
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    *
9    * http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" 
13   * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
14   * See the License for the specific language governing permissions and 
15   * limitations under the License.
16   */
17  package org.apache.jetspeed.engine.servlet;
18  
19  import java.io.IOException;
20  
21  import javax.servlet.Filter;
22  import javax.servlet.FilterChain;
23  import javax.servlet.FilterConfig;
24  import javax.servlet.ServletException;
25  import javax.servlet.ServletRequest;
26  import javax.servlet.ServletResponse;
27  import javax.servlet.http.HttpServletRequest;
28  import javax.servlet.http.HttpServletResponse;
29  
30  /***
31   * Simple XSS URL attack protection, blocking access whenever the request URL contains a < or > character.
32   * @version $Id: XXSUrlAttackFilter.java 516448 2007-03-09 16:25:47Z ate $
33   * 
34   */
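public class XXSUrlAttackFilter implements Filter
{
    /**
     * Substrings that cause a request to be rejected when found in the query
     * string or request URI: the raw angle brackets and their URL-encoded
     * forms in both letter cases. The previous inline list tested {@code %3E}
     * twice and never {@code %3C}, so an upper-case encoded '&lt;' was let
     * through; listing the tokens in one place makes such gaps visible.
     */
    private static final String[] FORBIDDEN_TOKENS = { "<", ">", "%3c", "%3C", "%3e", "%3E" };

    /**
     * No configuration is read from the filter config; nothing to initialise.
     *
     * @param config ignored
     * @throws ServletException never thrown by this implementation
     */
    public void init(FilterConfig config) throws ServletException
    {
    }

    /**
     * Rejects an HTTP request with {@code 400 Bad Request} when its query
     * string or request URI contains an angle bracket in raw or URL-encoded
     * form, and otherwise passes the request down the filter chain.
     * Non-HTTP requests are passed through untouched.
     * <p>
     * The check is a plain substring match on the values returned by
     * {@code getQueryString()} and {@code getRequestURI()}; nothing here
     * decodes those values, so only the encodings listed in
     * {@link #FORBIDDEN_TOKENS} are caught. After the error has been sent the
     * method returns without invoking the chain, so the rejected request never
     * reaches the servlet.
     *
     * @param request  the incoming request
     * @param response the response the error is written to when the request is rejected
     * @param chain    the remaining filter chain, invoked only for accepted requests
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException
    {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse)
        {
            HttpServletRequest hreq = (HttpServletRequest) request;
            if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI()))
            {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                // Stop here. The earlier version fell through to chain.doFilter
                // after sending the error, so the "blocked" request was still
                // processed downstream on an already committed response.
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Tells whether {@code value} contains any of the forbidden tokens.
     *
     * @param value query string or request URI; may be {@code null}
     * @return {@code true} if a forbidden token occurs in {@code value};
     *         {@code false} for {@code null} or a clean value
     */
    private boolean isInvalid(String value)
    {
        if (value == null)
        {
            return false;
        }
        for (int i = 0; i < FORBIDDEN_TOKENS.length; i++)
        {
            if (value.indexOf(FORBIDDEN_TOKENS[i]) != -1)
            {
                return true;
            }
        }
        return false;
    }

    /**
     * Nothing is allocated in {@link #init}, so there is nothing to release.
     */
    public void destroy()
    {
    }
}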