Author: thomas.heute(a)jboss.com
Date: 2010-03-30 05:18:21 -0400 (Tue, 30 Mar 2010)
New Revision: 2393
Modified:
portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/model/PageNode.java
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarSitePortlet.gtmpl
portal/trunk/portlet/web/src/main/webapp/groovy/portal/webui/component/UIPortalNavigation.gtmpl
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIBreadcumbs.gtmpl
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UISitemapTree.gtmpl
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UINavigationNodeSelector.java
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPageNodeSelector.java
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPortalNodeSelector.java
Log:
GTNPORTAL-729: Privilege escalation security issue
When someone enters a page display name with potentially dangerous characters it needs to be
encoded:
- Encoding in the top menu (Site and group)
- Encoding in the SiteMap
- Encoding in the node selector
- Encoding in the breadcrumb
Modified:
portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/model/PageNode.java
===================================================================
---
portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/model/PageNode.java 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/model/PageNode.java 2010-03-30
09:18:21 UTC (rev 2393)
@@ -22,6 +22,7 @@
import org.exoplatform.commons.utils.ExpressionUtil;
import org.exoplatform.portal.mop.Visibility;
import org.exoplatform.portal.pom.data.NavigationNodeData;
+import org.gatein.common.text.EntityEncoder;
import java.util.ArrayList;
import java.util.Date;
@@ -42,6 +43,8 @@
private String name;
private String resolvedLabel;
+
+ private String encodedResolvedLabel;
private Date startPublicationDate;
@@ -69,6 +72,7 @@
this.uri = nav.getURI();
this.label = nav.getLabel();
this.resolvedLabel = nav.getLabel();
+ this.encodedResolvedLabel = null;
this.icon = nav.getIcon();
this.name = nav.getName();
this.startPublicationDate = nav.getStartPublicationDate();
@@ -110,6 +114,7 @@
{
label = s;
resolvedLabel = s;
+ encodedResolvedLabel = null;
}
public String getIcon()
@@ -146,10 +151,21 @@
{
return resolvedLabel;
}
+
+ public String getEncodedResolvedLabel()
+ {
+ EntityEncoder encoder = EntityEncoder.FULL;
+ if (encodedResolvedLabel == null)
+ {
+ encodedResolvedLabel = encoder.encode(resolvedLabel);
+ }
+ return encodedResolvedLabel;
+ }
public void setResolvedLabel(String res)
{
resolvedLabel = res;
+ encodedResolvedLabel = null;
}
public void setResolvedLabel(ResourceBundle res)
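Review bot: getEncodedResolvedLabel() on L64–72 hands resolvedLabel to EntityEncoder.encode without a null check, and resolvedLabel can be null here — the constructor copies nav.getLabel() straight through on L47 and only the ResourceBundle overload falls back to getName(). Unless EntityEncoder.FULL.encode accepts null (not visible on this page), a node without a label will make the getter throw the first time a tree asks for it; `encodedResolvedLabel = resolvedLabel == null ? null : encoder.encode(resolvedLabel);` keeps the getter total. Since this getter is the method the UITree bean-label lookups in this commit now name, it deserves a Javadoc stating that the value is the HTML-entity-encoded form of resolvedLabel meant for direct insertion into markup, is recomputed lazily after any label change, and must not be encoded again by callers. The cache write is unsynchronized; presumably encode is a pure function of resolvedLabel so a concurrent recompute is harmless, but a one-line comment saying so would stop the next reader from adding a lock.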
@@ -157,6 +173,7 @@
resolvedLabel = ExpressionUtil.getExpressionValue(res, label);
if (resolvedLabel == null)
resolvedLabel = getName();
+ encodedResolvedLabel = null;
}
public List<PageNode> getChildren()
Modified:
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl
===================================================================
---
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarGroupPortlet.gtmpl 2010-03-30
09:18:21 UTC (rev 2393)
@@ -4,6 +4,7 @@
import org.exoplatform.web.application.JavascriptManager;
import org.exoplatform.portal.webui.util.Util ;
import org.exoplatform.webui.organization.OrganizationUtils;
+ import org.gatein.common.text.EntityEncoder;
def rcontext = _ctx.getRequestContext() ;
JavascriptManager jsmanager = rcontext.getJavascriptManager();
@@ -48,6 +49,8 @@
String title = "";
if(toolong) title = "title='$node.resolvedLabel'";
else title = "";
+ EntityEncoder entityEncoder = EntityEncoder.FULL;
+ label = entityEncoder.encode(label);
print """
<div class="MenuItem $tabStyleNavigation">
<div class="$clazz">
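Review bot: The title attribute assembled on L104, `title='$node.resolvedLabel'`, still interpolates the raw label even though the visible label is encoded on L107 two lines later; the same pattern survives in UIUserToolBarSitePortlet.gtmpl (hunk at L141–149). Whatever reaches the label text also reaches the title attribute whenever toolong is set, so the encoding should cover both, e.g. `if(toolong) title = "title='$node.encodedResolvedLabel'";` using the getter this commit adds to PageNode (assuming node is a PageNode in this template). The attribute is single-quoted, so this relies on EntityEncoder.FULL escaping the apostrophe — worth confirming against the encoder's table before closing the issue.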
Modified:
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarSitePortlet.gtmpl
===================================================================
---
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarSitePortlet.gtmpl 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/portlet/exoadmin/src/main/webapp/groovy/admintoolbar/webui/component/UIUserToolBarSitePortlet.gtmpl 2010-03-30
09:18:21 UTC (rev 2393)
@@ -4,6 +4,7 @@
import org.exoplatform.web.application.JavascriptManager;
import org.exoplatform.portal.webui.util.Util ;
import org.exoplatform.webui.organization.OrganizationUtils;
+ import org.gatein.common.text.EntityEncoder;
def rcontext = _ctx.getRequestContext() ;
JavascriptManager jsmanager = rcontext.getJavascriptManager();
@@ -29,9 +30,11 @@
if(isCurrent) clazz = "class='ArrowIcon'";
else clazz = "";
href = uicomponent.getPortalURI(portal);
+ EntityEncoder entityEncoder = EntityEncoder.FULL;
+ portal = entityEncoder.encode(portal);
print """
<div class="MenuItem">
- <div $clazz>
+ <div $clazz>
<a href="$href" class="ItemIcon
SiteIcon">$portal</a>
</div>
""";
@@ -82,6 +85,8 @@
String title = "";
if(toolong) title = "title='$node.resolvedLabel'";
else title = "";
+ EntityEncoder entityEncoder = EntityEncoder.FULL;
+ label = entityEncoder.encode(label);
print """
<div class="MenuItem $tabStyleNavigation">
<div class="$clazz">
Modified:
portal/trunk/portlet/web/src/main/webapp/groovy/portal/webui/component/UIPortalNavigation.gtmpl
===================================================================
---
portal/trunk/portlet/web/src/main/webapp/groovy/portal/webui/component/UIPortalNavigation.gtmpl 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/portlet/web/src/main/webapp/groovy/portal/webui/component/UIPortalNavigation.gtmpl 2010-03-30
09:18:21 UTC (rev 2393)
@@ -3,6 +3,7 @@
import org.exoplatform.portal.config.model.PageNavigation;
import org.exoplatform.web.application.JavascriptManager;
import org.exoplatform.portal.webui.util.Util;
+ import org.gatein.common.text.EntityEncoder;
def rcontext = _ctx.getRequestContext();
JavascriptManager jsmanager = rcontext.getJavascriptManager();
@@ -65,7 +66,8 @@
title = label;
label = label.substring(0,37) + "...";
}
-
+ EntityEncoder entityEncoder = EntityEncoder.FULL;
+ label = entityEncoder.encode(label);
String pageURI = Util.getPortalRequestContext().getPortalURI() + node.getUri();
if(node.pageReference != null) {
if(uicomponent.isUseAjax()) {
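Review bot: `title = label;` on L167 captures the label before it is encoded on L172, so title carries the raw text while label carries the encoded text; if title is interpolated into a title attribute further down (the rest of this block is outside the hunk), it needs the same treatment, e.g. `title = entityEncoder.encode(title);` directly after L172. Truncating on L168 before encoding on L172 is the right order, since cutting after encoding could split an entity; a short comment such as `// encode after truncation so an entity is never cut in half` would keep a later refactor from swapping the two steps. The enclosing loop starts and ends outside the hunk.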
Modified: portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIBreadcumbs.gtmpl
===================================================================
---
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIBreadcumbs.gtmpl 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UIBreadcumbs.gtmpl 2010-03-30
09:18:21 UTC (rev 2393)
@@ -2,6 +2,7 @@
import java.util.List;
import org.exoplatform.portal.webui.util.Util;
import org.exoplatform.portal.application.PortalRequestContext;
+ import org.gatein.common.text.EntityEncoder;
List list = uicomponent.getPath();
def styleBread = uicomponent.getBreadcumbsStyle();
@@ -26,9 +27,11 @@
actionLink = uicomponent.event("SelectPath", localPath.getId());
else
actionLink = portalURI + localPath.getId();
+ EntityEncoder entityEncoder = EntityEncoder.FULL;
+ String label = entityEncoder.encode(localPath.label)
if(i == list.size()-1) note = "Selected";
%>
- <a href="<%=(localPath.getId() == null) ? "#" :
actionLink%>" class="$note">$localPath.label</a>
+ <a href="<%=(localPath.getId() == null) ? "#" :
actionLink%>" class="$note">$label</a>
<%
if(i != list.size()-1) {
%>
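Review bot: The new assignment on L196, `String label = entityEncoder.encode(localPath.label)`, drops the trailing semicolon every neighbouring statement in this scriptlet carries; Groovy tolerates it, but `String label = entityEncoder.encode(localPath.label);` keeps the block consistent. localPath.label may be null for a path element without a label (not verifiable here), in which case the outcome depends on how EntityEncoder.encode treats null — worth a guard or a check of the encoder's contract. The rewritten anchor still places actionLink, built from localPath.getId() on L192–194, into href without attribute encoding; if ids can carry user-chosen characters that attribute deserves the same review as the label text. The encoder constant is fetched inside the loop on L195; a single declaration beside the import on L188 would do.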
Modified: portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UISitemapTree.gtmpl
===================================================================
---
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UISitemapTree.gtmpl 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/web/portal/src/main/webapp/groovy/webui/core/UISitemapTree.gtmpl 2010-03-30
09:18:21 UTC (rev 2393)
@@ -29,8 +29,7 @@
node = treeNode.getNode();
nav = treeNode.getNavigation();
- String label = node.resolvedLabel;
- String title = label;
+ String label = node.encodedResolvedLabel;
actionExpand = uicomponent.event("ExpandNode", nav.getId() + "::"
+ node.getUri());
def actionCollapse = "ajaxAsyncGetRequest('" +
uicomponent.url("CollapseNode",nav.getId() + "::" + node.getUri()) +
"', true)";
Modified:
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UINavigationNodeSelector.java
===================================================================
---
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UINavigationNodeSelector.java 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UINavigationNodeSelector.java 2010-03-30
09:18:21 UTC (rev 2393)
@@ -93,7 +93,7 @@
uiTree.setIcon("DefaultPageIcon");
uiTree.setSelectedIcon("DefaultPageIcon");
uiTree.setBeanIdField("uri");
- uiTree.setBeanLabelField("resolvedLabel");
+ uiTree.setBeanLabelField("encodedResolvedLabel");
uiTree.setBeanIconField("icon");
UIRightClickPopupMenu uiPopupMenu =
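Review bot: Switching the bean label field to "encodedResolvedLabel" here (and identically in UIPageNodeSelector.java at L256 and UIPortalNodeSelector.java at L273) moves the HTML-escaping responsibility into the model getter, which only holds if the UITree template prints the label field verbatim; should that template ever escape on its own, these three trees double-encode, while any other UITree fed a different bean keeps rendering unescaped. A one-line comment at each call, `// tree prints this field as raw HTML, so hand it the entity-encoded label`, records the contract the string literal silently relies on. The field name is presumably resolved reflectively, so a typo fails only at render time; the three identical literals are a candidate for one shared constant.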
Modified:
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPageNodeSelector.java
===================================================================
---
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPageNodeSelector.java 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPageNodeSelector.java 2010-03-30
09:18:21 UTC (rev 2393)
@@ -59,7 +59,7 @@
uiTree.setIcon("DefaultPageIcon");
uiTree.setSelectedIcon("DefaultPageIcon");
uiTree.setBeanIdField("uri");
- uiTree.setBeanLabelField("resolvedLabel");
+ uiTree.setBeanLabelField("encodedResolvedLabel");
uiTree.setBeanIconField("icon");
loadNavigations();
Modified:
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPortalNodeSelector.java
===================================================================
---
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPortalNodeSelector.java 2010-03-30
07:44:29 UTC (rev 2392)
+++
portal/trunk/webui/portal/src/main/java/org/exoplatform/portal/webui/navigation/UIPortalNodeSelector.java 2010-03-30
09:18:21 UTC (rev 2393)
@@ -83,7 +83,7 @@
uiTree.setIcon("DefaultPageIcon");
uiTree.setSelectedIcon("DefaultPageIcon");
uiTree.setBeanIdField("uri");
- uiTree.setBeanLabelField("resolvedLabel");
+ uiTree.setBeanLabelField("encodedResolvedLabel");
uiTree.setBeanIconField("icon");
UIRightClickPopupMenu uiPopupMenu = createUIComponent(UIRightClickPopupMenu.class,
"PortalNodePopupMenu", null);