. Insert pause if all else fails
+ JETTY-1114 unsynchronised WebAppClassloader.getResource(String)
+ JETTY-1122 Handle multi-byte utf that causes buffer overflow
+ + JETTY-1129 Filter control characters out of StdErrLog
+ Fixed XSS issue in CookieDump demo servlet.
+ 291019 Fix default DEBUG option; "-D.DEBUG=true" now works
+ 291340 Race condition in onException() notifications
@@ -22,6 +23,36 @@ jetty-7.0.1-SNAPSHOT
jetty-7.0.0.v20091005 5 October 2009
291340 Race condition in onException() notifications
+jetty-6.1.21 22 September 2009
+ + JETTY-719 Document state machine of jetty http client
+ + JETTY-933 State == HEADER in client
+ + JETTY-936 Improved servlet matching and optimized
+ + JETTY-1038 ChannelId.isParentOf returns the wrong result
+ + JETTY-1061 Catch exceptions from cometd listeners
+ + JETTY-1072 maven plugin handles context path not as documented
+ + JETTY-1080 modified previous fix for windows
+ + JETTY-1084 HEAD command not setting content-type in response under certain circumstances
+ + JETTY-1090 resolve inifinte loop condition for webdav listener
+ + JETTY-1092 MultiPartFilter can be pushed into infinite loop
+ + JETTY-1093 Request.toString throws exception when size exceeds 4k
+ + JETTY-1098 Default form encoding is UTF8
+ + JETTY-1099 Improve cookie handling in BayeuxClient
+ + JETTY-1100 extend setuid feature to allow setting max open file descriptors
+ + JETTY-1102 Wrong usage of deliver() in private chat messages
+ + JETTY-1108 SSL EOF detection
+ + JETTY-1109 Improper handling of cookies in Terracotta tests
+ + JETTY-1112 Response fails if header exceeds buffer size
+ + JETTY-1113 IllegalStateException when adding servlet filters programmatically
+ + JETTY-1114 Unsynchronize webapp classloader getResource
+ + 282543 HttpClient SSL buffer size fix
+ + 288055 fix jetty-client for failed listener state machine
+ + 288153 reset exchange when resending
+ + 288182 PUT request fails during retry
+ + Fix DefaultServletTest for windows
+ + Update Jetty implementation of com.sun.net.httpserver.*
+ + Include tmp directory sweeper in build
+ + Streamline jetty-jboss build, update sar to QueuedThreadPool
+
jetty-7.0.0.RC6 September 21 2009
+ Fixed XSS issue in CookieDump demo servlet.
+ 289958 StatisticsServlet incorrectly adds StatisticsHandler
diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
index 938b930fc66..79113abd8cc 100644
--- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
+++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
@@ -456,7 +456,15 @@ public class HttpParser implements Parser
case HttpHeaders.CONTENT_LENGTH_ORDINAL:
if (_contentLength != HttpTokens.CHUNKED_CONTENT)
{
- _contentLength=BufferUtil.toLong(value);
+ try
+ {
+ _contentLength=BufferUtil.toLong(value);
+ }
+ catch(NumberFormatException e)
+ {
+ Log.ignore(e);
+ throw new HttpException(HttpStatus.BAD_REQUEST_400);
+ }
if (_contentLength <= 0)
_contentLength=HttpTokens.NO_CONTENT;
}
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
index 2a815bc627c..d22382e2e65 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java
@@ -92,8 +92,7 @@ public class ErrorHandler extends AbstractHandler
writer.write("Error ");
writer.write(Integer.toString(code));
writer.write(' ');
- if (message!=null)
- writer.write(deScript(message));
+ write(writer,message);
writer.write("\n");
}
@@ -118,9 +117,9 @@ public class ErrorHandler extends AbstractHandler
writer.write("HTTP ERROR ");
writer.write(Integer.toString(code));
writer.write("
\nProblem accessing ");
- writer.write(deScript(uri));
+ write(writer,uri);
writer.write(". Reason:\n
");
- writer.write(deScript(message));
+ write(writer,message);
writer.write("
");
}
@@ -136,7 +135,7 @@ public class ErrorHandler extends AbstractHandler
PrintWriter pw = new PrintWriter(sw);
th.printStackTrace(pw);
pw.flush();
- writer.write(deScript(sw.getBuffer().toString()));
+ write(writer,sw.getBuffer().toString());
writer.write("\n");
th =th.getCause();
@@ -163,13 +162,34 @@ public class ErrorHandler extends AbstractHandler
}
/* ------------------------------------------------------------ */
- protected String deScript(String string)
+ protected void write(Writer writer,String string)
+ throws IOException
{
if (string==null)
- return null;
- string=StringUtil.replace(string, "&", "&");
- string=StringUtil.replace(string, "<", "<");
- string=StringUtil.replace(string, ">", ">");
- return string;
+ return;
+
+ for (int i=0;i' :
+ writer.write(">");
+ break;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ writer.write('?');
+ else
+ writer.write(c);
+ }
+ }
}
}
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java b/jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java
index d32b67bff01..a3d81b1f4ed 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/log/StdErrLog.java
@@ -37,6 +37,7 @@ public class StdErrLog implements Logger
private boolean _debug = __debug;
private final String _name;
private boolean _hideStacks=false;
+ StringBuilder _buffer = new StringBuilder();
static
{
@@ -99,14 +100,24 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":INFO:"+_name+":"+msg);
+ synchronized(_buffer)
+ {
+ tag(d,ms,":INFO:");
+ format(msg);
+ System.err.println(_buffer.toString());
+ }
}
public void info(String msg,Object arg0, Object arg1)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":INFO:"+_name+":"+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":INFO:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
public void debug(String msg,Throwable th)
@@ -115,13 +126,15 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":DBUG:"+_name+":"+msg);
- if (th!=null)
+ synchronized(_buffer)
{
+ tag(d,ms,":DBUG:");
+ format(msg);
if (_hideStacks)
- System.err.println(th);
+ format(th.toString());
else
- th.printStackTrace();
+ format(th);
+ System.err.println(_buffer.toString());
}
}
}
@@ -132,7 +145,12 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":DBUG:"+_name+":"+msg);
+ synchronized(_buffer)
+ {
+ tag(d,ms,":DBUG:");
+ format(msg);
+ System.err.println(_buffer.toString());
+ }
}
}
@@ -142,7 +160,12 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":DBUG:"+_name+":"+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":DBUG:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
}
@@ -150,40 +173,127 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":WARN:"+_name+":"+msg);
+ synchronized(_buffer)
+ {
+ tag(d,ms,":WARN:");
+ format(msg);
+ System.err.println(_buffer.toString());
+ }
}
public void warn(String msg,Object arg0, Object arg1)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":WARN:"+_name+":"+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":WARN:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
public void warn(String msg, Throwable th)
{
String d=_dateCache.now();
- int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>0?".0":".00"))+ms+":WARN:"+_name+":"+msg);
- if (th!=null)
+ int ms=_dateCache.lastMs();
+ synchronized(_buffer)
{
+ tag(d,ms,":WARN:");
+ format(msg);
if (_hideStacks)
- System.err.println(th);
+ format(th.toString());
else
- th.printStackTrace();
- }
+ format(th);
+ System.err.println(_buffer.toString());
+ }
}
- private String format(String msg, Object arg0, Object arg1)
+
+ private void tag(String d,int ms,String tag)
+ {
+ _buffer.setLength(0);
+ _buffer.append(d);
+ if (ms>99)
+ _buffer.append('.');
+ else if (ms>9)
+ _buffer.append(".0");
+ else
+ _buffer.append(".00");
+ _buffer.append(ms).append(tag).append(_name).append(':');
+ }
+
+ private void format(String msg, Object arg0, Object arg1)
{
int i0=msg.indexOf("{}");
int i1=i0<0?-1:msg.indexOf("{}",i0+2);
- if (arg1!=null && i1>=0)
- msg=msg.substring(0,i1)+arg1+msg.substring(i1+2);
- if (arg0!=null && i0>=0)
- msg=msg.substring(0,i0)+arg0+msg.substring(i0+2);
- return msg;
+ if (i0>=0)
+ {
+ format(msg.substring(0,i0));
+ format(String.valueOf(arg0));
+
+ if (i1>=0)
+ {
+ format(msg.substring(i0+2,i1));
+ format(String.valueOf(arg1));
+ format(msg.substring(i1+2));
+ }
+ else
+ {
+ format(msg.substring(i1+2));
+ if (arg1!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg1));
+ }
+ }
+ }
+ else
+ {
+ format(msg);
+ if (arg0!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg0));
+ }
+ if (arg1!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg1));
+ }
+ }
+ }
+
+ private void format(String msg)
+ {
+ for (int i=0;i