17 package org.apache.jetspeed.engine.servlet;
18
19 import java.io.IOException;
20
21 import javax.servlet.Filter;
22 import javax.servlet.FilterChain;
23 import javax.servlet.FilterConfig;
24 import javax.servlet.ServletException;
25 import javax.servlet.ServletRequest;
26 import javax.servlet.ServletResponse;
27 import javax.servlet.http.HttpServletRequest;
28 import javax.servlet.http.HttpServletResponse;
29
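/**
 * Simple XSS URL attack protection: rejects any HTTP request whose raw request URI or query
 * string contains a {@code <} or {@code >} character, either literally or percent-encoded
 * ({@code %3C} / {@code %3E} in any letter case).
 * <p>
 * A rejected request is answered with {@link HttpServletResponse#SC_BAD_REQUEST} and is
 * <em>not</em> passed further down the filter chain, so the target servlet never sees the
 * suspicious URL. Non-HTTP requests are passed through untouched.
 * <p>
 * Only one level of percent-encoding is inspected; this filter is a coarse safety net and
 * does not replace proper output escaping in the rendering layer.
 *
 * @version $Id: XXSUrlAttackFilter.java 516448 2007-03-09 16:25:47Z ate $
 */
public class XXSUrlAttackFilter implements Filter
{
    /**
     * Substrings whose presence in the raw URI or query string causes the request to be
     * rejected: the literal angle brackets and both letter cases of their percent-encoding.
     */
    private static final String[] FORBIDDEN = { "<", ">", "%3c", "%3C", "%3e", "%3E" };

    public void init(FilterConfig config) throws ServletException
    {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        if (request instanceof HttpServletRequest)
        {
            HttpServletRequest hreq = (HttpServletRequest) request;
            // getRequestURI() and getQueryString() return the raw, still percent-encoded
            // values, which is why the encoded forms are checked alongside the literals.
            if (isInvalid(hreq.getQueryString()) || isInvalid(hreq.getRequestURI()))
            {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                // Stop here: continuing down the chain would hand the rejected request to the
                // target servlet anyway, on a response that has already been committed.
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Tests whether a raw URL fragment contains an angle bracket, literal or percent-encoded.
     *
     * @param value raw request URI or query string; {@code null} is treated as valid
     * @return {@code true} if the value must be rejected
     */
    static boolean isInvalid(String value)
    {
        if (value == null)
        {
            return false;
        }
        for (int i = 0; i < FORBIDDEN.length; i++)
        {
            if (value.indexOf(FORBIDDEN[i]) != -1)
            {
                return true;
            }
        }
        return false;
    }

    public void destroy()
    {
        // nothing to release
    }
}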