Some security scanners (e.g. Nessus) call Sakai URLs like /portal/help/TOCDisplay/content.hlp which results in the help contentservlet throwing an NPE, which is a little annoying as it generates lots of spurious bug reports.
ContentServlet should just return a bad request response, e.g. (untested):
org.sakaiproject.portal.api.PortalHandlerException: java.lang.NullPointerException at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913) caused by: java.lang.NullPointerException at org.sakaiproject.tool.help.ContentServlet.doGet(ContentServlet.java:83) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339) at org.sakaiproject.jsf.util.JsfTool.dispatch(JsfTool.java:138) at org.sakaiproject.tool.help.HelpJsfTool.dispatch(HelpJsfTool.java:96) at org.sakaiproject.jsf.util.JsfTool.doGet(JsfTool.java:242) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339) at org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.forward(ActiveToolComponent.java:513) at org.sakaiproject.portal.charon.SkinnableCharonPortal.forwardTool(SkinnableCharonPortal.java:1518) at org.sakaiproject.portal.charon.handlers.HelpHandler.doHelp(HelpHandler.java:107) at org.sakaiproject.portal.charon.handlers.HelpHandler.doGet(HelpHandler.java:69) at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:722)
Attachments
1
Activity
Show:
Stephen Marquard May 9, 2014 at 5:04 AM
Looks like this is already in 10.x so updating fix version.
Matthew Jones December 3, 2013 at 3:01 PM
Patch committed, thanks
Stephen Marquard December 2, 2013 at 8:00 AM
Patch which applies to trunk. Tested successfully on our 2-9-x system.
Some security scanners (e.g. Nessus) call Sakai URLs like /portal/help/TOCDisplay/content.hlp which results in the help contentservlet throwing an NPE, which is a little annoying as it generates lots of spurious bug reports.
ContentServlet should just return a bad request response, e.g. (untested):
Index: help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java
===================================================================
— help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java (revision 117719)
+++ help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java (working copy)
@@ -70,6 +70,11 @@
getHelpManager().initialize();
String docId = req.getParameter(DOC_ID);
+ if (docId == null) {
+ res.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
+
OutputStreamWriter writer = new OutputStreamWriter(res.getOutputStream(), "UTF-8");
try {
res.setContentType(TEXT_HTML);
2013-12-02 06:40:15,801 INFO http-bio-8082-exec-8 org.sakaiproject.email.impl.BasicEmailService - send: from: "sakai/trunk on Oracle"<no-reply@nightly2.sakaiproject.org> to: subject: Bug Report: 5286C84E9DC6C2DF7B610305B25A62737C395D65 / null headerTo: replyTo: null content: bug-id: c2d6210e-8df3-40c5-8941-0a0b209ddad6
user: null (null)
email: null
usage-session: null
stack-trace-digest: 5286C84E9DC6C2DF7B610305B25A62737C395D65
sakai-version: Revision: 132060
service-version: Built: 12/02/13 04:00
app-server: sakai-nightly.uits.iupui.edu
request-path: /portal/help/TOCDisplay/content.hlp
time: Dec 2, 2013 06:40:15
stack trace:
org.sakaiproject.portal.api.PortalHandlerException: java.lang.NullPointerException
at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913)
caused by: java.lang.NullPointerException
at org.sakaiproject.tool.help.ContentServlet.doGet(ContentServlet.java:83)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at org.sakaiproject.jsf.util.JsfTool.dispatch(JsfTool.java:138)
at org.sakaiproject.tool.help.HelpJsfTool.dispatch(HelpJsfTool.java:96)
at org.sakaiproject.jsf.util.JsfTool.doGet(JsfTool.java:242)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.forward(ActiveToolComponent.java:513)
at org.sakaiproject.portal.charon.SkinnableCharonPortal.forwardTool(SkinnableCharonPortal.java:1518)
at org.sakaiproject.portal.charon.handlers.HelpHandler.doHelp(HelpHandler.java:107)
at org.sakaiproject.portal.charon.handlers.HelpHandler.doGet(HelpHandler.java:69)
at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)