gatein SVN: r7404 - in epp/portal/branches/EPP_5_2_Branch: distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets and 1 other directories.
by do-not-reply@jboss.org
Author: theute
Date: 2011-09-14 04:05:34 -0400 (Wed, 14 Sep 2011)
New Revision: 7404
Added:
epp/portal/branches/EPP_5_2_Branch/distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets/
epp/portal/branches/EPP_5_2_Branch/distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets/oauthkey.pem
Modified:
epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoContainerConfig.java
epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoDefaultSecurityTokenGenerator.java
epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoOAuthModule.java
Log:
JBEPP-1167: Gadgets dont work under loadbalancing
Added: epp/portal/branches/EPP_5_2_Branch/distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets/oauthkey.pem
===================================================================
--- epp/portal/branches/EPP_5_2_Branch/distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets/oauthkey.pem (rev 0)
+++ epp/portal/branches/EPP_5_2_Branch/distribution/jboss-epp/serverAddon/src/main/resources/conf/gatein/gadgets/oauthkey.pem 2011-09-14 08:05:34 UTC (rev 7404)
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
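Review bot: An unencrypted private key (going by its `BEGIN PRIVATE KEY` header) is now in version control and in the serverAddon distribution, so every installation that keeps this default shares one OAuth signing key. That key is also readable by anyone who has the source or the package. The nodes of one cluster do need a common key for the load-balancing fix, but it should be generated per deployment and copied to that cluster's nodes, not shipped as a product-wide default. I would remove the file from the tree, document the generation step instead, and treat this key as disclosed on any system that has already used it.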
Modified: epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoContainerConfig.java
===================================================================
--- epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoContainerConfig.java 2011-09-14 08:03:19 UTC (rev 7403)
+++ epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoContainerConfig.java 2011-09-14 08:05:34 UTC (rev 7404)
@@ -29,8 +29,9 @@
import org.apache.shindig.config.ContainerConfigException;
import org.apache.shindig.config.JsonContainerConfig;
import org.apache.shindig.expressions.Expressions;
+import org.exoplatform.commons.utils.PropertyManager;
import org.exoplatform.commons.utils.Safe;
-import org.exoplatform.container.monitor.jvm.J2EEServerInfo;
+import org.exoplatform.container.RootContainer;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
@@ -42,19 +43,19 @@
import java.security.SecureRandom;
/**
- * <p>The goal of the container config subclass is to integrate security key file along
+ * <p>The goal of the container config subclass is to integrate security key files along
* with exo configuration.</p>
- *
- * <p>The implementation first determine the most relevant directory for performing the key lookup.
- * It will look for a <i>gadgets</i> directory under the configuration directory returned by the
- * {@link org.exoplatform.container.monitor.jvm.J2EEServerInfo#getExoConfigurationDirectory()}
- * method. If no such valid directory can be found then the implementation use the current execution directory
+ * <p>
+ * The implementation first determine the most relevant locations of key files for performing the lookup.
+ * Ideally it will take ones configured as properties <i>gatein.gadgets.securityTokenKeyFile</i>
+ * and <i>gatein.gadgets.signingKeyFile</i> in the <i>configuration.properties</i>.
+ * If these properties are not configured, then the implementation uses the current execution directory
* (which should be /bin in tomcat and jboss).</p>
*
- * <p>When the lookup directory is determined, the implementation looks for a file named key.txt.
- * If no such file is found, then it will attempt to create it with a base 64 value encoded from
+ * <p>When the lookup file locations are determined, the implementation looks for these key files.
+ * If no such files are found, then it will attempt to create them with a base 64 value encoded from
* a 32 bytes random sequence generated by {@link SecureRandom} seeded by the current time. If the
- * file exist already but is a directory then no acton is done.<p>
+ * file exist already but is a directory then no action is done.<p>
*
* @author <a href="mailto:julien.viet@exoplatform.com">Julien Viet</a>
* @version $Revision$
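Review bot: The rewritten class comment says a missing key file is created from a base 64 encoded 32-byte random value, and with this commit that also covers the signing key, because `initializeSigningKeyFile()` (later hunk) sends `oauthkey.pem` through the same `initializeKeyFile`/`generateKey()` path. A random base 64 string is not a PEM private key, so the generated file would presumably be rejected when `ExoOAuthModule` loads it (the loader is not visible here), and each node would generate a different one in any case. I would generate only the token key and, for the signing key, log an error and leave `signingKey_` unset when the file is absent, with the comment saying so: `* The signing key file is never generated; it must be provided by the administrator.` The phrase "seeded by the current time" should also be checked against `generateKey()`, which is outside this diff: if the time is the only seed, the generated key is predictable.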
@@ -69,7 +70,8 @@
private Log log = ExoLogger.getLogger(ExoContainerConfig.class);
/** . */
- private static volatile String _keyPath;
+ private static volatile String tokenKey_;
+ private String signingKey_;
@Inject
public ExoContainerConfig(@Named("shindig.containers.default") String s, Expressions expressions)
@@ -77,109 +79,134 @@
{
super(s, expressions);
- //
- J2EEServerInfo info = new J2EEServerInfo();
+ // This ensures RootContainer initialized first
+ // to populate properties in configuration.properties into PropertyManager
+ RootContainer.getInstance();
+
+ initializeTokenKeyFile();
+ initializeSigningKeyFile();
+ }
+
+ private void initializeTokenKeyFile()
+ {
+ String keyPath = PropertyManager.getProperty("gatein.gadgets.securityTokenKeyFile");
+
+ File tokenKeyFile = null;
+ if (keyPath == null)
+ {
+ log.warn("The gadgets token key is not configured. The default key.txt file in /bin will be used");
+ tokenKeyFile = new File("key.txt");
+ }
+ else
+ {
+ tokenKeyFile = new File(keyPath);
+ }
+
+ boolean isCreated = initializeKeyFile(tokenKeyFile);
+ if (isCreated)
+ {
+ setTokenKeyPath(tokenKeyFile.getAbsolutePath());
+ }
+ }
- //
- String confPath = info.getExoConfigurationDirectory();
-
- File keyFile = null;
- if (confPath != null)
+ private void initializeSigningKeyFile()
+ {
+ String signingKey = PropertyManager.getProperty("gatein.gadgets.signingKeyFile");
+
+ File signingKeyFile;
+ if (signingKey == null)
{
- File confDir = new File(confPath);
- if (!confDir.exists())
+ log.warn("The gadgets signing key is not configured. The default oauthkey.pem file in /bin will be used");
+ signingKeyFile = new File("oauthkey.pem");
+ }
+ else
+ {
+ signingKeyFile = new File(signingKey);
+ }
+
+ boolean isCreated = initializeKeyFile(signingKeyFile);
+ if (isCreated)
+ {
+ signingKey_ = signingKeyFile.getAbsolutePath();
+ }
+ }
+
+ private boolean initializeKeyFile(File file)
+ {
+ String keyPath = file.getAbsolutePath();
+ if (file.exists())
+ {
+ if (file.isFile())
{
- log.debug("Exo conf directory (" + confPath + ") does not exist");
+ log.info("Found key file " + keyPath + " for gadgets security");
}
else
{
- if (!confDir.isDirectory())
- {
- log.debug("Exo conf directory (" + confPath + ") is not a directory");
- }
- else
- {
- keyFile = new File(confDir, "gadgets/key.txt");
- }
+ log.error("Found path file " + keyPath + " but it's not a key file");
}
}
-
- if (keyFile == null)
+ else
{
- keyFile = new File("key.txt");
- }
-
- String keyPath = keyFile.getAbsolutePath();
-
- if (!keyFile.exists())
- {
- log.debug("No key file found at path " + keyPath + " generating a new key and saving it");
- File fic = keyFile.getAbsoluteFile();
+ log.debug("No key file found at path " + keyPath + ". it's generating a new key and saving it");
+ File fic = file.getAbsoluteFile();
File parentFolder = fic.getParentFile();
- if (!parentFolder.exists())
- parentFolder.mkdirs();
+ if (!parentFolder.exists()) {
+ if (!parentFolder.mkdirs())
+ {
+ log.error("Coult not create parent folder/s for the key file " + keyPath);
+ return false;
+ }
+ }
String key = generateKey();
Writer out = null;
try
{
- out = new FileWriter(keyFile);
+ out = new FileWriter(file);
out.write(key);
out.write('\n');
- log.info("Generated key file " + keyPath + " for eXo Gadgets");
- setKeyPath(keyPath);
+ log.debug("Generated key file " + keyPath + " for eXo Gadgets");
}
catch (IOException e)
{
- log.error("Coult not create key file " + keyPath, e);
+ log.error("Could not create key file " + keyPath, e);
+ return false;
}
finally
{
Safe.close(out);
}
}
- else if (!keyFile.isFile())
- {
- log.debug("Found key file " + keyPath + " but it's not a file");
- }
- else
- {
- log.info("Found key file " + keyPath + " for gadgets security");
- setKeyPath(keyPath);
- }
+ return true;
}
-
- private void setKeyPath(String keyPath)
+
+ private void setTokenKeyPath(String keyPath)
{
// _keyPath is volatile so no concurrent writes and read are safe
synchronized (ExoContainerConfig.class)
{
- if (_keyPath != null && !_keyPath.equals(keyPath))
+ if (tokenKey_ != null && !tokenKey_.equals(keyPath))
{
- throw new IllegalStateException("There is already a configured key path old=" + _keyPath + " new="
+ throw new IllegalStateException("There is already a configured key path old=" + tokenKey_ + " new="
+ keyPath);
}
- _keyPath = keyPath;
+ tokenKey_ = keyPath;
}
}
@Override
public Object getProperty(String container, String property)
{
- if (property.equals(BlobCrypterSecurityTokenCodec.SECURITY_TOKEN_KEY_FILE) && _keyPath != null)
+ if (property.equals(BlobCrypterSecurityTokenCodec.SECURITY_TOKEN_KEY_FILE) && tokenKey_ != null)
{
- return _keyPath;
+ return tokenKey_;
}
+ if (property.equals(ExoOAuthModule.SIGNING_KEY_FILE) && signingKey_ != null)
+ {
+ return signingKey_;
+ }
return super.getProperty(container, property);
}
- // @Override
- // public Object getJson(String container, String parameter) {
- // if (parameter.equals(BlobCrypterSecurityTokenDecoder.SECURITY_TOKEN_KEY_FILE) && _keyPath != null) {
- // return _keyPath;
- // }
- // return super.getJson(container, parameter);
- // }
-
/**
* It's not public as we don't want to expose it to the outter world. The fact that this class
* is instantiated by Guice and the ExoDefaultSecurityTokenGenerator is managed by exo kernel
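Review bot: `initializeKeyFile` returns `true` when the path exists but is not a regular file: the `else` branch that logs "Found path file … but it's not a key file" falls through to the final `return true`, so `setTokenKeyPath` and `signingKey_` receive a directory path, which the removed code avoided. Adding `return false;` after that `log.error(...)` restores the old behaviour. The generated file is also created by `new FileWriter(file)` with default permissions; since it holds key material I would restrict it before the key is written, e.g. `file.createNewFile(); file.setReadable(false, false); file.setReadable(true, true);`, and check the results. The comment `// _keyPath is volatile …` in `setTokenKeyPath` still names the old field. The hunk ends inside the Javadoc of `getTokenKeyPath`.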
@@ -187,9 +214,9 @@
*
* @return the key path
*/
- static String getKeyPath()
+ static String getTokenKeyPath()
{
- return _keyPath;
+ return tokenKey_;
}
/**
Modified: epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoDefaultSecurityTokenGenerator.java
===================================================================
--- epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoDefaultSecurityTokenGenerator.java 2011-09-14 08:03:19 UTC (rev 7403)
+++ epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoDefaultSecurityTokenGenerator.java 2011-09-14 08:05:34 UTC (rev 7404)
@@ -27,70 +27,23 @@
import org.apache.shindig.common.crypto.BlobCrypter;
import org.apache.shindig.common.crypto.BlobCrypterException;
import org.apache.shindig.common.util.TimeSource;
-import org.exoplatform.container.monitor.jvm.J2EEServerInfo;
import org.exoplatform.web.application.RequestContext;
public class ExoDefaultSecurityTokenGenerator implements SecurityTokenGenerator
{
- private String containerKey;
-
private final TimeSource timeSource;
public ExoDefaultSecurityTokenGenerator() throws Exception
{
- // TODO should be moved to config
- // generateKeys("RSA", 1024);
- this.containerKey = getKeyFilePath();
this.timeSource = new TimeSource();
}
- // private static void generateKeys(String keyAlgorithm, int numBits) {
- // FileOutputStream keyFile = null;
- // try {
- // keyFile = new FileOutputStream("exokey.pem");
- //
- // // RSA private key
- //
- // CertAndKeyGen cakg = new CertAndKeyGen(keyAlgorithm, "SHA1WithRSA");
- // cakg.generate(1024);
- //
- // PrivateKey privateKey = cakg.getPrivateKey();
- //
- // keyFile.write("-----BEGIN RSA PRIVATE KEY-----\n".getBytes());
- // // wrap at 64
- // int wrapIndex = 64;
- // StringBuffer sb = new StringBuffer(new String(Base64.encode(privateKey.getEncoded())));
- // for (int i = wrapIndex; i < sb.length(); i = i + wrapIndex + 1) {
- // sb.insert(i, "\n");
- // }
- // keyFile.write((sb.toString()).getBytes());
- // keyFile.write("\n-----END RSA PRIVATE KEY-----\n".getBytes());
- //
- // X500Name name = new X500Name("One", "Two", "Three", "Four", "Five", "Six");
- //
- // X509Certificate certificate = cakg.getSelfCertificate(name, 2000000);
- // System.out.println("\n CN: " + certificate.getSubjectDN());
- // keyFile.write("-----BEGIN CERTIFICATE-----\n".getBytes());
- // // wrap at 64
- // wrapIndex = 64;
- // sb = new StringBuffer(new String(Base64.encode(certificate.getEncoded())));
- // for (int i = wrapIndex; i < sb.length(); i = i + wrapIndex + 1) {
- // sb.insert(i, "\n");
- // }
- // keyFile.write(sb.toString().getBytes());
- // keyFile.write("\n-----END CERTIFICATE-----".getBytes());
- // } catch (Exception e) {
- // e.printStackTrace();
- // } finally {
- // Safe.close(keyFile);
- // }
- // }
-
protected String createToken(String gadgetURL, String owner, String viewer, Long moduleId, String container)
{
try
{
- BlobCrypterSecurityToken t = new BlobCrypterSecurityToken(getBlobCrypter(this.containerKey), container, null);
+ BlobCrypter blobCrypter = getBlobCrypter();
+ BlobCrypterSecurityToken t = new BlobCrypterSecurityToken(blobCrypter, container, null);
t.setAppUrl(gadgetURL);
t.setModuleId(moduleId);
@@ -102,13 +55,11 @@
}
catch (IOException e)
{
- e.printStackTrace(); // To change body of catch statement use File |
- // Settings | File Templates.
+ e.printStackTrace();
}
catch (BlobCrypterException e)
{
- e.printStackTrace(); // To change body of catch statement use File |
- // Settings | File Templates.
+ e.printStackTrace();
}
return null;
}
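Review bot: Both catch blocks still only call `e.printStackTrace()` and then fall through to `return null`, so a key file that cannot be read, or a failure while encrypting, yields a null security token with nothing in the portal log. Since the commit already touches these lines, I would log through the eXo logger as `ExoContainerConfig` does, e.g. `log.error("Could not create gadget security token", e);`, which needs a `Log` field that this class does not declare in the visible lines. `createToken` begins in the previous hunk.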
@@ -123,8 +74,9 @@
return createToken(gadgetURL, viewer, rUser, moduleId, "default");
}
- private BlobCrypter getBlobCrypter(String fileName) throws IOException
+ protected BlobCrypter getBlobCrypter() throws IOException
{
+ String fileName = getKeyFilePath();
BasicBlobCrypter c = new BasicBlobCrypter(new File(fileName));
c.timeSource = timeSource;
return c;
@@ -133,22 +85,19 @@
/**
* Method returns a path to the file containing the encryption key
*/
- private String getKeyFilePath(){
- J2EEServerInfo info = new J2EEServerInfo();
- String confPath = info.getExoConfigurationDirectory();
- File keyFile = null;
-
- if (confPath != null) {
- File confDir = new File(confPath);
- if (confDir != null && confDir.exists() && confDir.isDirectory()) {
- keyFile = new File(confDir, "gadgets/key.txt");
- }
- }
+ protected String getKeyFilePath()
+ {
+ String keyPath = ExoContainerConfig.getTokenKeyPath();
+ File keyFile = null;
+ if (keyPath != null)
+ {
+ keyFile = new File(keyPath);
+ }
+ else
+ {
+ keyFile = new File("key.txt");
+ }
- if (keyFile == null) {
- keyFile = new File("key.txt");
- }
-
- return keyFile.getAbsolutePath();
+ return keyFile.getAbsolutePath();
}
}
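Review bot: When `ExoContainerConfig.getTokenKeyPath()` returns null, `getKeyFilePath()` silently falls back to `key.txt` in the working directory, which is the per-node key that this load-balancing fix is meant to avoid. The null case arises when `initializeKeyFile` failed or the container config has not been constructed yet, and tokens encrypted with a node-local key will presumably not be accepted by the other nodes. I would at least log the fallback at warn level, or fail with `throw new IllegalStateException("Gadget token key file is not initialized");` if no caller depends on the fallback. The new lines also mix two indentation widths.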
Modified: epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoOAuthModule.java
===================================================================
--- epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoOAuthModule.java 2011-09-14 08:03:19 UTC (rev 7403)
+++ epp/portal/branches/EPP_5_2_Branch/gadgets/core/src/main/java/org/exoplatform/portal/gadget/core/ExoOAuthModule.java 2011-09-14 08:05:34 UTC (rev 7404)
@@ -19,6 +19,8 @@
package org.exoplatform.portal.gadget.core;
+import com.google.inject.Singleton;
+
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -28,7 +30,6 @@
import org.apache.shindig.common.crypto.BlobCrypter;
import org.apache.shindig.common.util.ResourceLoader;
import org.apache.shindig.config.ContainerConfig;
-import org.apache.shindig.gadgets.http.HttpFetcher;
import org.apache.shindig.gadgets.oauth.BasicOAuthStore;
import org.apache.shindig.gadgets.oauth.BasicOAuthStoreConsumerKeyAndSecret;
import org.apache.shindig.gadgets.oauth.OAuthFetcherConfig;
@@ -50,18 +51,14 @@
*/
public class ExoOAuthModule extends OAuthModule
{
- private static final String SIGNING_KEY_FILE = "gadgets.signingKeyFile";
+ public static final String SIGNING_KEY_FILE = "gadgets.signingKeyFile";
private static final String SIGNING_KEY_NAME = "gadgets.signingKeyName";
private static final String CALLBACK_URL = "gadgets.signing.global-callback-url";
private static final String OAUTH_CONFIG = "config/oauth.json";
- private static final String OAUTH_SIGNING_KEY_FILE = "shindig.signing.key-file";
- private static final String OAUTH_SIGNING_KEY_NAME = "shindig.signing.key-name";
- private static final String OAUTH_CALLBACK_URL = "shindig.signing.global-callback-url";
-
private static final Logger logger = Logger.getLogger(OAuthModule.class.getName());
@Override
@@ -80,6 +77,7 @@
Boolean.TRUE);
}
+ @Singleton
public static class ExoOAuthStoreProvider implements Provider<OAuthStore>
{
@@ -88,18 +86,13 @@
@Inject
public ExoOAuthStoreProvider(ContainerConfig config)
{
- //super(config.getString(ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_FILE), config.getString(ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_NAME));
-// super(config.getString(ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_FILE), config.getString(
-// ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_NAME), config.getString(ContainerConfig.DEFAULT_CONTAINER,
-// CALLBACK_URL));
-
store = new ExoOAuthStore();
String signingKeyFile = config.getString(ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_FILE);
String signingKeyName = config.getString(ContainerConfig.DEFAULT_CONTAINER, SIGNING_KEY_NAME);
- String defaultCallbackUrl = config.getString(ContainerConfig.DEFAULT_CONTAINER,CALLBACK_URL);
-
loadDefaultKey(signingKeyFile, signingKeyName);
+
+ String defaultCallbackUrl = config.getString(ContainerConfig.DEFAULT_CONTAINER,CALLBACK_URL);
store.setDefaultCallbackUrl(defaultCallbackUrl);
loadConsumers();
}
@@ -128,8 +121,7 @@
" openssl pkcs8 -in testkey.pem -out oauthkey.pem -topk8 -nocrypt -outform PEM\n" +
'\n' +
"Then edit gadgets.properties and add these lines:\n" +
- OAUTH_SIGNING_KEY_FILE + "=<path-to-oauthkey.pem>\n" +
- OAUTH_SIGNING_KEY_NAME + "=mykey\n");
+ SIGNING_KEY_FILE + "=<path-to-oauthkey.pem>\n");
}
}
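Review bot: The help text now tells the administrator to add `gadgets.signingKeyFile=<path-to-oauthkey.pem>` to gadgets.properties, but the path introduced by this commit is read in `ExoContainerConfig` from the property `gatein.gadgets.signingKeyFile`, which the class comment places in configuration.properties. The message should name that property and file, e.g. `"Then edit configuration.properties and add this line:\n" + "gatein.gadgets.signingKeyFile=<path-to-oauthkey.pem>\n"`. The openssl command in the message produces an unencrypted key, so a sentence asking to restrict the file to the server account would fit here as well. The enclosing method starts outside the hunk.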
@@ -146,24 +138,4 @@
return store;
}
}
-
- public static class ExoOAuthRequestProvider extends OAuthRequestProvider
- {
- private final HttpFetcher fetcher;
-
- private final OAuthFetcherConfig config;
-
- @Inject
- public ExoOAuthRequestProvider(HttpFetcher fetcher, OAuthFetcherConfig config)
- {
- super(fetcher, config);
- this.fetcher = fetcher;
- this.config = config;
- }
-
- public OAuthRequest get()
- {
- return new OAuthRequest(config, fetcher);
- }
- }
}
gatein SVN: r7403 - epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/WEB-INF/conf/portal/portal/classic.
by do-not-reply@jboss.org
Author: theute
Date: 2011-09-14 04:03:19 -0400 (Wed, 14 Sep 2011)
New Revision: 7403
Modified:
epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/WEB-INF/conf/portal/portal/classic/portal.xml
Log:
JBEPP-1168: Have window surroundings by default like in EPP 5.1
Modified: epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/WEB-INF/conf/portal/portal/classic/portal.xml
===================================================================
--- epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/WEB-INF/conf/portal/portal/classic/portal.xml 2011-09-14 08:00:31 UTC (rev 7402)
+++ epp/portal/branches/EPP_5_2_Branch/web/portal/src/main/webapp/WEB-INF/conf/portal/portal/classic/portal.xml 2011-09-14 08:03:19 UTC (rev 7403)
@@ -30,7 +30,7 @@
<edit-permission>*:/platform/administrators</edit-permission>
<properties>
<entry key="sessionAlive">onDemand</entry>
- <entry key="showPortletInfo">0</entry>
+ <entry key="showPortletInfo">1</entry>
</properties>
<portal-layout>
gatein SVN: r7402 - in portal/branches/xss: web/portal/src/main/webapp/groovy/portal/webui/page and 1 other directory.
by do-not-reply@jboss.org
Author: ndkhoiits
Date: 2011-09-14 04:00:31 -0400 (Wed, 14 Sep 2011)
New Revision: 7402
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/TreeNode.java
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/page/UIWizardPageSetInfo.gtmpl
Log:
GTNPORTAL-2069 XSS vulnerability in Node label input
Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/TreeNode.java
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/TreeNode.java 2011-09-14 07:11:15 UTC (rev 7401)
+++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/navigation/webui/TreeNode.java 2011-09-14 08:00:31 UTC (rev 7402)
@@ -7,6 +7,7 @@
import org.exoplatform.portal.mop.user.UserNavigation;
import org.exoplatform.portal.mop.user.UserNode;
import org.exoplatform.portal.webui.util.Util;
+import org.gatein.common.text.EntityEncoder;
import java.util.HashMap;
import java.util.LinkedList;
@@ -224,7 +225,7 @@
return node.getName();
}
- return label;
+ return EntityEncoder.FULL.encode(label);
}
}
}
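Review bot: Only the final `return` is encoded; the `return node.getName();` branch just above it still returns the raw value, so the method yields encoded or unencoded text depending on the branch taken. If node names can contain markup characters (their validation is not visible here), that branch needs `return EntityEncoder.FULL.encode(node.getName());`. Encoding inside the getter also means that callers which encode on output, or use the label outside HTML, will see entities, so a Javadoc line such as `@return the label, HTML-entity encoded` would help. The method starts outside the hunk.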
Modified: portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/page/UIWizardPageSetInfo.gtmpl
===================================================================
--- portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/page/UIWizardPageSetInfo.gtmpl 2011-09-14 07:11:15 UTC (rev 7401)
+++ portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/page/UIWizardPageSetInfo.gtmpl 2011-09-14 08:00:31 UTC (rev 7402)
@@ -1,6 +1,7 @@
<%
import org.exoplatform.portal.webui.navigation.UIPageNodeSelector;
import org.exoplatform.webui.core.UIComponent;
+ import org.gatein.common.text.EntityEncoder;
String nodeName = "/";
boolean isNoSelecter = !uicomponent.getChild(UIPageNodeSelector.class).isRendered();
@@ -10,7 +11,7 @@
<div class="<%=isNoSelecter ? "NoPageSelecter" : ""%>">
<%if(!isNoSelecter) {
def pageNode = uicomponent.getSelectedPageNode();
- if( pageNode!=null && pageNode.getResolvedLabel() != null ) nodeName += pageNode.getResolvedLabel();
+ if( pageNode != null && pageNode.getResolvedLabel() != null ) nodeName += pageNode.getResolvedLabel();
%>
<div class="PageNodeContainer">
<% uicomponent.renderChild(UIPageNodeSelector.class); %>
@@ -22,11 +23,12 @@
<div class="OverflowContainer">
<div class="Icon"><span></span></div>
<div class="Label"><%=_ctx.appRes(uicomponent.getId() + ".label.curentSelectedNodeInfo")%>:</div>
- <% if(nodeName.length() > 40) { %>
- <div class="Info"><%= nodeName.substring(0,39) %>...</div>
- <% } else { %>
- <div class="Info"><%= nodeName%></div>
- <% } %>
+ <% if(nodeName.length() > 40) {
+ nodeName = nodeName.substring(0,39) + "...";
+ }
+ nodeName = EntityEncoder.FULL.encode(nodeName);
+ %>
+ <div class="Info">$nodeName</div>
</div>
</div>
gatein SVN: r7401 - in portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget: impl and 1 other directory.
by do-not-reply@jboss.org
Author: kien_nguyen
Date: 2011-09-14 03:11:15 -0400 (Wed, 14 Sep 2011)
New Revision: 7401
Modified:
portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/GadgetImporter.java
portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/impl/GadgetRegistryServiceImpl.java
Log:
GTNPORTAL-2077 javax.jcr.nodetype.ConstraintViolationException when a remote gadget file cannot be processed
Modified: portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/GadgetImporter.java
===================================================================
--- portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/GadgetImporter.java 2011-09-14 07:00:17 UTC (rev 7400)
+++ portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/GadgetImporter.java 2011-09-14 07:11:15 UTC (rev 7401)
@@ -90,7 +90,7 @@
if (bytes == null)
{
log.error("Cannot import gadget " + gadgetURI + " because its data could not be found");
- return;
+ throw new IOException();
}
//
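Review bot: `throw new IOException();` carries no message, so whoever catches it upstream cannot tell which gadget failed, although the text is already built for the log call one line above. I would use `throw new IOException("Cannot import gadget " + gadgetURI + " because its data could not be found");`. The enclosing method starts and ends outside the hunk, so whether its signature already declares `IOException` cannot be checked from here.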
Modified: portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/impl/GadgetRegistryServiceImpl.java
===================================================================
--- portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/impl/GadgetRegistryServiceImpl.java 2011-09-14 07:00:17 UTC (rev 7400)
+++ portal/trunk/component/application-registry/src/main/java/org/exoplatform/application/gadget/impl/GadgetRegistryServiceImpl.java 2011-09-14 07:11:15 UTC (rev 7401)
@@ -343,25 +343,28 @@
public Boolean call() throws Exception
{
chromatticLifeCycle.openContext();
+ boolean done = true;
try
- {
- boolean done = false;
+ {
if (getRegistry().getGadget(importer.getGadgetName()) == null)
{
GadgetDefinition def = getRegistry().addGadget(importer.getGadgetName());
importer.doImport(def);
- done = true;
}
else
{
log.debug("Will not import existing gagdet " + importer.getGadgetName());
}
- return done;
}
+ catch (Exception e)
+ {
+ done = false;
+ }
finally
{
- chromatticLifeCycle.closeContext(true);
+ chromatticLifeCycle.closeContext(done);
}
+ return done;
}
}
}
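Review bot: The new `catch (Exception e)` sets `done = false` and drops the exception, so a failed import leaves no trace beyond whatever `doImport` logged itself. Add `log.error("Could not import gadget " + importer.getGadgetName(), e);` in the catch. Because `done` now starts as `true`, the "Will not import existing gagdet" branch returns `true` where it used to return `false`; if callers read the result as "imported", set `done = false` in that branch. `getRegistry().addGadget(...)` still runs before `doImport`, so the fix depends on `closeContext(false)` discarding the node that was just added.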
gatein SVN: r7400 - in portal/branches/xss: webui/core/src/main/java/org/exoplatform/webui/form and 1 other directory.
by do-not-reply@jboss.org
Author: ndkhoiits
Date: 2011-09-14 03:00:17 -0400 (Wed, 14 Sep 2011)
New Revision: 7400
Modified:
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
Log:
GTNPORTAL-2073 XSS encoding in UIFormTextAreaInput.java
Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 06:10:00 UTC (rev 7399)
+++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 07:00:17 UTC (rev 7400)
@@ -38,7 +38,6 @@
import org.exoplatform.webui.form.validator.EscapeHTMLValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.NameValidator;
-import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import java.util.Calendar;
Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java 2011-09-14 06:10:00 UTC (rev 7399)
+++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIGadgetEditor.java 2011-09-14 07:00:17 UTC (rev 7400)
@@ -19,15 +19,14 @@
package org.exoplatform.applicationregistry.webui.component;
-import org.apache.commons.lang.StringEscapeUtils;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.gadgets.spec.GadgetSpec;
import org.exoplatform.application.gadget.Gadget;
import org.exoplatform.application.gadget.GadgetRegistryService;
import org.exoplatform.application.gadget.Source;
import org.exoplatform.application.gadget.SourceStorage;
-import org.exoplatform.portal.webui.application.GadgetUtil;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.exoplatform.portal.webui.application.GadgetUtil;
import org.exoplatform.web.application.ApplicationMessage;
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.webui.config.InitParams;
@@ -50,6 +49,7 @@
import org.exoplatform.webui.form.validator.ResourceValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import org.exoplatform.webui.form.validator.Validator;
+
import java.io.Serializable;
import java.util.Calendar;
@@ -120,8 +120,7 @@
{
UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE);
UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME);
- String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue()));
- uiInputSource.setValue(encoded);
+ uiInputSource.setValue(uiInputSource.getValue());
if(this.isEdit()) {
uiInputName.setEditable(false);
}
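Review bot: `uiInputSource.setValue(uiInputSource.getValue());` assigns the field its own value and can be deleted, unless `setValue` has a side effect that is not visible here. With the escape/unescape round trip removed, the gadget source is protected only by the encoding that `UIFormTextAreaInput.processRender` applies in this commit, so this field has to keep `escapeHTML_` at its default `true`; a one-line comment saying that would help. The enclosing method starts outside the hunk.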
@@ -135,12 +134,6 @@
return (idx > 0) ? fullName.substring(0, idx) : fullName;
}
- private String appendTail(String name)
- {
- int idx = name.indexOf('.');
- return (idx > 0) ? name : name + ".xml";
- }
-
public void setDirPath(String dirPath)
{
this.dirPath = dirPath;
Modified: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java
===================================================================
--- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-14 06:10:00 UTC (rev 7399)
+++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormInputBase.java 2011-09-14 07:00:17 UTC (rev 7400)
@@ -19,8 +19,8 @@
package org.exoplatform.webui.form;
+import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.application.WebuiRequestContext;
-import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.core.UIComponent;
import org.exoplatform.webui.core.UIContainer;
import org.exoplatform.webui.event.Event;
@@ -90,6 +90,11 @@
* Whether this field is in read only mode
*/
protected boolean readonly_ = false;
+
+ /**
+ * Encode the value before rendering or not. The value will be encoded by default.
+ */
+ protected boolean escapeHTML_ = true;
public UIFormInputBase(String name, String bindingField, Class<T> typeValue)
{
@@ -238,4 +243,14 @@
this.label = label;
}
+ public boolean isEscapeHTML()
+ {
+ return escapeHTML_;
+ }
+
+ public void setEscapeHTML(boolean escapeHTML_)
+ {
+ this.escapeHTML_ = escapeHTML_;
+ }
+
}
\ No newline at end of file
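Review bot: `setEscapeHTML` is public and undocumented, so any component can switch off output encoding for a field with no hint about the consequence. I would add Javadoc stating that `false` is only safe when the value is already encoded or never user-controlled, e.g. `/** Disables HTML encoding of the rendered value; use only for values that are already encoded. */`. The parameter name `escapeHTML_` carries the field suffix; `escapeHTML` would match the neighbouring setter style (`this.label = label`).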
Modified: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java
===================================================================
--- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-14 06:10:00 UTC (rev 7399)
+++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormStringInput.java 2011-09-14 07:00:17 UTC (rev 7400)
@@ -21,6 +21,7 @@
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -88,7 +89,6 @@
return maxLength;
}
- @SuppressWarnings("unused")
public void decode(Object input, WebuiRequestContext context) throws Exception
{
String val = (String)input;
@@ -101,6 +101,7 @@
public void processRender(WebuiRequestContext context) throws Exception
{
+ String value = getValue();
Writer w = context.getWriter();
w.write("<input name='");
w.write(getName());
@@ -112,10 +113,14 @@
w.write(" id='");
w.write(getId());
w.write('\'');
- if (value_ != null && value_.length() > 0)
+ if (value != null && value.length() > 0)
{
+ if (escapeHTML_)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
w.write(" value='");
- w.write(encodeValue(value_).toString());
+ w.write(value);
w.write('\'');
}
if (maxLength > 0)
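Review bot: With `escapeHTML_` set to `false` the value is now written unmodified between the single quotes of `value='…'`, whereas the removed `encodeValue` always replaced both quote characters. A quote in the value then ends the attribute, so the opt-out brings back the problem this branch addresses. Inside an attribute the encoding should not be optional; I would call `EntityEncoder.FULL.encode(value)` unconditionally here, provided it encodes both quote characters, and keep the flag for element content only. `processRender` starts in the previous hunk and continues past this one.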
@@ -128,34 +133,4 @@
if (this.isMandatory())
w.write(" *");
}
-
- private StringBuilder encodeValue(String value)
- {
- char[] chars = {'\'', '"'};
- String[] refs = {"'", """};
- StringBuilder builder = new StringBuilder(value);
- int idx;
- for (int i = 0; i < chars.length; i++)
- {
- idx = indexOf(builder, chars[i], 0);
- while (idx > -1)
- {
- builder = builder.replace(idx, idx + 1, refs[i]);
- idx = indexOf(builder, chars[i], idx);
- }
- }
- return builder;
- }
-
- private int indexOf(StringBuilder builder, char c, int from)
- {
- int i = from;
- while (i < builder.length())
- {
- if (builder.charAt(i) == c)
- return i;
- i++;
- }
- return -1;
- }
}
\ No newline at end of file
Modified: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java
===================================================================
--- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-14 06:10:00 UTC (rev 7399)
+++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/UIFormTextAreaInput.java 2011-09-14 07:00:17 UTC (rev 7400)
@@ -21,6 +21,7 @@
import org.exoplatform.webui.application.WebuiRequestContext;
import org.exoplatform.commons.serialization.api.annotations.Serialized;
+import org.gatein.common.text.EntityEncoder;
import java.io.Writer;
@@ -50,7 +51,6 @@
this.value_ = value ;
}
- @SuppressWarnings("unused")
public void decode(Object input, WebuiRequestContext context) throws Exception {
String val = (String) input ;
value_ = val ;
@@ -72,9 +72,13 @@
w.append(" cols=\"").append(String.valueOf(columns)).append("\"");
w.write(">");
if (value != null)
- //TODO: remove from other components and than encode here
- //w.write(org.gatein.common.text.EntityEncoder.FULL.encode(value));
- w.write(value);
+ {
+ if (escapeHTML_)
+ {
+ value = EntityEncoder.FULL.encode(value);
+ }
+ }
+ w.write(value);
w.write("</textarea>");
if (this.isMandatory())
w.write(" *");
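Review bot: `w.write(value);` now sits after the closing brace of `if (value != null)`, so a text area without a value passes null to `Writer.write(String)`, which throws a NullPointerException in the standard `java.io` writers; before this change the write was guarded by the null check. Move `w.write(value);` up one line so it is the last statement inside the `if (value != null)` block. The enclosing method starts before this hunk and ends after it.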
gatein SVN: r7399 - in portal/branches/xss/webui: eXo/src/main/java/org/exoplatform/webui/organization and 1 other directories.
by do-not-reply@jboss.org
Author: ndkhoiits
Date: 2011-09-14 02:10:00 -0400 (Wed, 14 Sep 2011)
New Revision: 7399
Modified:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java
portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java
Log:
GTNPORTAL-2090 XSS issue in application select permission editor
Modified: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java
===================================================================
--- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java 2011-09-14 04:48:39 UTC (rev 7398)
+++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/core/UITree.java 2011-09-14 06:10:00 UTC (rev 7399)
@@ -27,6 +27,7 @@
import org.exoplatform.webui.event.Event;
import org.exoplatform.webui.event.EventListener;
import org.exoplatform.webui.form.UIForm;
+import org.gatein.common.text.EntityEncoder;
import java.lang.reflect.Method;
import java.util.Collection;
@@ -117,6 +118,11 @@
* A right click popup menu
*/
private UIRightClickPopupMenu uiPopupMenu_;
+
+ /**
+ * Encode the value before rendering or not
+ */
+ private boolean escapeHTML_ = false;
public Object getFieldValue(Object bean, String field) throws Exception
{
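Review bot: `escapeHTML_` defaults to `false` here, so encoding of node labels is opt-in and any `UITree` user that does not call `setEscapeHTML(true)` keeps writing `fieldValue` into the markup unencoded; this revision enables it for three selectors, and other callers are not visible in the diff. A safer default is `private boolean escapeHTML_ = true;`, with `setEscapeHTML(false)` reserved for trees whose labels are trusted markup. The Javadoc should state the default and that disabling the flag makes the caller responsible for the label content. The accessor added in the next hunk is named `getEscapeHTML()`, while `UIFormInputBase` exposes the same flag as `isEscapeHTML()`.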
@@ -260,6 +266,16 @@
uiPopupMenu_.setParent(this);
}
+ public void setEscapeHTML(boolean escape)
+ {
+ escapeHTML_ = escape;
+ }
+
+ public boolean getEscapeHTML()
+ {
+ return escapeHTML_;
+ }
+
public String event(String name, String beanId) throws Exception
{
UIForm uiForm = getAncestorOfType(UIForm.class);
@@ -305,6 +321,12 @@
{
fieldValue = fieldValue.substring(0, getMaxTitleCharacter() - 3) + "...";
}
+
+ if (escapeHTML_)
+ {
+ fieldValue = fieldValue != null ? EntityEncoder.FULL.encode(fieldValue) : fieldValue;
+ }
+
if (nodeIcon.equals(expandIcon))
{
builder.append(" <div class=\"").append(nodeIcon).append("\" onclick=\"").append(actionLink).append("\">");
Modified: portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java
===================================================================
--- portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java 2011-09-14 04:48:39 UTC (rev 7398)
+++ portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupMembershipSelector.java 2011-09-14 06:10:00 UTC (rev 7399)
@@ -68,6 +68,7 @@
tree.setSelectedIcon("PortalIcon");
tree.setBeanIdField("id");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}
Modified: portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java
===================================================================
--- portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java 2011-09-14 04:48:39 UTC (rev 7398)
+++ portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/UIGroupSelector.java 2011-09-14 06:10:00 UTC (rev 7399)
@@ -71,6 +71,7 @@
tree.setBeanIdField("id");
//tree.setBeanLabelField("groupName");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}
Modified: portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java
===================================================================
--- portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java 2011-09-14 04:48:39 UTC (rev 7398)
+++ portal/branches/xss/webui/eXo/src/main/java/org/exoplatform/webui/organization/account/UIGroupSelector.java 2011-09-14 06:10:00 UTC (rev 7399)
@@ -75,6 +75,7 @@
tree.setBeanIdField("id");
//tree.setBeanLabelField("groupName");
tree.setBeanLabelField("label");
+ tree.setEscapeHTML(true);
uiBreadcumbs.setBreadcumbsStyle("UIExplorerHistoryPath");
}
gatein SVN: r7398 - in portal/branches/xss: portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component and 5 other directories.
by do-not-reply@jboss.org
Author: ndkhoiits
Date: 2011-09-14 00:48:39 -0400 (Wed, 14 Sep 2011)
New Revision: 7398
Added:
portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java
Modified:
portal/branches/xss/
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java
portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl
portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl
portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
Log:
GTNPORTAL-2065 XSS vulnerability at portlet description
Property changes on: portal/branches/xss
___________________________________________________________________
Modified: svn:mergeinfo
- /epp/portal/branches/EPP_5_1_Branch:6841
/portal/branches/branch-GTNPORTAL-1790:5864-5919
/portal/branches/branch-GTNPORTAL-1822:5938-5991
/portal/branches/branch-GTNPORTAL-1832:5993-6105
/portal/branches/branch-GTNPORTAL-1872:6327-6594
/portal/branches/branch-GTNPORTAL-1921:6597-6803
/portal/branches/branch-GTNPORTAL-1963:6902-6986
/portal/branches/decoupled-webos:6214-6243
/portal/branches/dom:7272-7349
/portal/branches/gatein-management:6920-6958
/portal/branches/global-portlet-metadata:6298-6384
/portal/branches/site-describability:6171-6235
/portal/branches/wsrp-extraction:5828-6031
/portal/branches/xss-issues:7350-7351
+ /epp/portal/branches/EPP_5_1_Branch:6841
/portal/branches/branch-GTNPORTAL-1790:5864-5919
/portal/branches/branch-GTNPORTAL-1822:5938-5991
/portal/branches/branch-GTNPORTAL-1832:5993-6105
/portal/branches/branch-GTNPORTAL-1872:6327-6594
/portal/branches/branch-GTNPORTAL-1921:6597-6803
/portal/branches/branch-GTNPORTAL-1963:6902-6986
/portal/branches/decoupled-webos:6214-6243
/portal/branches/dom:7272-7349
/portal/branches/gatein-management:6920-6958
/portal/branches/global-portlet-metadata:6298-6384
/portal/branches/site-describability:6171-6235
/portal/branches/wsrp-extraction:5828-6031
/portal/branches/xss-issues:7350-7351,7358
Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UIApplicationForm.java 2011-09-14 04:48:39 UTC (rev 7398)
@@ -22,24 +22,23 @@
import org.exoplatform.application.registry.Application;
import org.exoplatform.application.registry.ApplicationCategory;
import org.exoplatform.application.registry.ApplicationRegistryService;
-import org.exoplatform.portal.application.PortalRequestContext;
-import org.exoplatform.portal.webui.portal.UIPortal;
+import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.web.application.ApplicationMessage;
import org.exoplatform.webui.application.WebuiRequestContext;
-import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.config.annotation.ComponentConfig;
import org.exoplatform.webui.config.annotation.EventConfig;
import org.exoplatform.webui.core.UIApplication;
import org.exoplatform.webui.core.lifecycle.UIFormLifecycle;
import org.exoplatform.webui.event.Event;
+import org.exoplatform.webui.event.Event.Phase;
import org.exoplatform.webui.event.EventListener;
-import org.exoplatform.webui.event.MonitorEvent;
-import org.exoplatform.webui.event.Event.Phase;
import org.exoplatform.webui.form.UIForm;
import org.exoplatform.webui.form.UIFormStringInput;
import org.exoplatform.webui.form.UIFormTextAreaInput;
+import org.exoplatform.webui.form.validator.EscapeHTMLValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.NameValidator;
+import org.exoplatform.webui.form.validator.SpecialCharacterValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
import java.util.Calendar;
@@ -56,7 +55,7 @@
@Serialized
public class UIApplicationForm extends UIForm
{
-
+
private Application application_;
public UIApplicationForm() throws Exception
@@ -64,9 +63,10 @@
addUIFormInput(new UIFormStringInput("applicationName", "applicationName", null).addValidator(
MandatoryValidator.class).addValidator(StringLengthValidator.class, 3, 30).addValidator(NameValidator.class));
addUIFormInput(new UIFormStringInput("displayName", "displayName", null).addValidator(
- StringLengthValidator.class, 3, 30));
- addUIFormInput(new UIFormTextAreaInput("description", "description", null).addValidator(
- StringLengthValidator.class, 0, 255));
+ StringLengthValidator.class, 3, 30).addValidator(EscapeHTMLValidator.class));
+ addUIFormInput(new UIFormTextAreaInput("description", "description", null)
+ .addValidator(StringLengthValidator.class, 0, 255)
+ .addValidator(EscapeHTMLValidator.class));
}
public void setValues(Application app) throws Exception
Modified: portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java
===================================================================
--- portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/portlet/exoadmin/src/main/java/org/exoplatform/applicationregistry/webui/component/UICategoryForm.java 2011-09-14 04:48:39 UTC (rev 7398)
@@ -22,9 +22,9 @@
import org.exoplatform.application.registry.Application;
import org.exoplatform.application.registry.ApplicationCategory;
import org.exoplatform.application.registry.ApplicationRegistryService;
+import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.web.application.ApplicationMessage;
import org.exoplatform.webui.application.WebuiRequestContext;
-import org.exoplatform.commons.serialization.api.annotations.Serialized;
import org.exoplatform.webui.config.annotation.ComponentConfig;
import org.exoplatform.webui.config.annotation.EventConfig;
import org.exoplatform.webui.core.UIApplication;
@@ -36,6 +36,7 @@
import org.exoplatform.webui.form.UIFormStringInput;
import org.exoplatform.webui.form.UIFormTabPane;
import org.exoplatform.webui.form.UIFormTextAreaInput;
+import org.exoplatform.webui.form.validator.EscapeHTMLValidator;
import org.exoplatform.webui.form.validator.IdentifierValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
@@ -74,7 +75,7 @@
MandatoryValidator.class).addValidator(StringLengthValidator.class, 3, 30).addValidator(
IdentifierValidator.class));
uiCategorySetting.addUIFormInput(new UIFormStringInput(FIELD_DISPLAY_NAME, FIELD_DISPLAY_NAME, null)
- .addValidator(StringLengthValidator.class, 3, 30));
+ .addValidator(StringLengthValidator.class, 3, 30).addValidator(EscapeHTMLValidator.class));
uiCategorySetting.addUIFormInput(new UIFormTextAreaInput(FIELD_DESCRIPTION, FIELD_DESCRIPTION, null)
.addValidator(StringLengthValidator.class, 0, 255));
addChild(uiCategorySetting);
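Review bot: Only `FIELD_DISPLAY_NAME` receives `EscapeHTMLValidator` in this hunk; the `FIELD_DESCRIPTION` text area two lines below keeps just `StringLengthValidator`, while `UIApplicationForm` in the same revision adds the validator to both its display name and its description. If the omission is not deliberate, extend the last call to `.addValidator(StringLengthValidator.class, 0, 255).addValidator(EscapeHTMLValidator.class));`. The constructor this hunk belongs to starts and ends outside the hunk.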
Modified: portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties
===================================================================
--- portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_en.properties 2011-09-14 04:48:39 UTC (rev 7398)
@@ -111,6 +111,12 @@
URLValidator.msg.invalid-url=The "{0}" field does not contain a valid URL.
#############################################################################
+ # Escape HTML character Validator #
+ #############################################################################
+
+EscapeHTMLValidator.msg.value-invalid=The "{0}" field is invalid, it should not contain < or >.
+
+ #############################################################################
# Label for UIFormMultiValueInputSet #
#############################################################################
Modified: portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties
===================================================================
--- portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/web/portal/src/main/webapp/WEB-INF/classes/locale/portal/webui_vi.properties 2011-09-14 04:48:39 UTC (rev 7398)
@@ -85,6 +85,12 @@
URLValidator.msg.invalid-url=Giá trị trường "{0}" không hợp lệ!
#############################################################################
+ # Escape HTML character Validator #
+ #############################################################################
+
+EscapeHTMLValidator.msg.value-invalid=Giá trị trường "{0}" không hợp lệ, không cho phép dấu < hoặc >.
+
+ #############################################################################
# Label for UIFormMultiValueInputSet #
#############################################################################
Modified: portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl
===================================================================
--- portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIApplicationList.gtmpl 2011-09-14 04:48:39 UTC (rev 7398)
@@ -3,6 +3,7 @@
def categories = uicomponent.getCategories();
def selectedCategory = uicomponent.getSelectedCategory();
+EntityEncoder encoder = EntityEncoder.FULL;
%>
<div class="UIOrganizerManagement" id="$uicomponent.id">
<div class="AppRegistryContainer">
@@ -15,15 +16,14 @@
<%
String cTab, cName, description, displayName;
boolean isSelected = false;
- for(category in categories) {
- cName = category.getName();
- EntityEncoder encoder = EntityEncoder.FULL;
+ for(category in categories) {
+ cName = category.getName();
displayName = encoder.encode(category.getDisplayName());
- if(displayName == null || displayName.length() < 1 ) displayName = cName;
- if(selectedCategory != null && cName == selectedCategory.getName()) {
+ if (displayName == null || displayName.length() < 1 ) displayName = cName;
+ if (selectedCategory != null && cName == selectedCategory.getName()) {
isSelected = true;
cTab = "SelectedTab";
- }else {
+ } else {
isSelected = false;
cTab = "NormalTab";
}
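Review bot: `encoder.encode(category.getDisplayName())` runs before the `displayName == null` test on the following line, so the fallback to `cName` is reachable for a missing display name only if `encode` accepts null; how `EntityEncoder` treats null is not visible here, and `UIDashboardSelectContainer.gtmpl` in this same revision guards against null before encoding. Choose the raw value first and encode once: `def rawName = category.getDisplayName(); displayName = encoder.encode((rawName == null || rawName.length() < 1) ? cName : rawName);`. The same ordering applies to `encoder.encode(application.getDescription())` in the next hunk and to `encoder.encode(uicomponent.getDisplayTitle())` in `UIPortlet.gtmpl`, where the null check also comes after the encode.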
@@ -34,11 +34,12 @@
<%= displayName %>
</a>
</div>
- <% if(isSelected) { %>
+ <% if (isSelected) { %>
<div class="UIVTabContent" style="display: block">
<%
- for(application in uicomponent.getApplications()) {
- String applicationLabel = application.getDisplayName();
+ for (application in uicomponent.getApplications()) {
+ String applicationName = encoder.encode(application.getDisplayName());
+ String applicationDescription = encoder.encode(application.getDescription());
String srcBG = application.getIconURL();
String srcBGError = "/eXoResources/skin/sharedImages/Icon80x80/DefaultPortlet.png";
%>
@@ -46,9 +47,9 @@
<div class="VTabContentBG">
<div class="OverflowContainer">
<img src="<%=(srcBG!=null && srcBG.length()>0)?srcBG:srcBGError%>" onError="src='$srcBGError'" alt=""/>
- <div class="ContentInfo" title="<%= application.getDisplayName() %>" style="cursor:move;">
- <div class="LabelTab">$applicationLabel</div>
- <div class="LableText"><%= application.getDescription() %></div>
+ <div class="ContentInfo" title="$applicationName" style="cursor:move;">
+ <div class="LabelTab">$applicationName</div>
+ <div class="LableText">$applicationDescription</div>
</div>
<div class="ClearLeft"><span></span></div>
</div>
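Review bot: `srcBG` from `application.getIconURL()` is still written into the `src="…"` attribute unencoded, while the display name and description next to it now pass through `encoder`. Where the icon URL originates is not visible in this diff; if any part of it can be set by a user, it should be encoded for the attribute like its neighbours, e.g. `<%= encoder.encode((srcBG != null && srcBG.length() > 0) ? srcBG : srcBGError) %>`.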
Modified: portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl
===================================================================
--- portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/web/portal/src/main/webapp/groovy/portal/webui/application/UIPortlet.gtmpl 2011-09-14 04:48:39 UTC (rev 7398)
@@ -1,8 +1,9 @@
<%
- import org.exoplatform.portal.webui.page.UIPage;
+ import org.exoplatform.portal.webui.workspace.UIPortalApplication;
+ import org.exoplatform.web.application.JavascriptManager;
+ import org.gatein.common.text.EntityEncoder;
+
import javax.portlet.WindowState;
- import org.exoplatform.web.application.JavascriptManager;
- import org.exoplatform.portal.webui.workspace.UIPortalApplication;
def rcontext = _ctx.getRequestContext();
@@ -20,6 +21,9 @@
WindowState windowState = uicomponent.getCurrentWindowState();
String portletId = uicomponent.getId();
+ EntityEncoder encoder = EntityEncoder.FULL;
+
+ String title = encoder.encode(uicomponent.getDisplayTitle());
if(uiPortalApp.isEditing()) {
%>
<div class="UIPortlet <%=hasPermission?"":"ProtectedPortlet"%>" id="UIPortlet-$portletId" onmouseover="eXo.portal.UIPortal.blockOnMouseOver(event, this, true);" onmouseout="eXo.portal.UIPortal.blockOnMouseOver(event, this, false);"
@@ -35,7 +39,7 @@
<div class="CPortletLayoutDecorator">
<%
if(hasPermission) {
- print uicomponent.getDisplayTitle();
+ print title;
} else print "<div class='ProtectedContent'>"+_ctx.appRes("UIPortlet.label.protectedContent")+"</div>";
%>
</div>
@@ -52,7 +56,6 @@
if(portalMode != uiPortalApp.CONTAINER_BLOCK_EDIT_MODE && portalMode != uiPortalApp.APP_BLOCK_EDIT_MODE) {
if(uicomponent.getShowInfoBar()) {
- String title = uicomponent.getDisplayTitle();
if(title == null || title.trim().length() < 1)
title = portletId;
/*Begin Window Portlet Bar*/
@@ -228,7 +231,6 @@
String portletIcon = uicomponent.getIcon();
if(portletIcon == null) portletIcon = "PortletIcon";
- String title = uicomponent.getDisplayTitle();
if(title.length() > 30) title = title.substring(0,27) + "...";
%>
<div class="PortletIcon $portletIcon"><%=hasPermission ? title : _ctx.appRes("UIPortlet.label.protectedContent")%></div>
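Review bot: `title` is entity-encoded near the top of the template now, so `title.substring(0,27)` in this hunk cuts the encoded text: a title containing `&`, `<` or `"` can be split in the middle of an entity, leaving a fragment such as `&am...` in the page, and the 30-character limit counts entity characters instead of visible ones. Truncate the raw `uicomponent.getDisplayTitle()` value first and encode the shortened string afterwards, which is the order `UITree` uses in r7399. The `gadgetName.substring(0, 20)` expression in `UIDashboardSelectContainer.gtmpl` has the same ordering problem.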
Added: portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java
===================================================================
--- portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java (rev 0)
+++ portal/branches/xss/webui/core/src/main/java/org/exoplatform/webui/form/validator/EscapeHTMLValidator.java 2011-09-14 04:48:39 UTC (rev 7398)
@@ -0,0 +1,72 @@
+/**
+ * Copyright (C) 2011 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.exoplatform.webui.form.validator;
+
+import org.exoplatform.web.application.ApplicationMessage;
+import org.exoplatform.webui.core.UIComponent;
+import org.exoplatform.webui.exception.MessageException;
+import org.exoplatform.webui.form.UIForm;
+import org.exoplatform.webui.form.UIFormInput;
+
+/**
+ * @author <a href="mailto:ndkhoi168@gmail.com">Nguyen Duc Khoi</a>
+ * Sep 14, 2011
+ */
+public class EscapeHTMLValidator implements Validator
+{
+ private static final String REGEX = "[^\\<\\>]*";
+
+ private String key_;
+
+ public EscapeHTMLValidator()
+ {
+ key_ = "EscapeHTMLValidator.msg.value-invalid";
+ }
+
+ public EscapeHTMLValidator(final String key)
+ {
+ if (key == null)
+ throw new IllegalArgumentException("Message key has to not null value");
+ key_ = key;
+ }
+
+ @Override
+ public void validate(UIFormInput uiInput) throws Exception
+ {
+ if ((uiInput.getValue() == null) || (uiInput.getValue().toString().trim().length() == 0))
+ return;
+ String s = uiInput.getValue().toString().trim();
+ if (s.matches(REGEX))
+ return;
+
+ UIForm uiForm = ((UIComponent)uiInput).getAncestorOfType(UIForm.class);
+ String label;
+ try
+ {
+ label = uiForm.getId() + ".label." + uiInput.getName();
+ }
+ catch (Exception e)
+ {
+ label = uiInput.getName();
+ }
+ Object[] args = {label};
+ throw new MessageException(new ApplicationMessage(key_, args, ApplicationMessage.WARNING));
+ }
+
+}
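Review bot: The class has no Javadoc describing what it checks, and its name suggests that it escapes input, whereas `validate` only rejects values containing `<` or `>`. Quotes and `&` pass through, so fields guarded by it still depend on output encoding wherever the value is written into an attribute such as `title="…"` or `value='…'`; a class comment along the lines of `Rejects values containing < or >; this complements output encoding and does not replace it.` would make that explicit. The `catch (Exception e)` around `uiForm.getId()` appears to exist only to cover a null `uiForm`; an explicit `uiForm != null` test states that intent directly.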
Modified: portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl
===================================================================
--- portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/webui/dashboard/src/main/resources/groovy/dashboard/webui/component/UIDashboardSelectContainer.gtmpl 2011-09-14 04:48:39 UTC (rev 7398)
@@ -1,11 +1,14 @@
<%
+ import org.gatein.common.text.EntityEncoder;
+
def uiDashboard = uicomponent.getAncestorOfType(org.exoplatform.dashboard.webui.component.UIDashboard.class);
if(!uiDashboard.canEdit()) return;
def uiPopup = uicomponent.getAncestorOfType(org.exoplatform.webui.core.UIPopupWindow.class);
def rcontext = _ctx.getRequestContext();
rcontext.getJavascriptManager().addJavascript("eXo.webui.UIDashboard.initPopup('"+uiPopup.getId()+"');");
-
+
+ EntityEncoder encoder = EntityEncoder.FULL;
%>
<div class="$uicomponent.id" id="UIDashboardSelectContainer" style="display: <%= uiDashboard.isShowSelectPopup()? "block" : "none"; %>;">
<div class="DashboardItemContainer ItemContainer">
@@ -21,13 +24,15 @@
<% List categories = uicomponent.getCategories();
if(categories != null && categories.size() > 0){
for(category in categories){
+ String categoryName = category.getDisplayName();
+ categoryName = categoryName == null ? "" : encoder.encode(categoryName);
%>
<div class="GadgetCategory" id="${category.getName()}">
<div class="GadgetTab SelectedTab" onclick="eXo.webui.UIDashboard.onTabClick(this, 'NormalTab', 'SelectedTab')">
<div class="LeftCategoryTitleBar">
<div class="RightCategoryTitleBar">
<div class="MiddleCategoryTitleBar">
- <div class="ArrowIcon" title="${category.getDisplayName()}">${category.getDisplayName()}</div>
+ <div class="ArrowIcon" title="$categoryName">$categoryName</div>
</div>
</div>
</div>
@@ -40,12 +45,13 @@
// uiPopup.setWindowSize(-1, 600);
for(gadget in lstGadgets){
+ String gadgetName = gadget.getDisplayName();
+ gadgetName = gadgetName == null ? "" : encoder.encode(gadgetName);
%>
<div class="UIGadget SelectItem Item" id="${gadget.getId()}" style="top:0px; left:0px;">
<div class="GadgetControl">
- <% def label = gadget.getDisplayName() %>
- <div class="GadgetTitle" style="cursor:move;" title="$label">
- <%= (label.length() <= 23) ? label : label.substring(0, 20)+"..." %>
+ <div class="GadgetTitle" style="cursor:move;" title="$gadgetName">
+ <%= (gadgetName.length() <= 23) ? gadgetName : gadgetName.substring(0, 20)+"..." %>
</div>
</div>
</div>
Modified: portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java
===================================================================
--- portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2011-09-14 03:03:32 UTC (rev 7397)
+++ portal/branches/xss/webui/portal/src/main/java/org/exoplatform/portal/webui/application/UIPortletForm.java 2011-09-14 04:48:39 UTC (rev 7398)
@@ -46,6 +46,7 @@
import org.exoplatform.webui.event.Event.Phase;
import org.exoplatform.webui.event.EventListener;
import org.exoplatform.webui.form.*;
+import org.exoplatform.webui.form.validator.EscapeHTMLValidator;
import org.exoplatform.webui.form.validator.ExpressionValidator;
import org.exoplatform.webui.form.validator.MandatoryValidator;
import org.exoplatform.webui.form.validator.StringLengthValidator;
@@ -97,7 +98,7 @@
addValidator(MandatoryValidator.class).setEditable(false)).
addUIFormInput(new UIFormStringInput("windowId", "windowId", null).setEditable(false)).*/
addUIFormInput(new UIFormInputInfo("displayName", "displayName", null)).addUIFormInput(
- new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60).addValidator(ExpressionValidator.class, "[^\\<\\>]*",
+ new UIFormStringInput("title", "title", null).addValidator(StringLengthValidator.class, 3, 60).addValidator(EscapeHTMLValidator.class,
"UIPortletForm.msg.InvalidPortletTitle"))
.addUIFormInput(
new UIFormStringInput("width", "width", null).addValidator(ExpressionValidator.class, "(^([1-9]\\d*)px$)?",
@@ -107,8 +108,8 @@
new UIFormCheckBoxInput("showInfoBar", "showInfoBar", false)).addUIFormInput(
new UIFormCheckBoxInput("showPortletMode", "showPortletMode", false)).addUIFormInput(
new UIFormCheckBoxInput("showWindowState", "showWindowState", false)).addUIFormInput(
- new UIFormTextAreaInput("description", "description", null).addValidator(StringLengthValidator.class, 0,
- 255).addValidator(ExpressionValidator.class, "[^\\<\\>]*", "UIPortletForm.msg.InvalidPortletDescription"));
+ new UIFormTextAreaInput("description", "description", null).addValidator(StringLengthValidator.class,
+ 0, 255).addValidator(EscapeHTMLValidator.class, "UIPortletForm.msg.InvalidPortletDescription"));
addUIFormInput(uiSettingSet);
UIFormInputIconSelector uiIconSelector = new UIFormInputIconSelector("Icon", "icon");
addUIFormInput(uiIconSelector);
gatein SVN: r7397 - in epp/docs/tags/EPP_5_1_1_GA: Site_Publisher/Release_Notes/en-US and 1 other directory.
by do-not-reply@jboss.org
Author: smumford
Date: 2011-09-13 23:03:32 -0400 (Tue, 13 Sep 2011)
New Revision: 7397
Modified:
epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/5.1.1_Release_Notes.xml
epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Book_Info.xml
epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Revision_History.xml
epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/resolved_issues.xml
epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Article_Info.xml
epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Revision_History.xml
Log:
Committing final changes for tagging
Modified: epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/5.1.1_Release_Notes.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/5.1.1_Release_Notes.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/5.1.1_Release_Notes.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -418,11 +418,10 @@
</listitem>
</varlistentry>
- <varlistentry>
+ <!--<varlistentry>
<term><ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1484" /></term>
<listitem>
- <!-- Added on advice from Dave Jorm in the security team -->
-
+
<para>
It was found that JBoss Web Services Native did not properly protect against recursive entity resolution when processing Document Type Definitions (DTD). A remote attacker could exploit this flaw by sending a specially-crafted HTTP POST request to a deployed web service, causing excessive CPU and memory consumption on the system hosting that service. If the attack is repeated to consume all available network sockets, the server will become unavailable. (CVE-2011-1483)
</para>
@@ -431,7 +430,7 @@
</para>
</listitem>
- </varlistentry>
+ </varlistentry> DOCS NOTE: This item has been removed from the Release Notes as a performance issue associated with the fix resulted in the patch being removed from the 5.1.1 release. The patch will most likely be pushed asynchronously after the release. -->
</variablelist>
</section>
<section>
Modified: epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Book_Info.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Book_Info.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Book_Info.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -9,7 +9,7 @@
<productname>JBoss Enterprise Portal Platform</productname>
<productnumber>5.1</productnumber>
<edition>2.1</edition>
- <pubsnumber>5.1.8</pubsnumber>
+ <pubsnumber>5.1.12</pubsnumber>
<abstract>
<para>
These release notes contain important information related to JBoss Enterprise Portal Platform &VX; that may not be currently available in the Product Manuals. You should read these Release Notes in their entirety before installing the product.
Modified: epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Revision_History.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/Revision_History.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -8,8 +8,8 @@
<simpara>
<revhistory>
<revision>
- <revnumber>2.1-5.1.8</revnumber>
- <date>Fri Aug 12 2011</date>
+ <revnumber>2.1-5.1.12</revnumber>
+ <date>Fri Sep 2 2011</date>
<author>
<firstname>Scott</firstname>
<surname>Mumford</surname>
Modified: epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/resolved_issues.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/resolved_issues.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Release_Notes/en-US/resolved_issues.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -62,13 +62,9 @@
<term><ulink url="https://issues.jboss.org/browse/JBEPP-597" /></term>
<listitem>
-
- <warning>
- <title>Not Public Yet - RHT+eXo</title>
<para>
The name of a dashboard page entered by user was not properly encoded before being returned on the web browser. This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. The name of the page is now properly HTML encoded before being returned and javascript is no longer invoked when entered into page fields.
</para>
- </warning>
</listitem>
</varlistentry>
@@ -295,13 +291,10 @@
<term><ulink url="https://issues.jboss.org/browse/JBEPP-854" /></term>
<listitem>
-
- <warning>
- <title>Not Public Yet - RHT+eXo</title>
+
<para>
In previous versions of JBoss Enterprise Portal Platform, an error would be encountered when slashes were used in the context path of a portlet. This issue has been corrected in this release.
</para>
- </warning>
</listitem>
</varlistentry>
@@ -638,22 +631,6 @@
</listitem>
</varlistentry>
- <!-- https://issues.jboss.org/browse/JBEPP-1023 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1023" /></term>
- <listitem>
-
-
- <para>
- A fix that was implemented to resolve an XSS vulnerabily, affected all textarea inputs and caused any gadget source code entered into the <systemitem>App Registry</systemitem> to be escaped with <> characters and rendered invalid to the portal. This prevented new gadgets being added to the portal as well as preventing any changes being made to existing gadgets.
- </para>
- <para>
- The underlying issue was resolved in a fix for another bug and as a result this issue no longer presents.
- </para>
-
- </listitem>
- </varlistentry>
-
<!-- https://issues.jboss.org/browse/JBEPP-1036 -->
<varlistentry>
<term><ulink url="https://issues.jboss.org/browse/JBEPP-1036" /></term>
Modified: epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Article_Info.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Article_Info.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Article_Info.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -9,7 +9,7 @@
<productname>JBoss Enterprise Portal Platform</productname>
<productnumber>5.1</productnumber>
<edition>2</edition>
- <pubsnumber>5.1.5</pubsnumber>
+ <pubsnumber>5.1.7</pubsnumber>
<abstract>
<para>
These release notes contain important information related to JBoss Site Publisher &VZ; that may not be currently available in the Product Manuals. You should read these Release Notes in their entirety before installing the product.
Modified: epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Revision_History.xml
===================================================================
--- epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:50:24 UTC (rev 7396)
+++ epp/docs/tags/EPP_5_1_1_GA/Site_Publisher/Release_Notes/en-US/Revision_History.xml 2011-09-14 03:03:32 UTC (rev 7397)
@@ -8,7 +8,7 @@
<simpara>
<revhistory>
<revision>
- <revnumber>2-5.1.5</revnumber>
+ <revnumber>2-5.1.7</revnumber>
<date>Thu Aug 11 2011</date>
<author>
<firstname>Scott</firstname>
gatein SVN: r7396 - in epp/docs/branches/5.1: Site_Publisher/Release_Notes/en-US and 1 other directory.
by do-not-reply@jboss.org
Author: smumford
Date: 2011-09-13 22:50:24 -0400 (Tue, 13 Sep 2011)
New Revision: 7396
Modified:
epp/docs/branches/5.1/Release_Notes/en-US/5.1.1_Release_Notes.xml
epp/docs/branches/5.1/Release_Notes/en-US/Book_Info.xml
epp/docs/branches/5.1/Release_Notes/en-US/Revision_History.xml
epp/docs/branches/5.1/Release_Notes/en-US/resolved_issues.xml
epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Article_Info.xml
epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Revision_History.xml
Log:
Committing final changes for tagging
Modified: epp/docs/branches/5.1/Release_Notes/en-US/5.1.1_Release_Notes.xml
===================================================================
--- epp/docs/branches/5.1/Release_Notes/en-US/5.1.1_Release_Notes.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Release_Notes/en-US/5.1.1_Release_Notes.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -418,11 +418,10 @@
</listitem>
</varlistentry>
- <varlistentry>
+ <!--<varlistentry>
<term><ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1484" /></term>
<listitem>
- <!-- Added on advice from Dave Jorm in the security team -->
-
+
<para>
It was found that JBoss Web Services Native did not properly protect against recursive entity resolution when processing Document Type Definitions (DTD). A remote attacker could exploit this flaw by sending a specially-crafted HTTP POST request to a deployed web service, causing excessive CPU and memory consumption on the system hosting that service. If the attack is repeated to consume all available network sockets, the server will become unavailable. (CVE-2011-1483)
</para>
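Review bot: The entry being commented out pairs a term URL for `id=CVE-2011-1484` with a paragraph that ends in `(CVE-2011-1483)`. The lines between this hunk and the next are not shown, so the pairing may be intended, but the two identifiers should be reconciled before the entry is restored. The reason for the removal is recorded only as a `DOCS NOTE` inside the XML comment that the next hunk closes, so the published notes give no sign that the recursive-entity-resolution fix is absent from 5.1.1. A short known-issues entry stating that the fix was withdrawn would tell administrators the web service endpoint is still exposed to the resource-exhaustion flaw described here. The same change appears in the tag copy in r7397.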
@@ -431,7 +430,7 @@
</para>
</listitem>
- </varlistentry>
+ </varlistentry> DOCS NOTE: This item has been removed from the Release Notes as a performance issue associated with the fix resulted in the patch being removed from the 5.1.1 release. The patch will most likely be pushed asynchronously after the release. -->
</variablelist>
</section>
<section>
Modified: epp/docs/branches/5.1/Release_Notes/en-US/Book_Info.xml
===================================================================
--- epp/docs/branches/5.1/Release_Notes/en-US/Book_Info.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Release_Notes/en-US/Book_Info.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -9,7 +9,7 @@
<productname>JBoss Enterprise Portal Platform</productname>
<productnumber>5.1</productnumber>
<edition>2.1</edition>
- <pubsnumber>5.1.8</pubsnumber>
+ <pubsnumber>5.1.12</pubsnumber>
<abstract>
<para>
These release notes contain important information related to JBoss Enterprise Portal Platform &VX; that may not be currently available in the Product Manuals. You should read these Release Notes in their entirety before installing the product.
Modified: epp/docs/branches/5.1/Release_Notes/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/5.1/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -8,8 +8,8 @@
<simpara>
<revhistory>
<revision>
- <revnumber>2.1-5.1.8</revnumber>
- <date>Fri Aug 12 2011</date>
+ <revnumber>2.1-5.1.12</revnumber>
+ <date>Fri Sep 2 2011</date>
<author>
<firstname>Scott</firstname>
<surname>Mumford</surname>
Modified: epp/docs/branches/5.1/Release_Notes/en-US/resolved_issues.xml
===================================================================
--- epp/docs/branches/5.1/Release_Notes/en-US/resolved_issues.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Release_Notes/en-US/resolved_issues.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -62,13 +62,9 @@
<term><ulink url="https://issues.jboss.org/browse/JBEPP-597" /></term>
<listitem>
-
- <warning>
- <title>Not Public Yet - RHT+eXo</title>
<para>
The name of a dashboard page entered by user was not properly encoded before being returned on the web browser. This allowed javascript snippets to be executed when creating a new page through the Portal Dashboard. The name of the page is now properly HTML encoded before being returned and javascript is no longer invoked when entered into page fields.
</para>
- </warning>
</listitem>
</varlistentry>
@@ -295,13 +291,10 @@
<term><ulink url="https://issues.jboss.org/browse/JBEPP-854" /></term>
<listitem>
-
- <warning>
- <title>Not Public Yet - RHT+eXo</title>
+
<para>
In previous versions of JBoss Enterprise Portal Platform, an error would be encountered when slashes were used in the context path of a portlet. This issue has been corrected in this release.
</para>
- </warning>
</listitem>
</varlistentry>
@@ -638,22 +631,6 @@
</listitem>
</varlistentry>
- <!-- https://issues.jboss.org/browse/JBEPP-1023 -->
- <varlistentry>
- <term><ulink url="https://issues.jboss.org/browse/JBEPP-1023" /></term>
- <listitem>
-
-
- <para>
- A fix that was implemented to resolve an XSS vulnerabily, affected all textarea inputs and caused any gadget source code entered into the <systemitem>App Registry</systemitem> to be escaped with <> characters and rendered invalid to the portal. This prevented new gadgets being added to the portal as well as preventing any changes being made to existing gadgets.
- </para>
- <para>
- The underlying issue was resolved in a fix for another bug and as a result this issue no longer presents.
- </para>
-
- </listitem>
- </varlistentry>
-
<!-- https://issues.jboss.org/browse/JBEPP-1036 -->
<varlistentry>
<term><ulink url="https://issues.jboss.org/browse/JBEPP-1036" /></term>
Modified: epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Article_Info.xml
===================================================================
--- epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Article_Info.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Article_Info.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -9,7 +9,7 @@
<productname>JBoss Enterprise Portal Platform</productname>
<productnumber>5.1</productnumber>
<edition>2</edition>
- <pubsnumber>5.1.5</pubsnumber>
+ <pubsnumber>5.1.7</pubsnumber>
<abstract>
<para>
These release notes contain important information related to JBoss Site Publisher &VZ; that may not be currently available in the Product Manuals. You should read these Release Notes in their entirety before installing the product.
Modified: epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:48:58 UTC (rev 7395)
+++ epp/docs/branches/5.1/Site_Publisher/Release_Notes/en-US/Revision_History.xml 2011-09-14 02:50:24 UTC (rev 7396)
@@ -8,7 +8,7 @@
<simpara>
<revhistory>
<revision>
- <revnumber>2-5.1.5</revnumber>
+ <revnumber>2-5.1.7</revnumber>
<date>Thu Aug 11 2011</date>
<author>
<firstname>Scott</firstname>
gatein SVN: r7395 - epp/docs/tags.
by do-not-reply@jboss.org
Author: smumford
Date: 2011-09-13 22:48:58 -0400 (Tue, 13 Sep 2011)
New Revision: 7395
Added:
epp/docs/tags/EPP_5_1_1_GA/
Log:
Tagging 5.1 branch to 5.1.1 tag