ASF Bugzilla – Attachment 25623 Details for
Bug 49478
Add encoding parameter to AddDefaultCharSetFilter
[patch]
add encoding parameter to AddDefaultCharsetFilter
parameterize_AddDefaultCharsetFilter.patch (text/plain), 6.90 KB, created by
Felix Schumacher
on 2010-06-21 05:45:21 UTC
Description:
add encoding parameter to AddDefaultCharsetFilter
Filename:
MIME Type:
Creator:
Felix Schumacher
Created:
2010-06-21 05:45:21 UTC
Size:
6.90 KB
>diff --git a/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java b/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
>index f1ae36d..af29c1e 100644
>--- a/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
>+++ b/java/org/apache/catalina/filters/AddDefaultCharsetFilter.java
>@@ -17,8 +17,8 @@
>
> package org.apache.catalina.filters;
>
>-
> import java.io.IOException;
>+import java.nio.charset.Charset;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
>@@ -29,66 +29,109 @@ import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpServletResponseWrapper;
>
>-
> /**
> * Filter that explicitly sets the default character set for media subtypes of
>- * the "text" type to ISO-8859-1. RFC2616 explicitly states that browsers must
>- * use ISO-8859-1 in these circumstances. However, browsers may attempt to
>- * auto-detect the character set. This may be exploited by an attacker to
>- * perform an XSS attack. Internet Explorer has this behaviour by default. Other
>- * browsers have an option to enable it.
>+ * the "text" type to ISO-8859-1, or another user defined character set. RFC2616
>+ * explicitly states that browsers must use that character set in these
>+ * circumstances. However, browsers may attempt to auto-detect the character
>+ * set. This may be exploited by an attacker to perform an XSS attack. Internet
>+ * Explorer has this behaviour by default. Other browsers have an option to
>+ * enable it.<br>
> *
> * This filter prevents the attack by explicitly setting a character set. Unless
> * the provided character set is explicitly overridden by the user - in which
> * case they deserve everything they get - the browser will adhere to an
>- * explicitly set character set, thus preventing the XSS attack.
>+ * explicitly set character set, thus preventing the XSS attack.<br>
>+ *
>+ * This filter thas one parameter named "encoding", which can hold the character
>+ * set to be used. The parameter can also be set to one of two special values.
>+ *
>+ * <dl>
>+ * <dt>default</dt>
>+ * <dd>If the value of this parameter is <code>null</code>, empty or "default",
>+ * the used character set will be "ISO-8559-1".</dd>
>+ * <dt>system</dt>
>+ * <dd>A value of "system" will set the jvm wide default character set, which is
>+ * usually set by the system Locale.</dd>
>+ * </dl>
> */
> public class AddDefaultCharsetFilter implements Filter {
>
>- public void destroy() {
>- // NOOP
>- }
>-
>- public void doFilter(ServletRequest request, ServletResponse response,
>- FilterChain chain) throws IOException, ServletException {
>-
>- // Wrap the response
>- if (response instanceof HttpServletResponse) {
>- ResponseWrapper wrapped =
>- new ResponseWrapper((HttpServletResponse)response);
>- chain.doFilter(request, wrapped);
>- } else {
>- chain.doFilter(request, response);
>- }
>- }
>-
>- public void init(FilterConfig filterConfig) throws ServletException {
>- // NOOP
>- }
>-
>- /**
>- * Wrapper that adds the default character set for text media types if no
>- * character set is specified.
>- */
>- public class ResponseWrapper extends HttpServletResponseWrapper {
>-
>- @Override
>- public void setContentType(String ct) {
>-
>- if (ct != null && ct.startsWith("text/") &&
>- ct.indexOf("charset=") < 0) {
>- // Use getCharacterEncoding() in case the charset has already
>- // been set by a separate call.
>- super.setContentType(ct + ";charset=" + getCharacterEncoding());
>- } else {
>- super.setContentType(ct);
>- }
>-
>- }
>-
>- public ResponseWrapper(HttpServletResponse response) {
>- super(response);
>- }
>-
>- }
>+ private transient String encoding;
>+
>+ @Override
>+ public void destroy() {
>+ // NOOP
>+ }
>+
>+ @Override
>+ public void doFilter(ServletRequest request, ServletResponse response,
>+ FilterChain chain) throws IOException, ServletException {
>+
>+ // Wrap the response
>+ if (response instanceof HttpServletResponse) {
>+ ResponseWrapper wrapped = new ResponseWrapper(
>+ (HttpServletResponse) response, encoding);
>+ chain.doFilter(request, wrapped);
>+ } else {
>+ chain.doFilter(request, response);
>+ }
>+ }
>+
>+ @Override
>+ public void init(FilterConfig filterConfig) throws ServletException {
>+ String encoding = filterConfig.getInitParameter("encoding");
>+ if (encoding == null || "".equals(encoding)
>+ || "default".equalsIgnoreCase(encoding)) {
>+ this.encoding = "ISO-8859-1";
>+ } else if ("system".equalsIgnoreCase(encoding)) {
>+ this.encoding = Charset.defaultCharset().name();
>+ } else {
>+ if (Charset.isSupported(encoding)) {
>+ this.encoding = encoding;
>+ } else {
>+ throw new IllegalArgumentException("Charset " + encoding
>+ + " seems not to be supported");
>+ }
>+ }
>+ }
>+
>+ /**
>+ * Wrapper that adds the default character set for text media types if no
>+ * character set is specified.
>+ */
>+ public static class ResponseWrapper extends HttpServletResponseWrapper {
>+
>+ private String currentEncoding;
>+
>+ @Override
>+ public void setCharacterEncoding(String charset) {
>+ super.setCharacterEncoding(charset);
>+ this.currentEncoding = charset;
>+ }
>+
>+ @Override
>+ public void setContentType(String ct) {
>+
>+ if (ct != null && ct.startsWith("text/")
>+ && ct.indexOf("charset=") < 0) {
>+ // set charater set, if it is a text-type content-type and
>+ // character set is not set within content-type
>+ super.setCharacterEncoding(this.currentEncoding);
>+ }
>+ super.setContentType(ct);
>+
>+ }
>+
>+ public ResponseWrapper(HttpServletResponse response,
>+ String defaultEncoding) {
>+ super(response);
>+ if (defaultEncoding == null) {
>+ this.currentEncoding = response.getCharacterEncoding();
>+ } else {
>+ this.currentEncoding = defaultEncoding;
>+ }
>+ }
>+
>+ }
> }
>diff --git a/webapps/docs/config/filter.xml b/webapps/docs/config/filter.xml
>index ac09c49..f0f33ed 100644
>--- a/webapps/docs/config/filter.xml
>+++ b/webapps/docs/config/filter.xml
>@@ -79,8 +79,20 @@
>
> <subsection name="Initialisation parameters">
>
>- <p>The Add Default Character Set Filter does not support any initialization
>- parameters.</p>
>+ <p>The Add Default Character Set Filter supports the following initialization
>+ parameters:</p>
>+
>+ <attributes>
>+
>+ <attribute name="encoding" required="false">
>+ <p>Name of the character set which should be set, if no other character set
>+ was set explicitly by a servlet. This parameter has two special values
>+ <code>default</code> and <code>system</code>. A value of <code>system</code>
>+ uses the jvm wide default character set, which is usually set by locale.
>+ A value of <code>default</code> will use <strong>ISO-8859-1</strong>.</p>
>+ </attribute>
>+
>+ </attributes>
>
> </subsection>
>
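Review bot: In `ResponseWrapper.setContentType` (AddDefaultCharsetFilter.java) the wrapper forces `currentEncoding`, which is only ever updated by the `setCharacterEncoding` override, so a charset the servlet chose through an earlier `setContentType("text/html;charset=UTF-8")` is not remembered and a later `setContentType("text/plain")` replaces it with the filter default. The removed code read `getCharacterEncoding()` for exactly this case, and a declared charset that differs from the one the application encoded and escaped its output for undermines the protection this filter is meant to give. Refreshing the field after the delegate call would keep the two in step, e.g. `if (ct != null && ct.indexOf("charset=") >= 0) { this.currentEncoding = getCharacterEncoding(); }` placed after `super.setContentType(ct);`. The class Javadoc would also benefit from a sentence saying that `system` makes the declared charset depend on the host JVM's default, and its `default` entry spells the charset `ISO-8559-1` where `ISO-8859-1` is presumably meant.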