/**
 * Wraps the request in a {@link RequestQuoter}, pins a UTF-8 charset on the
 * response for the content types this filter recognises, copies every entry
 * of {@code headerMap} onto the response, then continues the chain.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the rest of the chain
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  final HttpServletRequestWrapper wrappedRequest =
      new RequestQuoter((HttpServletRequest) request);
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String inferred = inferMimeType(request);
  final String forcedContentType;
  if (inferred == null) {
    forcedContentType = "text/plain; charset=utf-8";
  } else if (inferred.startsWith("text/html")) {
    // HTML without an explicit charset lets the browser guess the encoding;
    // pinning UTF-8 closes the issue described at
    // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    forcedContentType = "text/html; charset=utf-8";
  } else if (inferred.startsWith("application/xml")) {
    forcedContentType = "text/xml; charset=utf-8";
  } else {
    // Any other type is left exactly as the servlet set it.
    forcedContentType = null;
  }
  if (forcedContentType != null) {
    httpResponse.setContentType(forcedContentType);
  }

  headerMap.forEach(httpResponse::addHeader);
  chain.doFilter(wrappedRequest, httpResponse);
}
/**
 * Wraps the request in a {@link RequestQuoter}, pins a UTF-8 charset on the
 * response for the content types this filter recognises, then continues the
 * chain.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the rest of the chain
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  final HttpServletRequestWrapper wrappedRequest =
      new RequestQuoter((HttpServletRequest) request);
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String inferred = inferMimeType(request);
  final String forcedContentType;
  if (inferred == null) {
    forcedContentType = "text/plain; charset=utf-8";
  } else if (inferred.startsWith("text/html")) {
    // HTML without an explicit charset lets the browser guess the encoding;
    // pinning UTF-8 closes the issue described at
    // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    forcedContentType = "text/html; charset=utf-8";
  } else if (inferred.startsWith("application/xml")) {
    forcedContentType = "text/xml; charset=utf-8";
  } else {
    // Any other type is left exactly as the servlet set it.
    forcedContentType = null;
  }
  if (forcedContentType != null) {
    httpResponse.setContentType(forcedContentType);
  }

  chain.doFilter(wrappedRequest, httpResponse);
}
/**
 * Wraps the request in a {@link RequestQuoter}, pins a UTF-8 charset on the
 * response for the content types this filter recognises, then continues the
 * chain.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the rest of the chain
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  final HttpServletRequestWrapper wrappedRequest =
      new RequestQuoter((HttpServletRequest) request);
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String inferred = inferMimeType(request);
  final String forcedContentType;
  if (inferred == null) {
    forcedContentType = "text/plain; charset=utf-8";
  } else if (inferred.startsWith("text/html")) {
    // HTML without an explicit charset lets the browser guess the encoding;
    // pinning UTF-8 closes the issue described at
    // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    forcedContentType = "text/html; charset=utf-8";
  } else if (inferred.startsWith("application/xml")) {
    forcedContentType = "text/xml; charset=utf-8";
  } else {
    // Any other type is left exactly as the servlet set it.
    forcedContentType = null;
  }
  if (forcedContentType != null) {
    httpResponse.setContentType(forcedContentType);
  }

  chain.doFilter(wrappedRequest, httpResponse);
}
/**
 * Wraps the request in a {@link RequestQuoter}, pins a UTF-8 charset on the
 * response for the content types this filter recognises, then continues the
 * chain.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the rest of the chain
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  final HttpServletRequestWrapper wrappedRequest =
      new RequestQuoter((HttpServletRequest) request);
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String inferred = inferMimeType(request);
  final String forcedContentType;
  if (inferred == null) {
    forcedContentType = "text/plain; charset=utf-8";
  } else if (inferred.startsWith("text/html")) {
    // HTML without an explicit charset lets the browser guess the encoding;
    // pinning UTF-8 closes the issue described at
    // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    forcedContentType = "text/html; charset=utf-8";
  } else if (inferred.startsWith("application/xml")) {
    forcedContentType = "text/xml; charset=utf-8";
  } else {
    // Any other type is left exactly as the servlet set it.
    forcedContentType = null;
  }
  if (forcedContentType != null) {
    httpResponse.setContentType(forcedContentType);
  }

  chain.doFilter(wrappedRequest, httpResponse);
}
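/**
 * Wraps the request in a {@link RequestQuoter}, pins a UTF-8 charset on the
 * response for the content types this filter recognises, optionally emits an
 * {@code X-FRAME-OPTIONS} header from the filter's init parameters, then
 * continues the chain.
 *
 * <p>The header value is read from the {@code X_FRAME_VALUE} init parameter
 * on every request. If the feature is enabled but that parameter is missing
 * or blank the request is rejected with a {@link ServletException} instead of
 * sending a header with a {@code null} value, which would quietly disable the
 * protection the operator switched on.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the rest of the chain
 * @throws ServletException if {@code X_FRAME_ENABLED} is true but
 *                          {@code X_FRAME_VALUE} is unset, or when propagated
 *                          from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
  final HttpServletRequestWrapper quoted =
      new RequestQuoter((HttpServletRequest) request);
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String mime = inferMimeType(request);
  if (mime == null) {
    httpResponse.setContentType("text/plain; charset=utf-8");
  } else if (mime.startsWith("text/html")) {
    // HTML without an explicit charset lets the browser guess the encoding;
    // pinning UTF-8 closes the issue described at
    // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
    httpResponse.setContentType("text/html; charset=utf-8");
  } else if (mime.startsWith("application/xml")) {
    httpResponse.setContentType("text/xml; charset=utf-8");
  }

  // parseBoolean(null) is false, so an absent X_FRAME_ENABLED means "off".
  if (Boolean.parseBoolean(this.config.getInitParameter(X_FRAME_ENABLED))) {
    final String frameOption = this.config.getInitParameter(X_FRAME_VALUE);
    if (frameOption == null || frameOption.trim().isEmpty()) {
      // Fail closed: a missing value would otherwise be added as "null".
      throw new ServletException(X_FRAME_ENABLED + " is true but "
          + X_FRAME_VALUE + " has no value");
    }
    httpResponse.addHeader("X-FRAME-OPTIONS", frameOption);
  }

  chain.doFilter(quoted, httpResponse);
}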
/**
 * Pins the pass-through contract of {@code RequestQuoter}: single and
 * multi-valued parameters come back exactly as the wrapped request returns
 * them, and absent parameters yield {@code null} rather than an NPE.
 */
@Test
public void testRequestQuoting() throws Exception {
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  final HttpServer2.QuotingInputFilter.RequestQuoter quoter =
      new HttpServer2.QuotingInputFilter.RequestQuoter(delegate);

  // Single value: returned verbatim.
  Mockito.when(delegate.getParameter("x")).thenReturn("a<b");
  assertEquals("Test simple param quoting", "a<b", quoter.getParameter("x"));

  // Missing single value: null, no exception.
  Mockito.when(delegate.getParameter("x")).thenReturn(null);
  assertEquals("Test that missing parameters dont cause NPE",
      null, quoter.getParameter("x"));

  // Multi-valued: returned verbatim, element for element.
  final String[] multi = {"a<b", "b"};
  Mockito.when(delegate.getParameterValues("x")).thenReturn(multi);
  assertArrayEquals("Test escaping of an array",
      new String[] {"a<b", "b"}, quoter.getParameterValues("x"));

  // Missing multi-valued: null, no exception.
  Mockito.when(delegate.getParameterValues("x")).thenReturn(null);
  assertArrayEquals("Test that missing parameters dont cause NPE for array",
      null, quoter.getParameterValues("x"));
}
}
/**
 * Pins the pass-through contract of {@code RequestQuoter}: single and
 * multi-valued parameters come back exactly as the wrapped request returns
 * them, and absent parameters yield {@code null} rather than an NPE.
 */
@Test
public void testRequestQuoting() throws Exception {
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  final HttpServer2.QuotingInputFilter.RequestQuoter quoter =
      new HttpServer2.QuotingInputFilter.RequestQuoter(delegate);

  // Single value: returned verbatim.
  Mockito.when(delegate.getParameter("x")).thenReturn("a<b");
  assertEquals("Test simple param quoting", "a<b", quoter.getParameter("x"));

  // Missing single value: null, no exception.
  Mockito.when(delegate.getParameter("x")).thenReturn(null);
  assertEquals("Test that missing parameters dont cause NPE",
      null, quoter.getParameter("x"));

  // Multi-valued: returned verbatim, element for element.
  final String[] multi = {"a<b", "b"};
  Mockito.when(delegate.getParameterValues("x")).thenReturn(multi);
  assertArrayEquals("Test escaping of an array",
      new String[] {"a<b", "b"}, quoter.getParameterValues("x"));

  // Missing multi-valued: null, no exception.
  Mockito.when(delegate.getParameterValues("x")).thenReturn(null);
  assertArrayEquals("Test that missing parameters dont cause NPE for array",
      null, quoter.getParameterValues("x"));
}
}
/** A non-null value array from the wrapped request is returned unchanged. */
@Test
public void testRequestQuoterWithNotNull() throws Exception {
  final String[] expected = {"abc", "def"};
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  Mockito.when(delegate.getParameterValues("dummy")).thenReturn(expected);

  final String[] actual = new RequestQuoter(delegate).getParameterValues("dummy");

  Assert.assertArrayEquals("It should return Parameter Values", expected, actual);
}
/** A parameter the wrapped request does not know yields {@code null}, not an NPE. */
@Test
public void testRequestQuoterWithNull() throws Exception {
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  Mockito.when(delegate.getParameterValues("dummy")).thenReturn(null);

  final RequestQuoter quoter = new RequestQuoter(delegate);

  Assert.assertNull(
      "It should return null when there are no values for the parameter",
      quoter.getParameterValues("dummy"));
}
/** A non-null value array from the wrapped request is returned unchanged. */
@Test
public void testRequestQuoterWithNotNull() throws Exception {
  final String[] expected = {"abc", "def"};
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  Mockito.when(delegate.getParameterValues("dummy")).thenReturn(expected);

  final String[] actual = new RequestQuoter(delegate).getParameterValues("dummy");

  Assert.assertArrayEquals("It should return Parameter Values", expected, actual);
}
/** A parameter the wrapped request does not know yields {@code null}, not an NPE. */
@Test
public void testRequestQuoterWithNull() throws Exception {
  final HttpServletRequest delegate = Mockito.mock(HttpServletRequest.class);
  Mockito.when(delegate.getParameterValues("dummy")).thenReturn(null);

  final RequestQuoter quoter = new RequestQuoter(delegate);

  Assert.assertNull(
      "It should return null when there are no values for the parameter",
      quoter.getParameterValues("dummy"));
}