Description
LogLevelServlet.java has the following code:

```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      // logName is escaped before it is written into the page
      out.write(String.format(FORMS_GET, escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET, escapeHtml(logName), level, level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      // the raw, unvalidated "level" parameter is echoed into the error page
      response.sendError(HttpServletResponse.SC_BAD_REQUEST,
          "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
```
As a result, the untrusted HTTP parameter "level" is written verbatim into the servlet error page through response.sendError(). Note that "log" is passed through escapeHtml() on the success paths, but "level" is not escaped on the error path, where it has not passed isLogLevelValid() and can contain arbitrary characters. Echoing untrusted input into an error message is bad practice; whether it is exploitable as reflected XSS depends on how the servlet container renders the error page, but escaping the value before handing it to sendError() removes that dependency. For best practice, we should escape the input string.
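The following is an added example, not code from the issue or from the project: it puts the vulnerable message construction beside the escaped version so the difference can be seen on a constructed attacker-controlled value. The escapeHtml() helper and the simplified isLogLevelValid() here are assumptions standing in for the servlet's own versions (the servlet's escapeHtml is assumed to be the commons-lang implementation, and its validity check compares the input against Level.toLevel(level).toString()).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: vulnerable vs. escaped construction of the
// "Invalid log level" error message that the servlet passes to sendError().
public class LogLevelErrorMessageDemo {

    // Hypothetical simplified validity check (assumption); the servlet's
    // real check round-trips the value through Level.toLevel().
    private static final Set<String> VALID_LEVELS = new HashSet<>(Arrays.asList(
        "ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"));

    static boolean isLogLevelValid(String level) {
        return level != null && VALID_LEVELS.contains(level.toUpperCase());
    }

    // Minimal HTML escaper (assumption) standing in for the escapeHtml()
    // the servlet already applies to the "log" parameter.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before: the untrusted parameter is concatenated verbatim, which is
    // what the servlet does on the error path.
    static String unsafeInvalidLevelMessage(String level) {
        return "Invalid log level: " + level;
    }

    // After: the parameter is escaped before it reaches sendError().
    static String safeInvalidLevelMessage(String level) {
        return "Invalid log level: " + escapeHtml(level);
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value for the ?level= parameter.
        String level = "<script>alert(document.cookie)</script>";
        if (!isLogLevelValid(level)) {
            System.out.println("unsafe: " + unsafeInvalidLevelMessage(level));
            System.out.println("safe:   " + safeInvalidLevelMessage(level));
        }
    }
}
```

Running main prints the raw script tag in the unsafe message and the &lt;/&gt;-escaped form in the safe one; in the servlet, the fix is the one-line change of passing escapeHtml(level) instead of level to sendError(). The validated branch can keep using the raw value, since a value that passes the Level.toLevel() round-trip check cannot contain markup.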
Attachments