https://issues.apache.org/activemq/browse/AMQ-2613 - fix XSS security problem in web console

git-svn-id: https://svn.apache.org/repos/asf/activemq/trunk@915269 13f79535-47bb-0310-9956-ffa450edef68

Author: dejanb

activemq-web-console/src/main/webapp/WEB-INF/tags/form/short.tag

@@ -17,6 +17,8 @@
 <%@ attribute name="text" type="java.lang.String" required="true"  %>
 <%@ attribute name="length" type="java.lang.Integer" required="false" %>
 <%
+ text = org.apache.commons.lang.StringEscapeUtils.escapeHtml(text);
+ text = org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(text);
  if (length == null)
     length = 20;
  if (text.length() <= 20) {

activemq-web-console/src/main/webapp/WEB-INF/tags/form/text.tag

@@ -19,10 +19,12 @@
 <%
     String value = request.getParameter(name);
     if (value == null || value.trim().length() == 0) {
-    		value = defaultValue;
-		}
-		if (value == null) {
-			value = "";
-		}
+    	value = defaultValue;
+	}
+	if (value == null) {
+		value = "";
+	}
+	value = org.apache.commons.lang.StringEscapeUtils.escapeHtml(value);
+
 %>
 <input type="text" name="${name}" value="<%= value %>"/>

activemq-web-console/src/main/webapp/browse.jsp

@@ -39,7 +39,7 @@
 <tbody>
 <jms:forEachMessage queueBrowser="${requestContext.queueBrowser.browser}" var="row">
 <tr>
-<td><a href="message.jsp?id=${row.JMSMessageID}&JMSDestination=${requestContext.queueBrowser.JMSDestination}" 
+<td><a href="message.jsp?id=${row.JMSMessageID}&JMSDestination=<c:out value="${requestContext.queueBrowser.JMSDestination}" />" 
     title="${row.properties}">${row.JMSMessageID}</a></td>
 <td>${row.JMSCorrelationID}</td>
 <td><jms:persistent message="${row}"/></td>
@@ -49,15 +49,15 @@
 <td><jms:formatTimestamp timestamp="${row.JMSTimestamp}"/></td>
 <td>${row.JMSType}</td>
 <td>
-    <a href="deleteMessage.action?JMSDestination=${row.JMSDestination}&messageId=${row.JMSMessageID}">Delete</a>
+    <a href="deleteMessage.action?JMSDestination=<c:out value="${row.JMSDestination}"/>&messageId=${row.JMSMessageID}">Delete</a>
 </td>
 </tr>
 </jms:forEachMessage>
 </tbody>
 </table>
 
 <div>
-<a href="queueConsumers.jsp?JMSDestination=${requestContext.queueBrowser.JMSDestination}">View Consumers</a>
+<a href="queueConsumers.jsp?JMSDestination=<c:out value="${requestContext.queueBrowser.JMSDestination}"/>">View Consumers</a>
 </div>
 </body>
 </html>

activemq-web-console/src/main/webapp/message.jsp

@@ -130,24 +130,24 @@ No message could be found for ID ${requestContext.messageQuery.id}
                 </thead>
                 <tbody>
                     <tr>
-                        <td colspan="2"><a href="deleteMessage.action?JMSDestination=${row.JMSDestination}&messageId=${row.JMSMessageID}">Delete</a></td>
+                        <td colspan="2"><a href="deleteMessage.action?JMSDestination=<c:out value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}">Delete</a></td>
                     </tr>
                     <tr class="odd">
-                    <td><a href="javascript:confirmAction('queue', 'copyMessage.action?destination=%target%&JMSDestination=${row.JMSDestination}&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Copy</a></td>
+                    <td><a href="javascript:confirmAction('queue', 'copyMessage.action?destination=%target%&JMSDestination=<c:out value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Copy</a></td>
                         <td rowspan="2">
                             <select id="queue">
                                 <option value=""> -- Please select --</option>
                                 <c:forEach items="${requestContext.brokerQuery.queues}" var="queues">
                                     <c:if test="${queues.name != requestContext.messageQuery.JMSDestination}">
-                                    <option value="${queues.name}"><form:short text="${queues.name}"/></option>
+                                    <option value="<c:out value="${queues.name}" />"><form:short text="${queues.name}"/></option>
                                     </c:if>
                                 </c:forEach>
                             </select>
                         </td>
 
                     </tr>
                     <tr class="odd">
-                        <td><a href="javascript:confirmAction('queue', 'moveMessage.action?destination=%target%&JMSDestination=${row.JMSDestination}&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Move</a></td>
+                        <td><a href="javascript:confirmAction('queue', 'moveMessage.action?destination=%target%&JMSDestination=<c:out value="${row.JMSDestination}" />&messageId=${row.JMSMessageID}&JMSDestinationType=queue')">Move</a></td>
                     </tr>
                 </tbody>
             </table>

activemq-web-console/src/main/webapp/queueConsumers.jsp

@@ -16,11 +16,11 @@
 --%>
 <html>
 <head>
-<title>Consumers for ${requestContext.queueConsumerQuery.JMSDestination}</title>
+<title>Consumers for <c:out value="${requestContext.queueConsumerQuery.JMSDestination}" /></title>
 </head>
 <body>
 
-<h2>Active Consumers for ${requestContext.queueConsumerQuery.JMSDestination}</h2>
+<h2>Active Consumers for <c:out value="${requestContext.queueConsumerQuery.JMSDestination}" /></h2>
 
 <table id="messages" class="sortable autostripe">
 <thead>

activemq-web-console/src/main/webapp/queues.jsp

@@ -48,22 +48,23 @@
 </thead>
 <tbody>
 <c:forEach items="${requestContext.brokerQuery.queues}" var="row">
+
 <tr>
-<td><a href="browse.jsp?JMSDestination=${row.name}"><form:tooltip text="${row.name}" length="50"/></a></td>
+<td><a href="browse.jsp?JMSDestination=<c:out value="${row.name}" />"><form:tooltip text="${row.name}" length="50"/></a></td>
 <td>${row.queueSize}</td>
 <td>${row.consumerCount}</td>
 <td>${row.enqueueCount}</td>
 <td>${row.dequeueCount}</td>
 <td>
-    <a href="browse.jsp?JMSDestination=${row.name}">Browse</a>
-	<a href="queueConsumers.jsp?JMSDestination=${row.name}">Active Consumers</a><br/>
-    <a href="queueBrowse/${row.name}?view=rss&feedType=atom_1.0" title="Atom 1.0"><img src="images/feed_atom.png"/></a>
-    <a href="queueBrowse/${row.name}?view=rss&feedType=rss_2.0" title="RSS 2.0"><img src="images/feed_rss.png"/></a>
+    <a href="browse.jsp?JMSDestination=<c:out value="${row.name}" />">Browse</a>
+	<a href="queueConsumers.jsp?JMSDestination=<c:out value="${row.name}" />">Active Consumers</a><br/>
+    <a href="queueBrowse/<c:out value="${row.name}" />?view=rss&feedType=atom_1.0" title="Atom 1.0"><img src="images/feed_atom.png"/></a>
+    <a href="queueBrowse/<c:out value="${row.name}" />?view=rss&feedType=rss_2.0" title="RSS 2.0"><img src="images/feed_rss.png"/></a>
 </td>
 <td>
-    <a href="send.jsp?JMSDestination=${row.name}&JMSDestinationType=queue">Send To</a>
-    <a href="purgeDestination.action?JMSDestination=${row.name}&JMSDestinationType=queue">Purge</a>
-    <a href="deleteDestination.action?JMSDestination=${row.name}&JMSDestinationType=queue">Delete</a>
+    <a href="send.jsp?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Send To</a>
+    <a href="purgeDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Purge</a>
+    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=queue">Delete</a>
 </td>
 </tr>
 </c:forEach>

activemq-web-console/src/main/webapp/send.jsp

@@ -37,7 +37,7 @@
 	    <label for="JMSDestination">Destination</label>
 	</td>
 	<td>
-	    <form:text name="JMSDestination" defaultValue="foo.bar"/>
+	    <form:text name="JMSDestination" defaultValue="foo.bar" />
 	</td>
 	<td class="label">
 	    <label for="queue">Queue or Topic</label>

activemq-web-console/src/main/webapp/topics.jsp

@@ -46,13 +46,13 @@
 <tbody>
 <c:forEach items="${requestContext.brokerQuery.topics}" var="row">
 <tr>
-<td><a href="send.jsp?JMSDestination=${row.name}&JMSDestinationType=topic"><form:tooltip text="${row.name}" length="50"/></a></td>
+<td><a href="send.jsp?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic"><form:tooltip text="${row.name}" length="50"/></a></td>
 <td>${row.consumerCount}</td>
 <td>${row.enqueueCount}</td>
 <td>${row.dequeueCount}</td>
 <td>
-    <a href="send.jsp?JMSDestination=${row.name}&JMSDestinationType=topic">Send To</a>
-    <a href="deleteDestination.action?JMSDestination=${row.name}&JMSDestinationType=topic">Delete</a>
+    <a href="send.jsp?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic">Send To</a>
+    <a href="deleteDestination.action?JMSDestination=<c:out value="${row.name}" />&JMSDestinationType=topic">Delete</a>
 </td>
 </tr>
 </c:forEach>

activemq-web/src/main/java/org/apache/activemq/web/BrokerFacadeSupport.java

@@ -172,6 +172,7 @@ public Collection<NetworkConnectorViewMBean> getNetworkConnectors() throws Excep
     @SuppressWarnings("unchecked")
     public Collection<SubscriptionViewMBean> getQueueConsumers(String queueName) throws Exception {
         String brokerName = getBrokerName();
+        queueName = StringUtils.replace(queueName, "\"", "_");
         ObjectName query = new ObjectName("org.apache.activemq:BrokerName=" + brokerName
                 + ",Type=Subscription,destinationType=Queue,destinationName=" + queueName + ",*");
         Set<ObjectName> queryResult = getManagementContext().queryNames(query, null);