Changeset b013173 for apps/jetty


Timestamp:
Feb 6, 2018 9:52:02 PM (2 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
65484510
Parents:
172f0c9d
Message:

Util: Allow backslash in XSS filter on Windows

File:
1 edited

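--- a/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java
+++ b/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java
@@ -14,4 +14,5 @@
 import net.i2p.I2PAppContext;
 import net.i2p.util.Log;
+import net.i2p.util.SystemVersion;
 
 /**
@@ -20,5 +21,8 @@
 public class XSSRequestWrapper extends HttpServletRequestWrapper {
     // Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
-    private static final Pattern parameterValuePattern = Pattern.compile("^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$");
+    private static final String NON_WIN_PATTERN = "^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$";
+    // Same as above but with backslash for file paths
+    private static final String WIN_PATTERN     = "^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n\\\\]*$";
+    private static final Pattern parameterValuePattern = Pattern.compile(SystemVersion.isWindows() ? WIN_PATTERN : NON_WIN_PATTERN);
     private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$");
     private static final String NOFILTER = "nofilter_";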
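Review bot: `WIN_PATTERN` admits a backslash in every filtered parameter value on a Windows host, not only in the parameters that carry file paths, and the choice is fixed once at class load by `SystemVersion.isWindows()`. Backslash is an escape character inside JavaScript and CSS string literals, so the allowlist can no longer be relied on for values echoed into those contexts; the pages that reflect parameters (outside this hunk) should output-encode them. I would record that next to the constant, e.g. `// Backslash passes on Windows: callers must still encode values written into script or style contexts`, and consider limiting the relaxed pattern to the path-bearing parameters. The class body continues outside the hunk, so how `parameterValuePattern` is applied is not visible here.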