fix some servlet issues

1. 'ant clean runserver' fails because we're no longer building the
tools servlet.  in the appengine logs, there are zero uses of the
tools in the past 90 days, so I'm just deleting them from web.xml.
If anyone complains, I can re-enable it and fix the build.

2. In some cases, IE will disbelieve content-type: application/json
and interpret the result as html instead.  This is not particularly
exploitable, since caja.appspot.com has no cookies and no authority,
but if someone deploys the caja servlet to their own host, they
might be vulnerable to the XSS.
- to fix that for IE >= 8, I'm emitting X-Content-Type-Options: nosniff
- to fix that for IE7, I'm rejecting request URLs that contain ';'
- IE6 users lose, they're vulnerable.  Fixing that is complicated
and doesn't seem worth it.

[kpreid1, 2012-06-17 15:07:36]

On Jun 17, 2012, at 10:58, felix8a@gmail.com wrote:

> 2. In some cases, IE will disbelieve content-type: application/json
> and interpret the result as html instead.  This is not particularly
> exploitable, since caja.appspot.com has no cookies and no authority,
> but if someone deploys the caja servlet to their own host, they
> might be vulnerable to the XSS.
> - to fix that for IE >= 8, I'm emitting X-Content-Type-Options: nosniff
> - to fix that for IE7, I'm rejecting request URLs that contain ';'
> - IE6 users lose, they're vulnerable.  Fixing that is complicated
> and doesn't seem worth it.

How about including code comments explaining the hazard, particularly for the
";" test which is mysterious?

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>

[felix8a, 2012-06-17 17:19:53]

> How about including code comments explaining the hazard, particularly for the
> ";" test which is mysterious?

It's stupid, it's not really worth explaining.  I've added a short comment.

If you have a url like http://example.com/foo;bar.html the ";bar.html" is a "URL
path parameter", and some servers do not consider that part of the URL path.  In
particular, all servlet containers will dispatch to whatever servlet handles
/foo, completely ignoring the ;bar.html part.

IE on the other hand thinks the whole thing is the path, so it thinks the URL is
referring to a resource with an .html suffix, and under some circumstances will
ignore the content-type header because it's obviously a mistake, so we'll
pretend you said text/html like you should have.

X-Content-Type-Options: nosniff was invented in the IE8 "I guess we should pay
attention to security" days, because they discovered that turning off content
sniffing broke people's webpages.

The IE6 problem is, it sometimes thinks http://example.com/foo?bar.html is a
resource with a .html suffix.

[ihab.awad, 2012-06-20 22:55:36]

lgtm++ -- just a little comment / suggestion.

http://codereview.appspot.com/6304091/diff/4001/web.xml
File web.xml (left):

http://codereview.appspot.com/6304091/diff/4001/web.xml#oldcode23
web.xml:23:
<servlet-class>com.google.caja.ancillary.servlet.MainServlet</servlet-class>
Can we delete the whole bunch of code from our codebase at this point?

[felix8a, 2012-06-20 23:08:08]

On 2012/06/20 22:55:36, ihab.awad wrote:
> lgtm++ -- just a little comment / suggestion.
> 
> http://codereview.appspot.com/6304091/diff/4001/web.xml
> File web.xml (left):
> 
> http://codereview.appspot.com/6304091/diff/4001/web.xml#oldcode23
> web.xml:23:
> <servlet-class>com.google.caja.ancillary.servlet.MainServlet</servlet-class>
> Can we delete the whole bunch of code from our codebase at this point?

sure, I'll file a separate CL for that

[felix8a, 2012-06-20 23:09:06]

@r4928