package com.test;
// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3)
// Source File Name: BadInputFilter.java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.Writer;
import java.lang.reflect.Method;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
public class BadInputFilter
implements Filter
{
// Logger for this filter. NOTE(review): the category string is the book's
// valve name ("com/oreilly/tomcat/valve/BadInputFilter"), not this class's
// package (com.test, line 1), so its output is filed under a foreign category.
private static Log log = LogFactory.getLog("com/oreilly/tomcat/valve/BadInputFilter");
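/**
 * Creates a filter with every escape option off and no allow/deny patterns.
 * The three escape tables are filled here; each is copied into
 * {@code parameterEscapes} only when its setter is switched on.
 *
 * The replacement values are HTML character references. In the listing this
 * file was taken from they had been rendered back into the literal characters
 * they stand for (e.g. {@code """} and {@code "'" -> "'"}), which does not
 * compile and would make every "escape" a no-op; reference forms are
 * reconstructed here.
 */
public BadInputFilter()
{
    escapeQuotes = false;
    escapeAngleBrackets = false;
    escapeJavaScript = false;
    // Field types are declared outside this block, so they are kept raw here.
    quotesHashMap = new HashMap();
    angleBracketsHashMap = new HashMap();
    javaScriptHashMap = new HashMap();
    allow = null;
    allows = new Pattern[0];
    denies = new Pattern[0];
    deny = null;
    parameterEscapes = new HashMap();
    // Quote characters -> character references.
    quotesHashMap.put("\"", "&quot;");
    quotesHashMap.put("'", "&#39;");
    quotesHashMap.put("`", "&#96;");
    // Angle brackets -> character references.
    angleBracketsHashMap.put("<", "&lt;");
    angleBracketsHashMap.put(">", "&gt;");
    // JavaScript fragments: the regex key matches the fragment, the value
    // re-emits it with one character turned into a reference so it no longer
    // parses as script; "$1" carries through whitespace matched before "(".
    javaScriptHashMap.put("document(.*)\\.(.*)cookie", "document&#46;cookie");
    javaScriptHashMap.put("eval(\\s*)\\(", "eval&#40;");
    javaScriptHashMap.put("setTimeout(\\s*)\\(", "setTimeout$1&#40;");
    javaScriptHashMap.put("setInterval(\\s*)\\(", "setInterval$1&#40;");
    // The original value read "exexScript"; the key matches "execScript".
    javaScriptHashMap.put("execScript(\\s*)\\(", "execScript$1&#40;");
    javaScriptHashMap.put("(?i)javascript(?-i):", "javascript&#58;");
}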
/**
 * Reports whether quote escaping is switched on.
 *
 * @return the current value of the escapeQuotes option
 */
public boolean getEscapeQuotes()
{
    return this.escapeQuotes;
}
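/**
 * Switches quote escaping on or off.
 *
 * @param escapeQuotes {@code true} to add the quote table to the active
 *        escapes, {@code false} to remove it again
 */
public void setEscapeQuotes(boolean escapeQuotes)
{
    this.escapeQuotes = escapeQuotes;
    if(escapeQuotes)
    {
        parameterEscapes.putAll(quotesHashMap);
    }
    else
    {
        // Switching the option off must undo what switching it on did;
        // the original only ever added entries, so a true->false toggle
        // left the escapes active while the getter reported them off.
        parameterEscapes.keySet().removeAll(quotesHashMap.keySet());
    }
}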
/**
 * Reports whether angle-bracket escaping is switched on.
 *
 * @return the current value of the escapeAngleBrackets option
 */
public boolean getEscapeAngleBrackets()
{
    return this.escapeAngleBrackets;
}
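/**
 * Switches angle-bracket escaping on or off.
 *
 * @param escapeAngleBrackets {@code true} to add the angle-bracket table to
 *        the active escapes, {@code false} to remove it again
 */
public void setEscapeAngleBrackets(boolean escapeAngleBrackets)
{
    this.escapeAngleBrackets = escapeAngleBrackets;
    if(escapeAngleBrackets)
    {
        parameterEscapes.putAll(angleBracketsHashMap);
    }
    else
    {
        // Undo the putAll on toggle-off; the original only ever added.
        parameterEscapes.keySet().removeAll(angleBracketsHashMap.keySet());
    }
}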
/**
 * Reports whether JavaScript-fragment escaping is switched on.
 *
 * @return the current value of the escapeJavaScript option
 */
public boolean getEscapeJavaScript()
{
    return this.escapeJavaScript;
}
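/**
 * Switches JavaScript-fragment escaping on or off.
 *
 * @param escapeJavaScript {@code true} to add the JavaScript table to the
 *        active escapes, {@code false} to remove it again
 */
public void setEscapeJavaScript(boolean escapeJavaScript)
{
    this.escapeJavaScript = escapeJavaScript;
    if(escapeJavaScript)
    {
        parameterEscapes.putAll(javaScriptHashMap);
    }
    else
    {
        // Undo the putAll on toggle-off; the original only ever added.
        parameterEscapes.keySet().removeAll(javaScriptHashMap.keySet());
    }
}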
/**
 * Returns the allow pattern string as last passed to {@link #setAllow}.
 *
 * @return the allow string, or {@code null} if none was set
 */
public String getAllow()
{
    return this.allow;
}
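/**
 * Sets the allow pattern string and compiles it via {@code precalculate}
 * (defined elsewhere in this file).
 *
 * @param allow the allow string, or {@code null} for no allow patterns
 */
public void setAllow(String allow)
{
    this.allow = allow;
    allows = precalculate(allow);
    // Log the value actually set (the original appended the deny list here),
    // and only once init() has supplied a ServletContext; a container or test
    // may call this setter earlier.
    if(servletContext != null)
    {
        servletContext.log("BadInputFilter: allow = " + allow);
    }
}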
/**
 * Returns the deny pattern string as last passed to {@link #setDeny}.
 *
 * @return the deny string, or {@code null} if none was set
 */
public String getDeny()
{
    return this.deny;
}
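/**
 * Sets the deny pattern string and compiles it via {@code precalculate}
 * (defined elsewhere in this file).
 *
 * @param deny the deny string, or {@code null} for no deny patterns
 */
public void setDeny(String deny)
{
    this.deny = deny;
    denies = precalculate(deny);
    // Only log once init() has supplied a ServletContext; a container or test
    // may call this setter earlier and the original would have thrown NPE.
    if(servletContext != null)
    {
        servletContext.log("BadInputFilter: deny = " + deny);
    }
}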
/**
 * Reads the init parameters "allow", "deny", "escapeQuotes",
 * "escapeAngleBrackets" and "escapeJavaScript" and applies each through its
 * setter. The servlet context is captured first because the allow/deny
 * setters log through it. Boolean parameters are applied only when present.
 *
 * @param filterConfig configuration supplied by the container
 * @throws ServletException declared by {@link Filter#init}
 */
public void init(FilterConfig filterConfig)
throws ServletException
{
    servletContext = filterConfig.getServletContext();
    setAllow(filterConfig.getInitParameter("allow"));
    setDeny(filterConfig.getInitParameter("deny"));
    String quotesParam = filterConfig.getInitParameter("escapeQuotes");
    if(quotesParam != null)
    {
        setEscapeQuotes(Boolean.parseBoolean(quotesParam));
    }
    String bracketsParam = filterConfig.getInitParameter("escapeAngleBrackets");
    if(bracketsParam != null)
    {
        setEscapeAngleBrackets(Boolean.parseBoolean(bracketsParam));
    }
    String scriptParam = filterConfig.getInitParameter("escapeJavaScript");
    if(scriptParam != null)
    {
        setEscapeJavaScript(Boolean.parseBoolean(scriptParam));
    }
    servletContext.log(toString() + " initialized.");
}
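/**
 * Entry point for each request. Non-HTTP exchanges are passed through
 * untouched. For HTTP exchanges the parameters are checked against the
 * allow/deny patterns; if they pass, the configured escapes are applied and
 * the chain is invoked exactly once with the response wrapped in a
 * {@code CachedResponseWrapper}. If they fail, the check has already sent a
 * 403 and the chain is not invoked.
 *
 * The original invoked the chain twice for an accepted request (once with
 * the bare response, once with the wrapper), invoked it even after a 403 had
 * been sent, and swallowed chain exceptions with printStackTrace().
 *
 * @param request     the incoming request
 * @param response    the outgoing response
 * @param filterChain the remainder of the chain
 * @throws IOException      from the check, the response or the chain
 * @throws ServletException from the check or the chain
 */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
throws IOException, ServletException
{
    // Must precede any parameter access so the body is decoded as UTF-8.
    request.setCharacterEncoding("UTF-8");
    // Per-request tracing belongs at debug, not warn.
    if(log.isDebugEnabled())
    {
        log.debug("doFilter " + request);
    }
    if(!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse))
    {
        filterChain.doFilter(request, response);
        return;
    }
    if(!processAllowsAndDenies(request, response))
    {
        // A 403 has already been sent by the check.
        return;
    }
    filterParameters(request);
    // NOTE(review): nothing in the visible part of this file reads the
    // wrapper's cached output — confirm the wrapper is still needed.
    CachedResponseWrapper wrapper = new CachedResponseWrapper((HttpServletResponse) response);
    filterChain.doFilter(request, wrapper);
}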
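/**
 * Checks every parameter name and value of the request against the
 * allow/deny patterns via {@link #checkAllowsAndDenies}.
 *
 * The listing this came from had replaced {@code request.getParameterMap()}
 * with a hard-coded one-entry map, so the patterns were only ever applied to
 * the constant "^\w+$" and to the values of a parameter literally named that;
 * real request input never reached the deny list. The request's own
 * parameter names are enumerated here.
 *
 * @param request  the request whose parameters are checked
 * @param response passed through so a failing check can send 403
 * @return {@code true} if nothing was rejected; {@code false} as soon as one
 *         check fails (that check has already sent the 403)
 * @throws IOException      from {@code sendError}
 * @throws ServletException propagated from the check
 */
public boolean processAllowsAndDenies(ServletRequest request, ServletResponse response)
throws IOException, ServletException
{
    request.setCharacterEncoding("UTF-8");
    // Wildcard Enumeration compiles against both raw (pre-3.0) and generic
    // servlet APIs.
    for(Enumeration<?> names = request.getParameterNames(); names.hasMoreElements();)
    {
        String name = (String) names.nextElement();
        if(!checkAllowsAndDenies(name, response))
        {
            return false;
        }
        String[] values = request.getParameterValues(name);
        if(values == null)
        {
            continue;
        }
        for(int i = 0; i < values.length; i++)
        {
            if(!checkAllowsAndDenies(values[i], response))
            {
                return false;
            }
        }
    }
    return true;
}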
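/**
 * Applies the deny patterns, then the allow patterns, to one string.
 *
 * Decision rules, unchanged from the original: no patterns at all accepts
 * everything; any deny match rejects; otherwise any allow match accepts; a
 * deny-only configuration accepts what nothing denied; an allow-only or
 * mixed configuration rejects what nothing allowed. A rejection sends 403
 * when the response is HTTP.
 *
 * Fixed here: a deny match on a non-HTTP response previously fell through
 * into the allow loop and could end up accepted; and a {@code null} property
 * would have thrown from {@code Matcher} instead of being checked.
 *
 * @param property a parameter name or value; {@code null} is checked as ""
 * @param response used only to send the 403
 * @return {@code true} to accept, {@code false} to reject
 * @throws IOException      from {@code sendError}
 * @throws ServletException kept from the original signature; not thrown here
 */
public boolean checkAllowsAndDenies(String property, ServletResponse response)
throws IOException, ServletException
{
    if(denies.length == 0 && allows.length == 0)
    {
        return true;
    }
    String subject = property == null ? "" : property;
    for(int i = 0; i < denies.length; i++)
    {
        if(denies[i].matcher(subject).find())
        {
            sendForbidden(response);
            return false;
        }
    }
    for(int i = 0; i < allows.length; i++)
    {
        if(allows[i].matcher(subject).find())
        {
            return true;
        }
    }
    if(allows.length == 0)
    {
        // Only deny patterns are configured and none matched.
        return true;
    }
    sendForbidden(response);
    return false;
}
/** Sends 403 when the response is HTTP; for any other response there is nothing to send. */
private static void sendForbidden(ServletResponse response) throws IOException
{
    if(response instanceof HttpServletResponse)
    {
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}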
public void filterParameters(ServletRequest request)
{
Map paramMap = ((HttpServletRequest)request).getParameterMap();
try
{
if(setLockedMethod == null)
setLockedMethod = paramMap.getClass().getMethod("setLocked", new Class[] {
Boolean.TYPE
});
setLockedMethod.invoke(paramMap, new Object[] {
Boolean.FALSE
});
}
catch(Exception e)
{