%line | %branch | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
org.apache.jetspeed.engine.servlet.XXSUrlAttackFilter |
|
|
1 | /* |
|
2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
|
3 | * contributor license agreements. See the NOTICE file distributed with |
|
4 | * this work for additional information regarding copyright ownership. |
|
5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
|
6 | * (the "License"); you may not use this file except in compliance with |
|
7 | * the License. You may obtain a copy of the License at |
|
8 | * |
|
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
|
10 | * |
|
11 | * Unless required by applicable law or agreed to in writing, software |
|
12 | * distributed under the License is distributed on an "AS IS" |
|
13 | * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
14 | * See the License for the specific language governing permissions and |
|
15 | * limitations under the License. |
|
16 | */ |
|
17 | package org.apache.jetspeed.engine.servlet; |
|
18 | ||
19 | import java.io.IOException; |
|
20 | ||
21 | import javax.servlet.Filter; |
|
22 | import javax.servlet.FilterChain; |
|
23 | import javax.servlet.FilterConfig; |
|
24 | import javax.servlet.ServletException; |
|
25 | import javax.servlet.ServletRequest; |
|
26 | import javax.servlet.ServletResponse; |
|
27 | import javax.servlet.http.HttpServletRequest; |
|
28 | import javax.servlet.http.HttpServletResponse; |
|
29 | ||
30 | /** |
|
31 | * Simple XXS Url attack protection blocking access whenever the request url contains a < or > character. |
|
32 | * @version $Id: XXSUrlAttackFilter.java 516448 2007-03-09 16:25:47Z ate $ |
|
33 | * |
|
34 | */ |
|
35 | 0 | public class XXSUrlAttackFilter implements Filter |
36 | { |
|
37 | public void init(FilterConfig config) throws ServletException |
|
38 | { |
|
39 | 0 | } |
40 | ||
41 | public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, |
|
42 | ServletException |
|
43 | { |
|
44 | 0 | if (request instanceof HttpServletRequest) |
45 | { |
|
46 | 0 | HttpServletRequest hreq = (HttpServletRequest) request; |
47 | 0 | if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI())) |
48 | { |
|
49 | 0 | ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST); |
50 | } |
|
51 | } |
|
52 | 0 | chain.doFilter(request, response); |
53 | 0 | } |
54 | ||
55 | private boolean isInvalid(String value) |
|
56 | { |
|
57 | 0 | return (value != null && (value.indexOf('<') != -1 || value.indexOf('>') != -1 || value.indexOf("%3e") != -1 |
58 | || value.indexOf("%3c") != -1 || value.indexOf("%3E") != -1 || value.indexOf("%3E") != -1)); |
|
59 | } |
|
60 | ||
61 | public void destroy() |
|
62 | { |
|
63 | 0 | } |
64 | } |
This report is generated by jcoverage, Maven and Maven JCoverage Plugin. |