Tomcat 5.5.20で試す。
どうもjasperさんが怪しい。
<html> <head> </head> <body> Hello! </body> </html>
Tomcatに配備してJSPコンパイルすると、
// Excerpt of the servlet method Jasper generated for the JSP above.
// The listing stops inside the try block; the rest of the method is not shown.
public void _jspService(HttpServletRequest request, HttpServletResponse response)
throws java.io.IOException, ServletException {
JspFactory _jspxFactory = null;
PageContext pageContext = null;
HttpSession session = null;
ServletContext application = null;
ServletConfig config = null;
JspWriter out = null;
Object page = this;
JspWriter _jspx_out = null;
PageContext _jspx_page_context = null;
try {
_jspxFactory = JspFactory.getDefaultFactory();
response.setContentType("text/html");
// JspFactory.getPageContext(servlet, request, response, errorPageURL,
//                           needsSession, buffer, autoflush)
// The fifth argument (needsSession) is true, so initialising the page context
// calls request.getSession() and creates a session on the first hit to the JSP.
// This follows the JSP page directive, whose "session" attribute defaults to true;
// a page that declares <%@ page session="false" %> is compiled with false here.
// Because a session can exist before login, session-fixation defences should issue
// a new session ID at authentication rather than assume none exists beforehand.
pageContext = _jspxFactory.getPageContext(this, request, response,
null, true, 8192, true);
JSPを呼んだら、即セッションが生成されてしまうな(上の getPageContext の第5引数 needsSession に true が渡されている)。これって仕様なんだろうか。Session Fixation対策とか、こういう実装を前提に考えないとまずいんかなぁ。それとも単にJasperの脆弱性ってことなんだろうか。
あれ?
なんかStruts2は無実のような...
2006-11-30 21:59:32.562::WARN: Exception initializing page context
java.lang.RuntimeException: getSession() called.
at TrapFilter$1.getSession(TrapFilter.java:23)
at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:224)
at org.apache.jasper.runtime.PageContextImpl._initialize(PageContextImpl.java:172)
at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:146)
罠を仕掛ける。
/**
 * Diagnostic servlet filter that reveals which code creates an HTTP session.
 *
 * <p>Every request is wrapped so that an attempt to create a session, via
 * {@code getSession()} or {@code getSession(true)}, throws a
 * {@link RuntimeException}; the stack trace then names the caller.
 * {@code getSession(false)} is delegated to the wrapped request unchanged.
 *
 * <p>Debugging aid only: while this filter is mapped, any request whose
 * handling asks for a new session fails with the exception above.
 */
public class TrapFilter implements Filter {

    /** Nothing to set up. */
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Substitutes a session-trapping wrapper for the request and continues the chain.
     *
     * @param request incoming request; cast to {@link HttpServletRequest} without a type check
     * @param response response passed through untouched
     * @param chain remaining filters and the target resource
     * @throws IOException propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest original = (HttpServletRequest) request;

        // Kept as the first anonymous class so stack frames still read TrapFilter$1.
        HttpServletRequest trapped = new HttpServletRequestWrapper(original) {
            public HttpSession getSession() {
                // The no-argument form creates a session when none exists, so trap it.
                throw new RuntimeException("getSession() called.");
            }

            public HttpSession getSession(boolean create) {
                if (!create) {
                    // A pure lookup is passed straight through to the wrapped request.
                    return super.getSession(create);
                }
                throw new RuntimeException("getSession(true) called.");
            }
        };

        chain.doFilter(trapped, response);
    }

    /** Nothing to release. */
    public void destroy() {
    }
}








