From 1d88dd3ffaed76188dd4ee32ce77709ce6e153cd Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 2 Dec 2024 16:36:31 +0000
Subject: [PATCH] Obfuscate session cookie values for JSON output as well as
HTML
Origin: https://github.com/apache/tomcat/commit/1d88dd3ffaed76188dd4ee32ce77709ce6e153cd
---
webapps/docs/changelog.xml | 4 ++++
.../WEB-INF/classes/RequestHeaderExample.java | 18 +++++++++++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
|
|
index b01c84f33e48..e32f8c233674 100644
|
|
--- a/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
|
|
+++ b/webapps/examples/WEB-INF/classes/RequestHeaderExample.java
|
|
@@ -73,7 +73,7 @@ protected boolean prefersJSON(String acceptHeader) {
|
|
|
|
// text/html, application/html, etc.
|
|
if (accept.contains("html")) {
|
|
- return false;
|
|
+ return true;
|
|
}
|
|
}
|
|
return false;
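Review bot: After this change an Accept value containing `html` makes prefersJSON return true, so a request whose Accept header lists only `text/html` is now reported as preferring JSON, which reads as the opposite of what the method name promises; confirm this is intended, because a browser client would then be served the JSON rendering instead of the HTML one. If the goal was only to stop scanning further Accept values once an HTML type has been seen, the original `return false;` already did that. The method's signature, the loop that binds `accept` and the preceding json check all presumably lie outside the hunk, so I may be missing a reason for the inversion.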
|
|
@@ -138,8 +138,20 @@ protected void renderJSON(HttpServletRequest request, HttpServletResponse respon
|
|
String headerName = e.nextElement();
|
|
String headerValue = request.getHeader(headerName);
|
|
|
|
- out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"")
|
|
- .append(JSONFilter.escape(headerValue)).append("\"}");
|
|
+ out.append("{\"").append(JSONFilter.escape(headerName)).append("\":\"");
|
|
+
|
|
+
|
|
+ if (headerName.toLowerCase(Locale.ENGLISH).contains("cookie")) {
|
|
+ HttpSession session = request.getSession(false);
|
|
+ String sessionId = null;
|
|
+ if (session != null) {
|
|
+ sessionId = session.getId();
|
|
+ }
|
|
+ out.append(JSONFilter.escape(CookieFilter.filter(headerValue, sessionId)));
|
|
+ } else {
|
|
+ out.append(JSONFilter.escape(headerValue));
|
|
+ }
|
|
+ out.append("\"}");
|
|
|
|
if (e.hasMoreElements()) {
|
|
out.append(',');
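Review bot: The session lookup `HttpSession session = request.getSession(false);` and the `sessionId` derivation are repeated for every header whose name contains `cookie`, although the session cannot change while the headers are being iterated; hoisting those four lines above the loop (its start is outside the hunk) evaluates them once and leaves the per-header branch with just the filter call. A why-comment on the lookup would also help a reader, e.g. `// getSession(false): use the existing session only, never create one just to render the example`. Note that `headerName.toLowerCase(Locale.ENGLISH).contains("cookie")` is a substring test, so any header whose name merely contains that word is routed through CookieFilter; if that deliberately mirrors the HTML renderer it is fine, otherwise `"cookie".equalsIgnoreCase(headerName)` is the narrower check.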
|