antville/helma
antville/helma
1
1
Fork 0
Code Issues 5 Pull requests 7 Projects Releases 5 Activity Actions

Changed order of reading request properties. Previously, HTTP parameters

Browse source 
where set after HTTP variables/headers, which caused a security problem
with HTTP variables being overridable by parameters. (bug #77)
This commit is contained in:
hns 2002-04-23 16:07:51 +00:00
parent 8ddc2b2e4f
commit c7071ce55d
2 changed files with 102 additions and 92 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
src/helma/servlet/AbstractServletClient.java
View file

@ -87,8 +87,43 @@ public abstract class AbstractServletClient extends HttpServlet {
try { try {
// read and set http parameters
for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) {
String nextKey = (String)e.nextElement();
String[] paramValues = request.getParameterValues(nextKey);
if (paramValues != null) {
reqtrans.set (nextKey, paramValues[0]); // set to single string value
if (paramValues.length > 1)
reqtrans.set (nextKey+"_array", paramValues); // set string array
}
}
// check for MIME file uploads
String contentType = request.getContentType();
if (contentType != null && contentType.indexOf("multipart/form-data")==0) {
// File Upload
Uploader up;
try {
if ((up = getUpload (request)) != null) {
Hashtable upload = up.getParts ();
for (Enumeration e = upload.keys(); e.hasMoreElements(); ) {
String nextKey = (String) e.nextElement ();
Object nextPart = upload.get (nextKey);
reqtrans.set (nextKey, nextPart);
}
}
} catch (Exception upx) {
String uploadErr = upx.getMessage ();
if (uploadErr == null || uploadErr.length () == 0)
uploadErr = upx.toString ();
reqtrans.set ("uploadError", uploadErr);
}
}
// read cookies
if (cookies != null) { if (cookies != null) {
for (int i=0; i < cookies.length;i++) try { // get Cookies for (int i=0; i < cookies.length;i++) try {
// get Cookies
String nextKey = cookies[i].getName (); String nextKey = cookies[i].getName ();
String nextPart = cookies[i].getValue (); String nextPart = cookies[i].getValue ();
if ("HopSession".equals (nextKey)) if ("HopSession".equals (nextKey))
@ -109,6 +144,7 @@ public abstract class AbstractServletClient extends HttpServlet {
response.addCookie(c); response.addCookie(c);
} }
// do standard HTTP variables
String host = request.getHeader ("Host"); String host = request.getHeader ("Host");
if (host != null) { if (host != null) {
host = host.toLowerCase(); host = host.toLowerCase();
@ -131,38 +167,6 @@ public abstract class AbstractServletClient extends HttpServlet {
if ( authorization != null ) if ( authorization != null )
reqtrans.set ("authorization", authorization ); reqtrans.set ("authorization", authorization );
for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) {
// Params parsen
String nextKey = (String)e.nextElement();
String[] paramValues = request.getParameterValues(nextKey);
if (paramValues != null) {
reqtrans.set (nextKey, paramValues[0]); // set to single string value
if (paramValues.length > 1)
reqtrans.set (nextKey+"_array", paramValues); // set string array
}
}
String contentType = request.getContentType();
if (contentType != null && contentType.indexOf("multipart/form-data")==0) {
// File Upload
Uploader up;
try {
if ((up = getUpload (request)) != null) {
Hashtable upload = up.getParts ();
for (Enumeration e = upload.keys(); e.hasMoreElements(); ) {
String nextKey = (String) e.nextElement ();
Object nextPart = upload.get (nextKey);
reqtrans.set (nextKey, nextPart);
}
}
} catch (Exception upx) {
String uploadErr = upx.getMessage ();
if (uploadErr == null || uploadErr.length () == 0)
uploadErr = upx.toString ();
reqtrans.set ("uploadError", uploadErr);
}
}
// get RMI ref to application and execute request // get RMI ref to application and execute request
IRemoteApp app = getApp (appID); IRemoteApp app = getApp (appID);
ResponseTrans restrans = null; ResponseTrans restrans = null;

72
src/helma/servlet/AcmeServletClient.java
View file

@ -56,16 +56,53 @@ public class AcmeServletClient extends HttpServlet {
try { try {
RequestTrans reqtrans = new RequestTrans (method); RequestTrans reqtrans = new RequestTrans (method);
// read and set http parameters
for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) {
// Params parsen
String nextKey = (String)e.nextElement();
String[] paramValues = request.getParameterValues(nextKey);
if (paramValues != null) {
reqtrans.set (nextKey, paramValues[0]); // set to single string value
if (paramValues.length > 1)
reqtrans.set (nextKey+"_array", paramValues); // set string array
}
}
// check for MIME file uploads
String contentType = request.getContentType();
if (contentType != null && contentType.indexOf("multipart/form-data")==0) {
// File Upload
Uploader up;
try {
if ((up = getUpload (uploadLimit, request)) != null) {
Hashtable upload = up.getParts ();
for (Enumeration e = upload.keys(); e.hasMoreElements(); ) {
String nextKey = (String) e.nextElement ();
Object nextPart = upload.get (nextKey);
reqtrans.set (nextKey, nextPart);
}
}
} catch (Exception upx) {
String uploadErr = upx.getMessage ();
if (uploadErr == null || uploadErr.length () == 0)
uploadErr = upx.toString ();
reqtrans.set ("uploadError", uploadErr);
}
}
// HACK - sessions not fully supported in Acme.Serve // HACK - sessions not fully supported in Acme.Serve
// Thats ok, we dont need the session object, just the id. // Thats ok, we dont need the session object, just the id.
reqtrans.session = request.getRequestedSessionId(); reqtrans.session = request.getRequestedSessionId();
// get Cookies
if (cookies != null) { if (cookies != null) {
for (int i=0; i < cookies.length;i++) try { // get Cookies for (int i=0; i < cookies.length;i++) try {
String nextKey = cookies[i].getName (); String nextKey = cookies[i].getName ();
String nextPart = cookies[i].getValue (); String nextPart = cookies[i].getValue ();
reqtrans.set (nextKey, nextPart); reqtrans.set (nextKey, nextPart);
} catch (Exception badCookie) {} } catch (Exception badCookie) {}
} }
// get optional path info // get optional path info
String pathInfo = request.getServletPath (); String pathInfo = request.getServletPath ();
if (pathInfo != null) { if (pathInfo != null) {
@ -75,6 +112,7 @@ public class AcmeServletClient extends HttpServlet {
} else } else
reqtrans.path = ""; reqtrans.path = "";
// do standard HTTP variables
String host = request.getHeader ("Host"); String host = request.getHeader ("Host");
if (host != null) { if (host != null) {
host = host.toLowerCase(); host = host.toLowerCase();
@ -97,38 +135,6 @@ public class AcmeServletClient extends HttpServlet {
if ( authorization != null ) if ( authorization != null )
reqtrans.set ("authorization", authorization ); reqtrans.set ("authorization", authorization );
for (Enumeration e = request.getParameterNames(); e.hasMoreElements(); ) {
// Params parsen
String nextKey = (String)e.nextElement();
String[] paramValues = request.getParameterValues(nextKey);
if (paramValues != null) {
reqtrans.set (nextKey, paramValues[0]); // set to single string value
if (paramValues.length > 1)
reqtrans.set (nextKey+"_array", paramValues); // set string array
}
}
String contentType = request.getContentType();
if (contentType != null && contentType.indexOf("multipart/form-data")==0) {
// File Upload
Uploader up;
try {
if ((up = getUpload (uploadLimit, request)) != null) {
Hashtable upload = up.getParts ();
for (Enumeration e = upload.keys(); e.hasMoreElements(); ) {
String nextKey = (String) e.nextElement ();
Object nextPart = upload.get (nextKey);
reqtrans.set (nextKey, nextPart);
}
}
} catch (Exception upx) {
String uploadErr = upx.getMessage ();
if (uploadErr == null || uploadErr.length () == 0)
uploadErr = upx.toString ();
reqtrans.set ("uploadError", uploadErr);
}
}
ResponseTrans restrans = null; ResponseTrans restrans = null;
restrans = app.execute (reqtrans); restrans = app.execute (reqtrans);
writeResponse (response, restrans, cookies, protocol); writeResponse (response, restrans, cookies, protocol);