Author: thomas.heute(a)jboss.com
Date: 2010-11-23 09:50:20 -0500 (Tue, 23 Nov 2010)
New Revision: 5227
Modified:
epp/portal/branches/EPP_5_1_Branch/webui/portal/src/main/java/org/exoplatform/portal/application/PortalRequestContext.java
Log:
JBEPP-643: XSS issues passed in URL
Modified:
epp/portal/branches/EPP_5_1_Branch/webui/portal/src/main/java/org/exoplatform/portal/application/PortalRequestContext.java
===================================================================
---
epp/portal/branches/EPP_5_1_Branch/webui/portal/src/main/java/org/exoplatform/portal/application/PortalRequestContext.java 2010-11-23
14:43:47 UTC (rev 5226)
+++
epp/portal/branches/EPP_5_1_Branch/webui/portal/src/main/java/org/exoplatform/portal/application/PortalRequestContext.java 2010-11-23
14:50:20 UTC (rev 5227)
@@ -159,16 +159,17 @@
cacheLevel_ = cache;
}
- requestURI_ = URLDecoder.decode(req.getRequestURI(), "UTF-8");
-
+ requestURI_ = req.getRequestURI();
+ String decodedURI = URLDecoder.decode(requestURI_, "UTF-8");
+
// req.getPathInfo will already have the encoding set from the server.
// We need to use the UTF-8 value since this is how we store the portal name.
// Reconstructing the getPathInfo from the non server decoded values.
String servletPath = URLDecoder.decode(req.getServletPath(), "UTF-8");
String contextPath = URLDecoder.decode(req.getContextPath(), "UTF-8");
String pathInfo = "/";
- if (requestURI_.length() > servletPath.length() + contextPath.length())
- pathInfo = requestURI_.substring(servletPath.length() + contextPath.length());
+ if (decodedURI.length() > servletPath.length() + contextPath.length())
+ pathInfo = decodedURI.substring(servletPath.length() + contextPath.length());
int colonIndex = pathInfo.indexOf("/", 1);
if (colonIndex < 0)
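Review bot: `URLDecoder.decode(requestURI_, "UTF-8")` on L23 now runs on the raw, attacker-controlled request URI and will throw `IllegalArgumentException` for a malformed escape such as `%zz` or a trailing `%`, and it also applies form-encoding rules (`+` becomes a space), which is not how a URI path is decoded; the enclosing method starts outside this hunk, so I cannot see whether that exception is caught, but a crafted URL reaching this constructor looks like an easy way to force a 500. At minimum the line deserves the comment `// form-decoding: '+' -> ' ', throws IllegalArgumentException on malformed %-escapes` and a guard that rejects or falls back on the bad input. Note also that `servletPath` on L28 is decoded again even though the container is expected to have decoded it already (the comment on L25 says as much for getPathInfo), so a servlet path containing an escaped character would be double-decoded and the length arithmetic on L33-L34 would slice `decodedURI` at the wrong offset — worth confirming against the servlet mapping in use. Finally, `portalOwner_`, `nodePath_` and `portalURI` are still derived from `decodedURI`, so this commit only protects consumers of `requestURI_`; anything that writes those three fields into markup still needs output encoding.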
@@ -178,13 +179,13 @@
portalOwner_ = pathInfo.substring(1, colonIndex);
nodePath_ = pathInfo.substring(colonIndex, pathInfo.length());
- portalURI = requestURI_.substring(0, requestURI_.lastIndexOf(nodePath_)) +
"/";
+ portalURI = decodedURI.substring(0, decodedURI.lastIndexOf(nodePath_)) +
"/";
- if (requestURI_.indexOf("/public/") >= 0)
+ if (decodedURI.indexOf("/public/") >= 0)
{
accessPath = PUBLIC_ACCESS;
}
- else if (requestURI_.indexOf("/private/") >= 0)
+ else if (decodedURI.indexOf("/private/") >= 0)
{
accessPath = PRIVATE_ACCESS;
}
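Review bot: The access-path classification on L45 and L50 is a contains test on the whole decoded URI, and `/public/` is tested first, so a request under `/private/` whose node path carries a `/public/` segment (including an encoded `%2Fpublic%2F`, which decoding now exposes) is classified as `PUBLIC_ACCESS`. Whether that is exploitable depends on what `accessPath` gates, which is outside this hunk, but the test should be positional rather than a substring search. If, as the path layout here suggests, the access segment is the servlet path, `if ("/public".equals(servletPath))` / `else if ("/private".equals(servletPath))` is the precise check; otherwise `decodedURI.startsWith(contextPath + "/public/")` is the minimal tightening. Either way the ambiguity deserves a comment explaining why the public branch is evaluated first.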