Author: thomas.heute(a)jboss.com
Date: 2009-01-31 11:06:23 -0500 (Sat, 31 Jan 2009)
New Revision: 12751
Added:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java
Log:
XSS verifications
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -24,6 +24,7 @@
import org.jboss.portal.cms.CMSException;
import org.jboss.portal.cms.Command;
+import org.jboss.portal.cms.util.NodeUtil;
import org.jboss.portal.common.invocation.InvocationContext;
import java.io.Serializable;
@@ -54,4 +55,13 @@
}
public abstract Object execute() throws CMSException;
+
+ protected void validatePath(String path)
+ {
+ boolean isValid = NodeUtil.isValidPath(path);
+ if (!isValid)
+ {
+ throw new CMSException("Path: " + path + " is not a legal path
element.");
+ }
+ }
}
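Review bot: The message built in `validatePath` concatenates the rejected `path` verbatim, so a value that failed the check because it contains markup characters travels onward inside the `CMSException` text. If any caller renders that message in a portal page without HTML-encoding (not visible in this diff), the check would pass the blocked input on to the UI. A fixed message such as `throw new CMSException("Path is not a legal path element.");`, with the raw value written only to the server log, avoids that. The method is also called from subclass constructors elsewhere in this commit, so `protected final` would stop a subclass from overriding the check. A short Javadoc stating that it throws `CMSException` when `NodeUtil.isValidPath` rejects the path would help.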
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -158,8 +158,7 @@
}
CMS cms = this.findCMSService();
- JCRCommand storeArchiveCommand = (JCRCommand)cms.getCommandFactory().
- createStoreArchiveCommand(msRootPath, archiveBytes, msLanguage);
+ JCRCommand storeArchiveCommand =
(JCRCommand)cms.getCommandFactory().createStoreArchiveCommand(msRootPath, archiveBytes,
msLanguage);
cms.execute(storeArchiveCommand);
log.info("Async Processing finished..................");
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.JCRCommandContext;
import org.jboss.portal.cms.model.File;
@@ -37,23 +36,23 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class ContentCreateCommand extends JCRCommand
+public class ContentCreateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -2843288770902185840L;
- File mFile;
public ContentCreateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
{
try
{
+ String basePath = mFile.getBasePath();
JCRCommandContext context = (JCRCommandContext)getContext();
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
Node contentNode =
fileNode.addNode(mFile.getContent().getLocale().getLanguage(),
"portalcms:content");
contentNode.setProperty("jcr:encoding", "UTF-8");
@@ -72,7 +71,7 @@
}
else
{
- String fileExt =
mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1,
mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1,
basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
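Review bot: `basePath.lastIndexOf(".")` returns -1 when the path has no dot, so `fileExt` becomes the whole path, and a dot in a parent folder name yields an "extension" that contains `/`. Taking the extension from the node name instead would make the MIME lookup depend on the file name alone, e.g. `String name = NodeUtil.getNodeName(basePath);` (presumably the last path segment) and using the text after the last dot only when `name.lastIndexOf('.') >= 0`. The second argument `basePath.length()` is redundant either way. The same expression appears in the FileUpdateAndVersionCommand and FileUpdateCommand hunks, and the enclosing `execute()` starts and ends outside this hunk.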
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -22,8 +22,10 @@
******************************************************************************/
package org.jboss.portal.cms.impl.jcr.command;
+import org.jboss.portal.cms.CMSException;
import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.util.VersionUtil;
+import org.jboss.portal.cms.util.NodeUtil;
import javax.jcr.Item;
import javax.jcr.Node;
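Review bot: The two imports added here, `org.jboss.portal.cms.CMSException` and `org.jboss.portal.cms.util.NodeUtil`, are not referenced by the constructor change in the next hunk, which only calls the inherited `validatePath`. Unless the rest of CopyCommand (not shown) uses them, they can be dropped. The `java.util.regex.Pattern` import added to StoreArchiveCommand looks to be in the same position, since the visible code there only goes through `NodeUtil.CHECK_FOR_XSS_PATTERN`.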
@@ -42,6 +44,8 @@
public CopyCommand(String sFromPath, String sToPath)
{
+ validatePath(sFromPath);
+ validatePath(sToPath);
this.msFromPath = sFromPath;
this.msToPath = sToPath;
}
Copied:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java
(from rev 12748,
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java)
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java
(rev 0)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -0,0 +1,43 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+
+package org.jboss.portal.cms.impl.jcr.command;
+
+import org.jboss.portal.cms.impl.jcr.JCRCommand;
+import org.jboss.portal.cms.model.File;
+import org.jboss.portal.common.util.ParameterValidation;
+
+/**
+ * @author <a href="mailto:chris.laprun@jboss.com">Chris
Laprun</a>
+ * @version $Revision$
+ */
+public abstract class FileBasedJCRCommand extends JCRCommand
+{
+ File mFile;
+
+ public FileBasedJCRCommand(File file)
+ {
+ ParameterValidation.throwIllegalArgExceptionIfNull(file, "file");
+ validatePath(file.getBasePath());
+ mFile = file;
+ }
+}
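Review bot: The path is checked once in the constructor, but `mFile` is a package-private, non-final field holding a caller-supplied `File`, so the value `getBasePath()` returns at `execute()` time is only as trustworthy as that object's immutability, which this diff does not show. `JCRCommand` also imports `java.io.Serializable`; if commands are ever deserialized, the constructor and its check do not run. Consider declaring the field `protected final File mFile;` and calling `validatePath(mFile.getBasePath())` again at the start of each `execute()`, or stating in the class Javadoc that validation happens at construction only. The same applies to `FolderBasedJCRCommand` and `mFolder`; both classes currently carry no description beyond the author tag.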
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -38,17 +38,15 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class FileCreateCommand extends JCRCommand
+public class FileCreateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -653823238247348749L;
private static Logger log = Logger.getLogger(FileCreateCommand.class);
-
- File mFile;
public FileCreateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
@@ -56,20 +54,15 @@
try
{
//Validate the FilePath
- boolean isValid = NodeUtil.isValidPath(mFile.getBasePath());
- if(!isValid)
- {
- throw new CMSException("Path: "+mFile.getBasePath()+" is
invalid");
- }
-
- JCRCommand existsCMD =
(JCRCommand)context.getCommandFactory().createItemExistsCommand(mFile.getBasePath());
+ String basePath = mFile.getBasePath();
+ JCRCommand existsCMD =
(JCRCommand)context.getCommandFactory().createItemExistsCommand(basePath);
Boolean bExists = (Boolean)context.execute(existsCMD);
//If fileNode exists already, ignore the creation.
if (!bExists.booleanValue())
{
- String parentPath = NodeUtil.getParentPath(mFile.getBasePath());
- String nodeName = NodeUtil.getNodeName(mFile.getBasePath());
+ String parentPath = NodeUtil.getParentPath(basePath);
+ String nodeName = NodeUtil.getNodeName(basePath);
//Make sure the Path hierarchy is complete
ResourceUtil.createParentHierarchy(context, parentPath);
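Review bot: The context line `//Validate the FilePath` stays at the top of the `try` block although this hunk removes the check it described; validation now happens in the `FileBasedJCRCommand` constructor. Drop the comment or reword it, e.g. `// basePath was validated in the FileBasedJCRCommand constructor`. `execute()` continues outside this hunk.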
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.util.VersionUtil;
import org.jboss.portal.cms.model.File;
@@ -34,11 +33,10 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FileUpdateAndVersionCommand extends JCRCommand
+public class FileUpdateAndVersionCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 882238623005109537L;
- File mFile;
boolean bMakeLive;
/**
@@ -48,7 +46,7 @@
*/
public FileUpdateAndVersionCommand(File file, boolean makeLive)
{
- this.mFile = file;
+ super(file);
this.bMakeLive = makeLive;
}
@@ -70,13 +68,14 @@
contentNode.setProperty("portalcms:size", new StringValue(String
.valueOf(mFile.getContent().getBytes().length)));
+ String basePath = mFile.getBasePath();
if (mFile.getContent().getMimeType() != null)
{
contentNode.setProperty("jcr:mimeType",
mFile.getContent().getMimeType());
}
else
{
- String fileExt =
mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1,
mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1,
basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
@@ -93,7 +92,7 @@
VersionUtil.createVersion(versionNode, this.bMakeLive);
//Update the lastModified Property of the FileNode of this content
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
fileNode.setProperty("jcr:lastModified", timestamp);
// Update the folder modified date
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.model.File;
import javax.jcr.Node;
@@ -34,12 +33,10 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FileUpdateCommand extends JCRCommand
+public class FileUpdateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 882238623005109537L;
- File mFile;
- boolean bMakeLive;
/**
* Updates a given file content in the repo, creating a new version.
@@ -48,7 +45,7 @@
*/
public FileUpdateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
@@ -69,13 +66,14 @@
contentNode.setProperty("portalcms:size", new StringValue(String
.valueOf(mFile.getContent().getBytes().length)));
+ String basePath = mFile.getBasePath();
if (mFile.getContent().getMimeType() != null)
{
contentNode.setProperty("jcr:mimeType",
mFile.getContent().getMimeType());
}
else
{
- String fileExt =
mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1,
mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1,
basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
@@ -88,7 +86,7 @@
}
//Update the lastModified Property of the FileNode of this content
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
fileNode.setProperty("jcr:lastModified", timestamp);
// Update the folder modified date
Copied:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java
(from rev 12748,
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java)
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java
(rev 0)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -0,0 +1,43 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+
+package org.jboss.portal.cms.impl.jcr.command;
+
+import org.jboss.portal.cms.impl.jcr.JCRCommand;
+import org.jboss.portal.cms.model.Folder;
+import org.jboss.portal.common.util.ParameterValidation;
+
+/**
+ * @author <a href="mailto:chris.laprun@jboss.com">Chris
Laprun</a>
+ * @version $Revision$
+ */
+public abstract class FolderBasedJCRCommand extends JCRCommand
+{
+ Folder mFolder;
+
+ public FolderBasedJCRCommand(Folder folder)
+ {
+ ParameterValidation.throwIllegalArgExceptionIfNull(folder, "folder");
+ validatePath(folder.getBasePath());
+ mFolder = folder;
+ }
+}
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -40,33 +40,25 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class FolderCreateCommand extends JCRCommand
+public class FolderCreateCommand extends FolderBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -3007711915681479942L;
private static Logger log = Logger.getLogger(FolderCreateCommand.class);
-
- Folder mFolder;
public FolderCreateCommand(Folder folder)
{
- this.mFolder = folder;
+ super(folder);
}
public Object execute()
{
try
{
- //Validate the FolderPath
- boolean isValid = NodeUtil.isValidPath(mFolder.getBasePath());
- if(!isValid)
- {
- throw new CMSException("Path: "+mFolder.getBasePath()+" is
invalid");
- }
+ String basePath = mFolder.getBasePath();
+ String parentPath = NodeUtil.getParentPath(basePath);
+ String nodeName = NodeUtil.getNodeName(basePath);
- String parentPath = NodeUtil.getParentPath(mFolder.getBasePath());
- String nodeName = NodeUtil.getNodeName(mFolder.getBasePath());
-
//Make sure the Path hierarchy is complete
ResourceUtil.createParentHierarchy(context, parentPath);
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -31,16 +31,14 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FolderUpdateCommand extends JCRCommand
+public class FolderUpdateCommand extends FolderBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 6606462970577037966L;
- Folder mFolder;
-
public FolderUpdateCommand(Folder folder)
{
- this.mFolder = folder;
+ super(folder);
}
public Object execute()
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -36,6 +36,8 @@
public MoveCommand(String sFromPath, String sToPath)
{
+ validatePath(sFromPath);
+ validatePath(sToPath);
this.msFromPath = sFromPath;
this.msToPath = sToPath;
}
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -37,6 +37,7 @@
public RenameCommand(String sPath, String sNewName)
{
+ validatePath(sNewName);
this.msPath = sPath;
this.msNewName = sNewName;
}
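Review bot: Only `sNewName` is validated here; `sPath` is stored unchecked, whereas CopyCommand and MoveCommand validate both of their arguments. If `sPath` can originate from a request, add `validatePath(sPath);` as well. Note also that `NodeUtil.isValidPath` requires a leading `/`, so this check accepts `sNewName` only when callers pass an absolute path rather than a bare node name. That is worth confirming against the callers and stating in the constructor's Javadoc.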
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -43,6 +43,7 @@
import java.util.Enumeration;
import java.util.Locale;
import java.util.StringTokenizer;
+import java.util.regex.Pattern;
/**
* Saves an uploaded archive to the repo.
@@ -62,7 +63,6 @@
/**
* @param sRootPath
- * @param is
* @param sLanguage
*/
public StoreArchiveCommand(String sRootPath, byte[] archiveBytes, String sLanguage)
@@ -88,14 +88,30 @@
while (entries.hasMoreElements())
{
zipEntry = (ZipEntry)entries.nextElement();
- String itemName = zipEntry.getName();
+
if (!zipEntry.isDirectory())
{
- this.addFile(zipFile, zipEntry);
+ String itemName = zipEntry.getName();
+ if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
+ {
+ log.info("Zip file: '" + itemName + "' is not a
valid file name. It will be skipped.");
+ }
+ else
+ {
+ this.addFile(zipFile, zipEntry);
+ }
}
else // isDirectory
{
- this.addFolder(zipEntry);
+ String itemName = zipEntry.getName();
+ if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
+ {
+ log.info("Zip file: '" + itemName + "' is not a
valid file name. It will be skipped.");
+ }
+ else
+ {
+ this.addFolder(zipEntry);
+ }
}
}
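Review bot: The name check and its log call are duplicated verbatim in the file branch and the directory branch; testing the entry name once before the `isDirectory()` split removes the duplication and keeps the two paths from drifting apart. Skipped entries are reported at `info` with the untrusted name embedded in the message; `warn` is easier to alert on, and the "Zip file:" wording is misleading for a directory entry. The pattern only rejects a few markup characters, so it does not stand in for checks on path segments such as `..` in entry names; whether `addFile`/`addFolder` handle that is not visible here. The loop sits inside a method that starts and ends outside this hunk.

```java
zipEntry = (ZipEntry)entries.nextElement();
String itemName = zipEntry.getName();
if (!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
{
   log.warn("Zip entry: '" + itemName + "' is not a valid name. It will be skipped.");
   continue;
}
if (!zipEntry.isDirectory())
{
   this.addFile(zipFile, zipEntry);
}
else // isDirectory
{
   this.addFolder(zipEntry);
}
```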
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -25,6 +25,7 @@
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
+import java.util.regex.Pattern;
/**
* Helper class for dealing with Nodes. Similar to common file utility functions, for
now
@@ -34,6 +35,7 @@
public class NodeUtil
{
public static final String PATH_SEPARATOR = "/";
+ public static final Pattern CHECK_FOR_XSS_PATTERN =
Pattern.compile("[^<>\\\\(\\\\)=]*");
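Review bot: As printed, the pattern `"[^<>\\\\(\\\\)=]*"` compiles to a character class that also excludes the backslash, because parentheses need no escaping inside `[...]`. If rejecting `\` is not intended, `Pattern.compile("[^<>()=]*")` states the rule plainly; if it is intended, a comment should say so. The constant is a short denylist that lets quotes and `&` through, so it is best documented as a defence-in-depth input filter, with HTML-encoding at render time remaining the primary control. A Javadoc line on the public constant listing the rejected characters would make that contract explicit.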
/**
* Returns the parent basePath of the Node.
@@ -91,15 +93,12 @@
*/
public static boolean isValidPath(String sPath)
{
- if ((sPath == null) ||
- (sPath.equals(PATH_SEPARATOR)) ||
- (sPath.endsWith(PATH_SEPARATOR)) ||
- (!sPath.startsWith(PATH_SEPARATOR)) ||
- (sPath.equals("")))
- {
- return false;
- }
- return true;
+ return sPath != null &&
+ !sPath.equals(PATH_SEPARATOR) &&
+ !sPath.endsWith(PATH_SEPARATOR) &&
+ sPath.startsWith(PATH_SEPARATOR) &&
+ !sPath.equals("") &&
+ CHECK_FOR_XSS_PATTERN.matcher(sPath).matches();
}
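Review bot: `!sPath.equals("")` can never decide the result, because `sPath.startsWith(PATH_SEPARATOR)` is already false for an empty string; dropping it leaves only conditions that each do something. The method's Javadoc starts above this hunk and is not shown. It should now state that paths containing characters rejected by `CHECK_FOR_XSS_PATTERN` are invalid, since `JCRCommand.validatePath` relies on this method for that.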
/**
Modified:
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java
===================================================================
---
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31
16:02:41 UTC (rev 12750)
+++
modules/cms/tags/JBP_CMS_1_2_4/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31
16:06:23 UTC (rev 12751)
@@ -63,22 +63,47 @@
public void testArchiveUpload() throws CMSException, IOException
{
//create archive
- this.runArchive();
+ this.runArchive(this.sZipFile);
this.assertArchiveUploadCreate();
//update archive
- this.runArchive();
+ this.runArchive(this.sZipFile);
this.assertArchiveUploadUpdate();
-
}
+
+ @Test
+ public void testBadArchiveUpload() throws IOException
+ {
+ this.runArchive("jcr/bad_cms.zip");
+
+ Command listCMD =
service.getCommandFactory().createFolderGetListCommand("/");
+ Folder whopper = (Folder)service.execute(listCMD);
+ List folders = whopper.getFolders();
+ List files = whopper.getFiles();
+ assertEquals("Folder Size incorrect", folders.size(), 0);
+ assertEquals("File Size incorrect", files.size(), 0);
+ }
+
+ @Test
+ public void testInternationalUpload() throws IOException
+ {
+ this.runArchive("jcr/prueba.zip");
+
+ Command listCMD =
service.getCommandFactory().createFolderGetListCommand("/prueba");
+ Folder whopper = (Folder)service.execute(listCMD);
+ List folders = whopper.getFolders();
+ List files = whopper.getFiles();
+ assertEquals("Folder Size incorrect", folders.size(), 0);
+ assertEquals("File Size incorrect", files.size(), 2);
+ }
- private void runArchive() throws IOException
+ private void runArchive(String sZipFile) throws IOException
{
service.setDefaultLocale(Locale.ENGLISH.getLanguage());
InputStream is = null;
try
{
- is =
IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(this.sZipFile));
+ is =
IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(sZipFile));
byte[] archiveBytes = IOTools.getBytes(is);
Command storearchiveCMD =
service.getCommandFactory().createStoreArchiveCommand("", archiveBytes,
"en");
service.execute(storearchiveCMD);
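Review bot: The new tests load `jcr/bad_cms.zip` and `jcr/prueba.zip`, but neither file appears in this revision's Added list, and `getResourceAsStream` returns null for a missing resource, so confirm the fixtures are committed. In both new tests the `assertEquals` arguments are in (message, actual, expected) order; `assertEquals("Folder Size incorrect", 0, folders.size());` gives a correct failure message. `testBadArchiveUpload` lists `/` and expects it to be empty, which holds only if no other test leaves content in the repository, an assumption about setup that is not visible here. `runArchive` continues past the end of this hunk.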