JBoss Portal SVN: r12750 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 11:02:41 -0500 (Sat, 31 Jan 2009)
New Revision: 12750
Modified:
branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
update error handling
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 16:02:05 UTC (rev 12749)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 16:02:41 UTC (rev 12750)
@@ -925,19 +925,6 @@
folder.setName(sFolderName);
folder.setBasePath(sNewPath);
- if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() )
- {
- // Invalid folder name
- aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR);
- aRes.setRenderParameter("path", aReq.getParameter("destination"));
-
- //used to remember the data already submitted by the user
- aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID);
- aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname"));
- aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
- return;
- }
-
try
{
Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder);
@@ -1389,7 +1376,7 @@
String sLanguage = aReq.getParameter("language");
//Perform server side data validation
- if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() )
+ if (sFileName == null || sFileName.trim().length() == 0)
{
//Validation Error occurred
//FileName should not be empty
@@ -1442,7 +1429,11 @@
Boolean bExists = null;
try
{
- bExists = (Boolean)CMSService.execute(existsCMD);
+ if (!CHECK_FOR_XSS_PATTERN.matcher(content.getBasePath()).matches())
+ {
+ throw new CMSException(content.getBasePath() + " is not a legal path element");
+ }
+ bExists = (Boolean)CMSService.execute(existsCMD);
}
catch (CMSException cme)
{
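Review bot: The path check added before the exists command throws a CMSException into the same `catch (CMSException cme)` that handles repository failures, so an invalid name now takes whatever route that handler provides (its body is outside the hunk) instead of the validation-error render parameters that the checks removed at lines 925 and 1389 used to set. The message embeds `content.getBasePath()` verbatim, and a path that fails CHECK_FOR_XSS_PATTERN contains one of the rejected characters by construction, so that handler must HTML-escape the message before rendering it. The folder-name check removed in the first hunk has no replacement in this file; unless this branch's command layer validates folder paths on save, folder creation is now unchecked — confirm. Consider `if (!CHECK_FOR_XSS_PATTERN.matcher(content.getBasePath()).matches()) { /* set the same error render parameters the removed check set */ return; }` ahead of the try, leaving the exception path for repository errors only.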
JBoss Portal SVN: r12749 - in modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr: command and 1 other directory.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 11:02:05 -0500 (Sat, 31 Jan 2009)
New Revision: 12749
Modified:
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
Log:
minor
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 16:02:05 UTC (rev 12749)
@@ -61,7 +61,7 @@
boolean isValid = NodeUtil.isValidPath(path);
if (!isValid)
{
- throw new CMSException("Path: " + path + " is invalid.");
+ throw new CMSException("Path: " + path + " is not a legal path element.");
}
}
}
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 16:02:05 UTC (rev 12749)
@@ -94,7 +94,6 @@
String itemName = zipEntry.getName();
if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
{
- System.out.println("******** itemName = " + itemName);
log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped.");
}
else
@@ -104,7 +103,15 @@
}
else // isDirectory
{
- this.addFolder(zipEntry);
+ String itemName = zipEntry.getName();
+ if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
+ {
+ log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped.");
+ }
+ else
+ {
+ this.addFolder(zipEntry);
+ }
}
}
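Review bot: The name check and its log line are now duplicated verbatim in the file and directory branches, including a second `String itemName = zipEntry.getName();` declaration; `itemName` can be read once after `nextElement()` and checked before `isDirectory()` is consulted, which keeps one copy of the skip message. The log text also says "file name" for a directory entry, which misleads anyone reading the skip log. The enclosing while loop and the `nextElement()` call are outside the hunk.
```java
zipEntry = (ZipEntry)entries.nextElement();
String itemName = zipEntry.getName();
if (!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
{
   log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped.");
}
else if (!zipEntry.isDirectory())
{
   this.addFile(zipFile, zipEntry);
}
else // isDirectory
{
   this.addFolder(zipEntry);
}
```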
JBoss Portal SVN: r12748 - in modules/cms/trunk/cms-jackrabbit/src: main/java/org/jboss/portal/cms/impl/jcr/command and 2 other directories.
by portal-commits@lists.jboss.org
Author: chris.laprun(a)jboss.com
Date: 2009-01-31 10:08:15 -0500 (Sat, 31 Jan 2009)
New Revision: 12748
Added:
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java
Modified:
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java
modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java
Log:
- Synchro commit: fail early if we try to create an invalid file or path.
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -24,6 +24,7 @@
import org.jboss.portal.cms.CMSException;
import org.jboss.portal.cms.Command;
+import org.jboss.portal.cms.util.NodeUtil;
import org.jboss.portal.common.invocation.InvocationContext;
import java.io.Serializable;
@@ -54,4 +55,13 @@
}
public abstract Object execute() throws CMSException;
+
+ protected void validatePath(String path)
+ {
+ boolean isValid = NodeUtil.isValidPath(path);
+ if (!isValid)
+ {
+ throw new CMSException("Path: " + path + " is invalid.");
+ }
+ }
}
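Review bot: `validatePath` is a protected, overridable method that this commit calls from constructors (FileBasedJCRCommand, FolderBasedJCRCommand, CopyCommand, MoveCommand, RenameCommand), and it carries no Javadoc saying that it throws. `CMSException` is thrown without a `throws` clause, so it is presumably unchecked, which means callers that only guard `execute()` will now see the failure at `new XxxCommand(...)`; that should be documented. The message embeds the rejected path verbatim, and a path rejected by CHECK_FOR_XSS_PATTERN contains one of `< > \ ( ) =` by construction, so any UI that shows the message (r12749 on this page rewords it) must escape it. Suggest `protected final void validatePath(String path)`, `if (!NodeUtil.isValidPath(path))` in place of the `isValid` local, and a Javadoc with `@throws CMSException if {@link NodeUtil#isValidPath} rejects the path; subclasses call this from their constructors, so construction itself can fail`.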
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -158,8 +158,7 @@
}
CMS cms = this.findCMSService();
- JCRCommand storeArchiveCommand = (JCRCommand)cms.getCommandFactory().
- createStoreArchiveCommand(msRootPath, archiveBytes, msLanguage);
+ JCRCommand storeArchiveCommand = (JCRCommand)cms.getCommandFactory().createStoreArchiveCommand(msRootPath, archiveBytes, msLanguage);
cms.execute(storeArchiveCommand);
log.info("Async Processing finished..................");
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.JCRCommandContext;
import org.jboss.portal.cms.model.File;
@@ -37,23 +36,23 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class ContentCreateCommand extends JCRCommand
+public class ContentCreateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -2843288770902185840L;
- File mFile;
public ContentCreateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
{
try
{
+ String basePath = mFile.getBasePath();
JCRCommandContext context = (JCRCommandContext)getContext();
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
Node contentNode = fileNode.addNode(mFile.getContent().getLocale().getLanguage(), "portalcms:content");
contentNode.setProperty("jcr:encoding", "UTF-8");
@@ -72,7 +71,7 @@
}
else
{
- String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
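Review bot: The rewritten extension line keeps the old edge cases: when `basePath` has no '.', `lastIndexOf` returns -1 and `fileExt` becomes the whole path, and a '.' in a directory segment is taken as the extension of a dot-less file; the explicit `basePath.length()` end index is redundant. Suggest `int slash = basePath.lastIndexOf('/'); int dot = basePath.lastIndexOf('.');` followed by `String fileExt = dot > slash ? basePath.substring(dot + 1) : "";`, assuming `getMimeType` treats an empty key as a miss the way it presumably does a whole path. The same line is rewritten in the FileUpdateAndVersionCommand and FileUpdateCommand hunks of this commit. The enclosing execute() starts and ends outside the hunk.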
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -22,8 +22,10 @@
******************************************************************************/
package org.jboss.portal.cms.impl.jcr.command;
+import org.jboss.portal.cms.CMSException;
import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.util.VersionUtil;
+import org.jboss.portal.cms.util.NodeUtil;
import javax.jcr.Item;
import javax.jcr.Node;
@@ -42,6 +44,8 @@
public CopyCommand(String sFromPath, String sToPath)
{
+ validatePath(sFromPath);
+ validatePath(sToPath);
this.msFromPath = sFromPath;
this.msToPath = sToPath;
}
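Review bot: The `CMSException` and `NodeUtil` imports added in the previous hunk are not referenced by the new lines, which call the inherited `validatePath`; unless the rest of the file uses them they are unused, and the MoveCommand hunk makes the same two calls without them. A constructor Javadoc line, `@throws CMSException if either path is rejected by validatePath`, would tell callers that construction can fail.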
Added: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java (rev 0)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -0,0 +1,43 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+
+package org.jboss.portal.cms.impl.jcr.command;
+
+import org.jboss.portal.cms.impl.jcr.JCRCommand;
+import org.jboss.portal.cms.model.File;
+import org.jboss.portal.common.util.ParameterValidation;
+
+/**
+ * @author <a href="mailto:chris.laprun@jboss.com">Chris Laprun</a>
+ * @version $Revision$
+ */
+public abstract class FileBasedJCRCommand extends JCRCommand
+{
+ File mFile;
+
+ public FileBasedJCRCommand(File file)
+ {
+ ParameterValidation.throwIllegalArgExceptionIfNull(file, "file");
+ validatePath(file.getBasePath());
+ mFile = file;
+ }
+}
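Review bot: `File mFile;` is a package-private, non-final field and the constructor of this abstract class is public; the subclasses in this commit only read `mFile`, so `protected final File mFile;` and `protected FileBasedJCRCommand(File file)` express the contract. The class has only an author tag; a summary line such as `Base class for commands that act on one File; the constructor rejects a null file and a base path that validatePath does not accept` is missing. The constructor also calls the overridable `validatePath` from JCRCommand, which a subclass could override to weaken the check — making it final there closes that. The same points apply to FolderBasedJCRCommand in this commit. If JCRCommand is Serializable (it imports Serializable), moving the field into this class changes the serialized form while the subclasses keep their old serialVersionUID — confirm whether that matters.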
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -38,17 +38,15 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class FileCreateCommand extends JCRCommand
+public class FileCreateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -653823238247348749L;
private static Logger log = Logger.getLogger(FileCreateCommand.class);
-
- File mFile;
public FileCreateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
@@ -56,20 +54,15 @@
try
{
//Validate the FilePath
- boolean isValid = NodeUtil.isValidPath(mFile.getBasePath());
- if(!isValid)
- {
- throw new CMSException("Path: "+mFile.getBasePath()+" is invalid");
- }
-
- JCRCommand existsCMD = (JCRCommand)context.getCommandFactory().createItemExistsCommand(mFile.getBasePath());
+ String basePath = mFile.getBasePath();
+ JCRCommand existsCMD = (JCRCommand)context.getCommandFactory().createItemExistsCommand(basePath);
Boolean bExists = (Boolean)context.execute(existsCMD);
//If fileNode exists already, ignore the creation.
if (!bExists.booleanValue())
{
- String parentPath = NodeUtil.getParentPath(mFile.getBasePath());
- String nodeName = NodeUtil.getNodeName(mFile.getBasePath());
+ String parentPath = NodeUtil.getParentPath(basePath);
+ String nodeName = NodeUtil.getNodeName(basePath);
//Make sure the Path hierarchy is complete
ResourceUtil.createParentHierarchy(context, parentPath);
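Review bot: The `//Validate the FilePath` comment is now orphaned: the lines beneath it build the exists command, and the validation moved to the FileBasedJCRCommand constructor. Replace it with `// basePath was validated by the FileBasedJCRCommand constructor` or drop it. execute() starts and ends outside the hunk.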
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.impl.jcr.util.VersionUtil;
import org.jboss.portal.cms.model.File;
@@ -34,11 +33,10 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FileUpdateAndVersionCommand extends JCRCommand
+public class FileUpdateAndVersionCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 882238623005109537L;
- File mFile;
boolean bMakeLive;
/**
@@ -48,7 +46,7 @@
*/
public FileUpdateAndVersionCommand(File file, boolean makeLive)
{
- this.mFile = file;
+ super(file);
this.bMakeLive = makeLive;
}
@@ -70,13 +68,14 @@
contentNode.setProperty("portalcms:size", new StringValue(String
.valueOf(mFile.getContent().getBytes().length)));
+ String basePath = mFile.getBasePath();
if (mFile.getContent().getMimeType() != null)
{
contentNode.setProperty("jcr:mimeType", mFile.getContent().getMimeType());
}
else
{
- String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
@@ -93,7 +92,7 @@
VersionUtil.createVersion(versionNode, this.bMakeLive);
//Update the lastModified Property of the FileNode of this content
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
fileNode.setProperty("jcr:lastModified", timestamp);
// Update the folder modified date
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.value.DateValue;
import org.apache.jackrabbit.value.StringValue;
import org.jboss.portal.cms.CMSMimeMappings;
-import org.jboss.portal.cms.impl.jcr.JCRCommand;
import org.jboss.portal.cms.model.File;
import javax.jcr.Node;
@@ -34,12 +33,10 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FileUpdateCommand extends JCRCommand
+public class FileUpdateCommand extends FileBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 882238623005109537L;
- File mFile;
- boolean bMakeLive;
/**
* Updates a given file content in the repo, creating a new version.
@@ -48,7 +45,7 @@
*/
public FileUpdateCommand(File file)
{
- this.mFile = file;
+ super(file);
}
public Object execute()
@@ -69,13 +66,14 @@
contentNode.setProperty("portalcms:size", new StringValue(String
.valueOf(mFile.getContent().getBytes().length)));
+ String basePath = mFile.getBasePath();
if (mFile.getContent().getMimeType() != null)
{
contentNode.setProperty("jcr:mimeType", mFile.getContent().getMimeType());
}
else
{
- String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length());
+ String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length());
CMSMimeMappings mapper = new CMSMimeMappings();
if (mapper.getMimeType(fileExt) != null)
{
@@ -88,7 +86,7 @@
}
//Update the lastModified Property of the FileNode of this content
- Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath());
+ Node fileNode = (Node)context.getSession().getItem(basePath);
fileNode.setProperty("jcr:lastModified", timestamp);
// Update the folder modified date
Added: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java (rev 0)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -0,0 +1,43 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+
+package org.jboss.portal.cms.impl.jcr.command;
+
+import org.jboss.portal.cms.impl.jcr.JCRCommand;
+import org.jboss.portal.cms.model.Folder;
+import org.jboss.portal.common.util.ParameterValidation;
+
+/**
+ * @author <a href="mailto:chris.laprun@jboss.com">Chris Laprun</a>
+ * @version $Revision$
+ */
+public abstract class FolderBasedJCRCommand extends JCRCommand
+{
+ Folder mFolder;
+
+ public FolderBasedJCRCommand(Folder folder)
+ {
+ ParameterValidation.throwIllegalArgExceptionIfNull(folder, "folder");
+ validatePath(folder.getBasePath());
+ mFolder = folder;
+ }
+}
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -40,33 +40,25 @@
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
* @author <a href="mailto:theute@jboss.org">Thomas Heute</a>
*/
-public class FolderCreateCommand extends JCRCommand
+public class FolderCreateCommand extends FolderBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = -3007711915681479942L;
private static Logger log = Logger.getLogger(FolderCreateCommand.class);
-
- Folder mFolder;
public FolderCreateCommand(Folder folder)
{
- this.mFolder = folder;
+ super(folder);
}
public Object execute()
{
try
{
- //Validate the FolderPath
- boolean isValid = NodeUtil.isValidPath(mFolder.getBasePath());
- if(!isValid)
- {
- throw new CMSException("Path: "+mFolder.getBasePath()+" is invalid");
- }
+ String basePath = mFolder.getBasePath();
+ String parentPath = NodeUtil.getParentPath(basePath);
+ String nodeName = NodeUtil.getNodeName(basePath);
- String parentPath = NodeUtil.getParentPath(mFolder.getBasePath());
- String nodeName = NodeUtil.getNodeName(mFolder.getBasePath());
-
//Make sure the Path hierarchy is complete
ResourceUtil.createParentHierarchy(context, parentPath);
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -31,16 +31,14 @@
import java.util.Calendar;
/** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */
-public class FolderUpdateCommand extends JCRCommand
+public class FolderUpdateCommand extends FolderBasedJCRCommand
{
/** The serialVersionUID */
private static final long serialVersionUID = 6606462970577037966L;
- Folder mFolder;
-
public FolderUpdateCommand(Folder folder)
{
- this.mFolder = folder;
+ super(folder);
}
public Object execute()
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -36,6 +36,8 @@
public MoveCommand(String sFromPath, String sToPath)
{
+ validatePath(sFromPath);
+ validatePath(sToPath);
this.msFromPath = sFromPath;
this.msToPath = sToPath;
}
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -37,6 +37,7 @@
public RenameCommand(String sPath, String sNewName)
{
+ validatePath(sNewName);
this.msPath = sPath;
this.msNewName = sNewName;
}
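Review bot: `validatePath(sNewName)` applies `NodeUtil.isValidPath`, which after this commit requires the string to start with "/" and not end with it; if `sNewName` is a bare node name, as its name suggests, every rename is rejected, and if it is a full path then `sPath` is the argument left unvalidated. Either add `validatePath(sPath);` and check the new name with `NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(sNewName).matches()` alone, or document on the constructor that `sNewName` must be an absolute path. Which of the two is intended is not visible in the hunk.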
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -43,6 +43,7 @@
import java.util.Enumeration;
import java.util.Locale;
import java.util.StringTokenizer;
+import java.util.regex.Pattern;
/**
* Saves an uploaded archive to the repo.
@@ -62,7 +63,6 @@
/**
* @param sRootPath
- * @param is
* @param sLanguage
*/
public StoreArchiveCommand(String sRootPath, byte[] archiveBytes, String sLanguage)
@@ -88,10 +88,19 @@
while (entries.hasMoreElements())
{
zipEntry = (ZipEntry)entries.nextElement();
- String itemName = zipEntry.getName();
+
if (!zipEntry.isDirectory())
{
- this.addFile(zipFile, zipEntry);
+ String itemName = zipEntry.getName();
+ if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches())
+ {
+ System.out.println("******** itemName = " + itemName);
+ log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped.");
+ }
+ else
+ {
+ this.addFile(zipFile, zipEntry);
+ }
}
else // isDirectory
{
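Review bot: `import java.util.regex.Pattern` added in this file's first hunk appears unused — the new code references `NodeUtil.CHECK_FOR_XSS_PATTERN` and never names `Pattern` itself. The `System.out.println("******** itemName = ...")` is debug output that duplicates the `log.info` line right below it and should not ship. The pattern is a character denylist, not a path check: an entry name that passes it can still carry `..` or leading-`/` segments, so the handling in `addFile`/`addFolder` (outside the hunk) decides whether such names are safe — worth a comment at the check, e.g. `// character denylist only; addFile/addFolder must reject unsafe path segments`. The else branch for directory entries continues outside the hunk.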
Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -25,6 +25,7 @@
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
+import java.util.regex.Pattern;
/**
* Helper class for dealing with Nodes. Similar to common file utility functions, for now
@@ -34,6 +35,7 @@
public class NodeUtil
{
public static final String PATH_SEPARATOR = "/";
+ public static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\\\\(\\\\)=]*");
/**
* Returns the parent basePath of the Node.
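Review bot: `CHECK_FOR_XSS_PATTERN` has no Javadoc, and its name promises more than it does: the regex `[^<>\\(\\)=]*` is a character denylist for `<`, `>`, `\`, `(`, `)` and `=` used with `matches()` over a whole name, and it accepts the empty string. Quotes, `&` and `;` all pass, so names that satisfy it still need output encoding wherever they are rendered; the constant is a repository-naming rule, not an HTML defence. Suggest the Javadoc `/** Whole-string match for names containing none of {@code < > \ ( ) =}. Accepts the empty string; callers still escape names when rendering them. */`.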
@@ -91,15 +93,12 @@
*/
public static boolean isValidPath(String sPath)
{
- if ((sPath == null) ||
- (sPath.equals(PATH_SEPARATOR)) ||
- (sPath.endsWith(PATH_SEPARATOR)) ||
- (!sPath.startsWith(PATH_SEPARATOR)) ||
- (sPath.equals("")))
- {
- return false;
- }
- return true;
+ return sPath != null &&
+ !sPath.equals(PATH_SEPARATOR) &&
+ !sPath.endsWith(PATH_SEPARATOR) &&
+ sPath.startsWith(PATH_SEPARATOR) &&
+ !sPath.equals("") &&
+ CHECK_FOR_XSS_PATTERN.matcher(sPath).matches();
}
/**
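Review bot: Two clauses in the rewritten condition are redundant: `!sPath.equals("")` is implied by `sPath.startsWith(PATH_SEPARATOR)`, and `!sPath.equals(PATH_SEPARATOR)` is implied by `!sPath.endsWith(PATH_SEPARATOR)`. The method can return `sPath != null && sPath.startsWith(PATH_SEPARATOR) && !sPath.endsWith(PATH_SEPARATOR) && CHECK_FOR_XSS_PATTERN.matcher(sPath).matches();` with identical results. The pattern check now makes this method the single naming gate for every command, so its Javadoc (above the signature, outside the hunk) should state that `.` and `..` segments and empty segments (`//`) are not rejected here.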
Modified: modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java
===================================================================
--- modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31 13:47:10 UTC (rev 12747)
+++ modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31 15:08:15 UTC (rev 12748)
@@ -63,22 +63,47 @@
public void testArchiveUpload() throws CMSException, IOException
{
//create archive
- this.runArchive();
+ this.runArchive(this.sZipFile);
this.assertArchiveUploadCreate();
//update archive
- this.runArchive();
+ this.runArchive(this.sZipFile);
this.assertArchiveUploadUpdate();
-
}
+
+ @Test
+ public void testBadArchiveUpload() throws IOException
+ {
+ this.runArchive("jcr/bad_cms.zip");
+
+ Command listCMD = service.getCommandFactory().createFolderGetListCommand("/");
+ Folder whopper = (Folder)service.execute(listCMD);
+ List folders = whopper.getFolders();
+ List files = whopper.getFiles();
+ assertEquals("Folder Size incorrect", folders.size(), 0);
+ assertEquals("File Size incorrect", files.size(), 0);
+ }
+
+ @Test
+ public void testInternationalUpload() throws IOException
+ {
+ this.runArchive("jcr/prueba.zip");
+
+ Command listCMD = service.getCommandFactory().createFolderGetListCommand("/prueba");
+ Folder whopper = (Folder)service.execute(listCMD);
+ List folders = whopper.getFolders();
+ List files = whopper.getFiles();
+ assertEquals("Folder Size incorrect", folders.size(), 0);
+ assertEquals("File Size incorrect", files.size(), 2);
+ }
- private void runArchive() throws IOException
+ private void runArchive(String sZipFile) throws IOException
{
service.setDefaultLocale(Locale.ENGLISH.getLanguage());
InputStream is = null;
try
{
- is = IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(this.sZipFile));
+ is = IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(sZipFile));
byte[] archiveBytes = IOTools.getBytes(is);
Command storearchiveCMD = service.getCommandFactory().createStoreArchiveCommand("", archiveBytes, "en");
service.execute(storearchiveCMD);
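Review bot: The new `assertEquals` calls pass the actual value before the expected one (`assertEquals("Folder Size incorrect", folders.size(), 0)`), so a failure reads "expected:<N> but was:<0>"; write `assertEquals("Folder Size incorrect", 0, folders.size());` and likewise for the other three. `testBadArchiveUpload` only checks that the root listing is empty, which also passes if `runArchive` stored nothing for an unrelated reason; asserting on what `jcr/bad_cms.zip` contains (not visible here) would pin the skip behaviour. `List folders`/`List files` are raw types — `List<Folder>`/`List<File>` if the model returns them as such. runArchive continues past the hunk.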
JBoss Portal SVN: r12747 - in tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src: resources/portal-cms-war/WEB-INF/classes and 1 other directory.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 08:47:10 -0500 (Sat, 31 Jan 2009)
New Revision: 12747
Modified:
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties
Log:
Forbid filenames and folders with < > ( )
Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:44:17 UTC (rev 12746)
+++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:47:10 UTC (rev 12747)
@@ -925,6 +925,19 @@
folder.setName(sFolderName);
folder.setBasePath(sNewPath);
+ if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() )
+ {
+ // Invalid folder name
+ aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR);
+ aRes.setRenderParameter("path", aReq.getParameter("destination"));
+
+ //used to remember the data already submitted by the user
+ aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID);
+ aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname"));
+ aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
+ return;
+ }
+
try
{
Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder);
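Review bot: The added guard runs after `folder.setName(sFolderName)` and `folder.setBasePath(sNewPath)` have already populated the folder, and `CHECK_FOR_XSS_PATTERN.matcher(sFolderName)` throws a NullPointerException when the parameter is absent unless a null check exists above the hunk, which is not visible here. Moving the block above the two setters and writing it as `if (sFolderName == null || !CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches())` keeps validation ahead of any mutation and safe for a missing parameter. Note that the pattern also accepts the empty string, so an empty folder name still passes this check. The identical hunk is committed to the branch in r12746. The enclosing method starts and ends outside the hunk.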
@@ -1376,7 +1389,7 @@
String sLanguage = aReq.getParameter("language");
//Perform server side data validation
- if (sFileName == null || sFileName.trim().length() == 0)
+ if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() )
{
//Validation Error occurred
//FileName should not be empty
@@ -1485,7 +1498,7 @@
sMakeLive = "on";
}
- if (!"".equals(sFilePath))
+ if (!"".equals(sFilePath) && !CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches())
{
String sContent = aReq.getParameter("elm1");
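Review bot: The new condition on `sFilePath` appears inverted: `!CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches()` is true only when the path contains one of the forbidden characters, whereas the two other hunks in this commit treat `!matches()` as the rejection case. If this block is the save path — it goes on to read the editor content via `aReq.getParameter("elm1")` — then clean paths now skip it and paths containing < > ( ) = are the ones processed. The test should be `if (!"".equals(sFilePath) && CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches())`, with the rejection handled in an else branch the way the @@ -1376 hunk does. The identical line is committed to the branch in r12746. The enclosing method starts and ends outside the hunk.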
Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
===================================================================
--- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:44:17 UTC (rev 12746)
+++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:47:10 UTC (rev 12747)
@@ -141,8 +141,8 @@
CMS_MISSING_DOCUMENT=404 - Page Not Found
CMS_MISSING_DOCUMENT_DESCRIPTION=The document you tried to access is not available
-CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character.
-CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character.
+CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character.
+CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character.
CMS_MSG_DESTINATION_ALREADY_EXISTS=The command was not performed, because the destination already exists.
CMS_CANT_MOVE_SAME_DESTINATION=You cannot move a folder to the same location
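Review bot: The new message text has a stray comma in `'"', '>', ,'<', '('`, which is shown literally to the user. The list also omits '=' although the pattern the code checks against, `CHECK_FOR_XSS_PATTERN` as introduced in r12745 (`[^<>\\(\\)=]*`), rejects it too, so a user entering '=' gets a message that does not explain the rejection. Suggested line: `CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '<', '>', '(', ')', '=', '|' or any whitespace character.` with the same fix applied to CMS_FOLDERNAME_INVALID. The same defect is in the Resource_it and Resource_ja hunks of this commit and in all three resource files in r12746.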
Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties
===================================================================
--- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:44:17 UTC (rev 12746)
+++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:47:10 UTC (rev 12747)
@@ -140,8 +140,8 @@
CMS_MISSING_DOCUMENT=404 - Pagina non trovata
CMS_MISSING_DOCUMENT_DESCRIPTION=Il documento a cui hai tentato di accedere non \u00e8 disponibile
-CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio.
-CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio.
+CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio.
+CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio.
CMS_MSG_DESTINATION_ALREADY_EXISTS=Il comando non pu\u00F2 essere eseguito, perch\u00e8 la destinazione esiste gi\u00e0.
CMS_CANT_MOVE_SAME_DESTINATION=Non puoi spostare la cartella nella stessa destinazione
Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties
===================================================================
--- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:44:17 UTC (rev 12746)
+++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:47:10 UTC (rev 12747)
@@ -143,8 +143,8 @@
CMS_MISSING_DOCUMENT=404 - \u30da\u30fc\u30b8\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
CMS_MISSING_DOCUMENT_DESCRIPTION=\u3042\u306a\u305f\u304c\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u6587\u66f8\u306f\u5229\u7528\u3067\u304d\u307e\u305b\u3093\u3002
-CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
-CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
+CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
+CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
CMS_MSG_DESTINATION_ALREADY_EXISTS=\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002
CMS_CANT_MOVE_SAME_DESTINATION=\u540c\u3058\u30d5\u30a9\u30eb\u30c0\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u79fb\u52d5\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002
JBoss Portal SVN: r12746 - in branches/Enterprise_Portal_Platform_4_3/core-cms/src: resources/portal-cms-war/WEB-INF/classes and 1 other directory.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 08:44:17 -0500 (Sat, 31 Jan 2009)
New Revision: 12746
Modified:
branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties
branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties
Log:
Forbid file names and folder names containing < > ( )
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:07:13 UTC (rev 12745)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:44:17 UTC (rev 12746)
@@ -925,6 +925,19 @@
folder.setName(sFolderName);
folder.setBasePath(sNewPath);
+ if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() )
+ {
+ // Invalid folder name
+ aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR);
+ aRes.setRenderParameter("path", aReq.getParameter("destination"));
+
+ //used to remember the data already submitted by the user
+ aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID);
+ aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname"));
+ aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
+ return;
+ }
+
try
{
Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder);
@@ -1376,7 +1389,7 @@
String sLanguage = aReq.getParameter("language");
//Perform server side data validation
- if (sFileName == null || sFileName.trim().length() == 0)
+ if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() )
{
//Validation Error occurred
//FileName should not be empty
@@ -1485,7 +1498,7 @@
sMakeLive = "on";
}
- if (!"".equals(sFilePath))
+ if (!"".equals(sFilePath) && !CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches())
{
String sContent = aReq.getParameter("elm1");
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 11:07:13 UTC (rev 12745)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:44:17 UTC (rev 12746)
@@ -141,8 +141,8 @@
CMS_MISSING_DOCUMENT=404 - Page Not Found
CMS_MISSING_DOCUMENT_DESCRIPTION=The document you tried to access is not available
-CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character.
-CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character.
+CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character.
+CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character.
CMS_MSG_DESTINATION_ALREADY_EXISTS=The command was not performed, because the destination already exists.
CMS_CANT_MOVE_SAME_DESTINATION=You cannot move a folder to the same location
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 11:07:13 UTC (rev 12745)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:44:17 UTC (rev 12746)
@@ -140,8 +140,8 @@
CMS_MISSING_DOCUMENT=404 - Pagina non trovata
CMS_MISSING_DOCUMENT_DESCRIPTION=Il documento a cui hai tentato di accedere non \u00e8 disponibile
-CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio.
-CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio.
+CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio.
+CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio.
CMS_MSG_DESTINATION_ALREADY_EXISTS=Il comando non pu\u00F2 essere eseguito, perch\u00e8 la destinazione esiste gi\u00e0.
CMS_CANT_MOVE_SAME_DESTINATION=Non puoi spostare la cartella nella stessa destinazione
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 11:07:13 UTC (rev 12745)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:44:17 UTC (rev 12746)
@@ -143,8 +143,8 @@
CMS_MISSING_DOCUMENT=404 - \u30da\u30fc\u30b8\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093
CMS_MISSING_DOCUMENT_DESCRIPTION=\u3042\u306a\u305f\u304c\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u6587\u66f8\u306f\u5229\u7528\u3067\u304d\u307e\u305b\u3093\u3002
-CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
-CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
+CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
+CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002
CMS_MSG_DESTINATION_ALREADY_EXISTS=\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002
CMS_CANT_MOVE_SAME_DESTINATION=\u540c\u3058\u30d5\u30a9\u30eb\u30c0\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u79fb\u52d5\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002
JBoss Portal SVN: r12745 - tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 06:07:13 -0500 (Sat, 31 Jan 2009)
New Revision: 12745
Modified:
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
Merging from branch.
Should fail on XSS attempts (proper error handling would still be required)
Requires intensive testing on CMS admin :-/
Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:03:32 UTC (rev 12744)
+++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:07:13 UTC (rev 12745)
@@ -1,6 +1,6 @@
/******************************************************************************
* JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * Copyright 2009, Red Hat Middleware, LLC, and individual *
* contributors as indicated by the @authors tag. See the *
* copyright.txt in the distribution for a full listing of *
* individual contributors. *
@@ -20,6 +20,7 @@
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
* 02110-1301 USA, or see the FSF site: http://www.fsf.org. *
******************************************************************************/
+
package org.jboss.portal.core.cms.ui.admin;
import org.apache.commons.fileupload.FileItem;
@@ -32,6 +33,7 @@
import org.jboss.portal.cms.impl.ContentImpl;
import org.jboss.portal.cms.impl.FileImpl;
import org.jboss.portal.cms.impl.FolderImpl;
+import org.jboss.portal.cms.impl.jcr.JCRCMS;
import org.jboss.portal.cms.model.Content;
import org.jboss.portal.cms.model.File;
import org.jboss.portal.cms.model.Folder;
@@ -44,9 +46,9 @@
import org.jboss.portal.cms.util.NodeUtil;
import org.jboss.portal.cms.workflow.ApprovePublish;
import org.jboss.portal.cms.workflow.CMSWorkflowUtil;
-import org.jboss.portal.cms.impl.jcr.JCRCMS;
+import org.jboss.portal.common.util.ParameterValidation;
+import org.jboss.portal.core.cms.command.StreamContentCommand;
import org.jboss.portal.core.cms.ui.Util;
-import org.jboss.portal.core.cms.command.StreamContentCommand;
import org.jboss.portal.core.controller.ControllerContext;
import org.jboss.portal.identity.AnonymousRole;
import org.jboss.portal.identity.IdentityException;
@@ -60,6 +62,7 @@
import org.jboss.portal.search.impl.jcr.JCRQuery;
import org.jboss.portal.search.impl.jcr.JCRQueryConverter;
import org.jboss.portal.security.PortalPermission;
+import org.jboss.portal.server.ParameterSanitizer;
import org.jboss.portal.server.request.URLContext;
import org.jboss.portal.server.request.URLFormat;
import org.jboss.portal.workflow.WorkflowException;
@@ -77,7 +80,8 @@
import javax.portlet.PortletSession;
import javax.portlet.UnavailableException;
import java.io.IOException;
-import java.io.InputStream;
+import java.text.Format;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
@@ -85,11 +89,10 @@
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
+import java.util.ResourceBundle;
import java.util.Set;
import java.util.Vector;
-import java.util.ResourceBundle;
-import java.text.SimpleDateFormat;
-import java.text.Format;
+import java.util.regex.Pattern;
/**
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
@@ -105,6 +108,8 @@
private ApprovePublish approvePublish;
private AuthorizationManager authorizationManager;
private ResourceBundle resources = null;
+ private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\\(\\)=]*");
+ private static final String SLASH = "/";
public void init() throws PortletException
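Review bot: `CHECK_FOR_XSS_PATTERN` is added without a comment, and its semantics are easy to misread: `[^<>\\(\\)=]*` matches any string containing none of < > ( ) =, including the empty string, so `matches()` says nothing about a value being present and every caller must null/empty-check separately. As a defense against markup injection a five-character denylist is fragile compared with an allowlist of the characters a CMS path or file name may legitimately contain, which is what the CMS_FILENAME_INVALID resource message already promises users. Suggested comment above the field: `// Matches iff the value contains none of < > ( ) =; also matches "", so callers must null/empty-check separately.`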
@@ -136,22 +141,22 @@
throw new PortletException("Authorization Service not found");
}
- this.initializeApprovePublishWorkflow();
+ this.initializeApprovePublishWorkflow();
}
-
+
/**
- *
+ *
*/
public void init(PortletConfig config) throws PortletException
{
super.init(config);
-
+
//Get the Resource Bundle for this Portlet
this.resources = config.getResourceBundle(Locale.getDefault());
}
/**
- *
+ *
*/
protected void doView(final JBossRenderRequest rReq, final JBossRenderResponse rRes)
throws PortletException, IOException, UnavailableException
@@ -161,8 +166,8 @@
String datePattern = bundle.getString(CMSAdminConstants.CMS_DATE_PATTERN);
Format dateFormat = new SimpleDateFormat(datePattern, rReq.getLocale());
rReq.setAttribute(CMSAdminConstants.DATE_FORMAT, dateFormat);
-
-
+
+
//check and make sure the CMSAdminPortlet is accessible to the current user
if (!this.isPortletAccessible(rReq))
{
@@ -202,38 +207,46 @@
{
throw new PortletException(e);
}
- }
+ }
}
-
- /**
- *
- * @param renderResponse
- * @throws IOException
- */
+
+ /** @throws IOException */
private void showAccessDeniedScreen(JBossRenderRequest rReq, JBossRenderResponse rRes) throws IOException, PortletException
{
- try
- {
- String sPath = rReq.getParameter("path");
- String sOp = rReq.getParameter("returnOp");
-
-
- rRes.setContentType("text/html");
- rReq.setAttribute("path", sPath);
- rReq.setAttribute("returnOp", sOp);
- javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp");
- prd.include(rReq, rRes);
- }
- catch(Exception e)
- {
- throw new PortletException(e);
- }
+ try
+ {
+ String sPath = rReq.getParameter("path");
+ String sOp = rReq.getParameter("returnOp");
+
+
+ rRes.setContentType("text/html");
+ rReq.setAttribute("path", sPath);
+ rReq.setAttribute("returnOp", sOp);
+ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp");
+ prd.include(rReq, rRes);
+ }
+ catch (Exception e)
+ {
+ throw new PortletException(e);
+ }
}
private void internalDoView(JBossRenderRequest rReq, JBossRenderResponse rRes)
throws CMSException, PortletException, IOException
{
String op = rReq.getParameter("op");
+ String sPath = rReq.getParameter("path");
+ if (sPath != null)
+ {
+ sPath = ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH);
+ }
+
+ String sNavPath = rReq.getParameter("navpath");
+ if (sNavPath != null)
+ {
+ sNavPath = ParameterSanitizer.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH);
+ }
+
if (op == null)
{
op = CMSAdminConstants.OP_MAIN;
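Review bot: `path` and `navpath` are now sanitized at the top of internalDoView, but the re-indented showAccessDeniedScreen above still forwards the raw `path` and `returnOp` request parameters to accessdenied.jsp via `rReq.setAttribute("path", sPath)` and `rReq.setAttribute("returnOp", sOp)`, so their safety depends entirely on the JSP escaping them. Applying the same treatment there, `sPath = sPath == null ? null : ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH);`, keeps the rule consistent; the error:* parameters echoed back to the forms in the @@ -307 and @@ -588 hunks are in the same position. Separately, if sanitizeFromPattern returns its third argument for a rejected value, as the SLASH default suggests, a rejected path silently becomes the root listing rather than an error — worth confirming that is intended. internalDoView continues past the end of the hunk.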
@@ -241,21 +254,19 @@
if (CMSAdminConstants.OP_MAIN.equals(op)) // list page.
{
- String sPath = rReq.getParameter("path");
if (sPath == null)
{
- sPath = "/";
+ sPath = SLASH;
}
-
-
+
JCRCMS.enableUISecurityFilter();
Command listCMD = CMSService.getCommandFactory().createFolderGetListCommand(sPath);
Folder mainFolder = (Folder)CMSService.execute(listCMD);
-
+
List folders = new ArrayList();
List files = new ArrayList();
-
- if(mainFolder != null)
+
+ if (mainFolder != null)
{
folders = mainFolder.getFolders();
files = mainFolder.getFiles();
@@ -263,15 +274,15 @@
else
{
Object messages = rReq.getPortletSession().getAttribute("messages");
- if(messages == null)
+ if (messages == null)
{
messages = new ArrayList();
rReq.getPortletSession().setAttribute("messages", messages);
}
-
+
((List)messages).add(this.resources.getObject("CMS_MISSING_RESOURCE"));
}
-
+
JCRCMS.disableUISecurityFilter();
rRes.setContentType("text/html");
@@ -290,13 +301,13 @@
{
rReq.setAttribute("manageWorkflowAccessible", new Boolean(false));
}
-
+
//Messages
- if(rReq.getPortletSession().getAttribute("messages") != null)
+ if (rReq.getPortletSession().getAttribute("messages") != null)
{
Object messages = rReq.getPortletSession().getAttribute("messages");
rReq.getPortletSession().removeAttribute("messages");
-
+
rReq.setAttribute("messages", messages);
}
@@ -307,42 +318,42 @@
{
try
{
- String sNavPath = rReq.getParameter("navpath");
-
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("navpath", sNavPath);
-
- String sPath = rReq.getParameter("path");
+
rRes.setContentType("text/html");
rReq.setAttribute("createpath", sPath);
-
- if (rReq.getParameter("error:message") != null)
+
+ String parameter = rReq.getParameter("error:message");
+ if (parameter != null)
{
- rReq.setAttribute("error:message", rReq.getParameter("error:message"));
+ rReq.setAttribute("error:message", parameter);
}
- if (rReq.getParameter("error:newcollectionname") != null)
+ parameter = rReq.getParameter("error:newcollectionname");
+ if (parameter != null)
{
- rReq.setAttribute("error:newcollectionname", rReq.getParameter("error:newcollectionname"));
+ rReq.setAttribute("error:newcollectionname", parameter);
}
- if (rReq.getParameter("error:newcollectiondescription") != null)
+ parameter = rReq.getParameter("error:newcollectiondescription");
+ if (parameter != null)
{
- rReq.setAttribute("error:newcollectiondescription", rReq.getParameter("error:newcollectiondescription"));
+ rReq.setAttribute("error:newcollectiondescription", parameter);
}
-
-
+
+
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcreatecollection.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
@@ -351,17 +362,15 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -370,15 +379,13 @@
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/upload.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_VIEWFILE.equals(op))
{
- String sPath = rReq.getParameter("path");
-
Command fileGetList = CMSService.getCommandFactory().createFileGetListCommand(sPath);
List contentList = (List)CMSService.execute(fileGetList);
@@ -459,17 +466,15 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -477,7 +482,7 @@
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/uploadarchive.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
@@ -486,18 +491,16 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
String sType = rReq.getParameter("type");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -506,7 +509,7 @@
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcopy.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
@@ -515,18 +518,16 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
String sType = rReq.getParameter("type");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -535,14 +536,13 @@
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmmove.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_CONFIRMDELETE.equals(op))
{
- String sPath = rReq.getParameter("path");
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmdelete.jsp");
@@ -550,18 +550,16 @@
}
else if (CMSAdminConstants.OP_EDIT_BINARY.equals(op))
{
- String sPath = rReq.getParameter("path");
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("language", rReq.getParameter("language"));
+ String language = rReq.getParameter("language");
+ ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");
+ rReq.setAttribute("language", language);
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/editbinary.jsp");
prd.include(rReq, rRes);
}
- else
- if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op))
+ else if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op))
{
- String sPath = rReq.getParameter("path");
-
// get Base for editor
StringBuffer sbUrl = new StringBuffer();
sbUrl.append(rReq.getScheme());
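Review bot: The result of `ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en")` is discarded, so `language` is still the raw request parameter when it is set as the `language` attribute on the next line; Java strings are immutable, and the internalDoView prologue in the @@ -202 hunk uses the same method by assigning its return value, so this call has no effect. It should read `language = ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");`. The same discarded-result pattern appears in the @@ -621 hunk (`sLanguage`) and the @@ -698 hunk (`sPickupFile`), the latter feeding a file path used for archive pickup. Unlike the prologue calls, none of these null-check the parameter first, so whether a missing parameter is tolerated depends on sanitizeFromPattern. The enclosing method starts and ends outside the hunk.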
@@ -588,32 +586,38 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/"));
+ rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH));
//If a validation error occurred, re-populate data already submitted
- if (rReq.getParameter("error:content") != null)
+ String parameter = rReq.getParameter("error:content");
+ if (parameter != null)
{
- rReq.setAttribute("error:content", rReq.getParameter("error:content"));
+ rReq.setAttribute("error:content", parameter);
}
- if (rReq.getParameter("error:description") != null)
+ parameter = rReq.getParameter("error:description");
+ if (parameter != null)
{
- rReq.setAttribute("error:description", rReq.getParameter("error:description"));
+ rReq.setAttribute("error:description", parameter);
}
- if (rReq.getParameter("error:title") != null)
+ parameter = rReq.getParameter("error:title");
+ if (parameter != null)
{
- rReq.setAttribute("error:title", rReq.getParameter("error:title"));
+ rReq.setAttribute("error:title", parameter);
}
- if (rReq.getParameter("error:language") != null)
+ parameter = rReq.getParameter("error:language");
+ if (parameter != null)
{
- rReq.setAttribute("error:language", rReq.getParameter("error:language"));
+ rReq.setAttribute("error:language", parameter);
}
- if (rReq.getParameter("error:filename") != null)
+ parameter = rReq.getParameter("error:filename");
+ if (parameter != null)
{
- rReq.setAttribute("error:filename", rReq.getParameter("error:filename"));
+ rReq.setAttribute("error:filename", parameter);
}
- if (rReq.getParameter("error:message") != null)
+ parameter = rReq.getParameter("error:message");
+ if (parameter != null)
{
- rReq.setAttribute("error:message", rReq.getParameter("error:message"));
+ rReq.setAttribute("error:message", parameter);
}
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/create.jsp");
@@ -621,8 +625,9 @@
}
else if (CMSAdminConstants.OP_EDIT.equals(op))
{
- String sPath = rReq.getParameter("path");
String sLanguage = rReq.getParameter("language");
+ ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");
+
String sVersion = rReq.getParameter("version");
StringBuffer sbUrl = new StringBuffer();
@@ -651,7 +656,7 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/"));
+ rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH));
Command getCommand;
@@ -680,17 +685,14 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -698,15 +700,15 @@
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/exportarchive.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op))
{
- String sPath = rReq.getParameter("path");
String sPickupFile = rReq.getParameter("filepath");
+ ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH);
rRes.setContentType("text/html");
PortletRequestDispatcher prd = null;
@@ -725,7 +727,6 @@
}
else if (CMSAdminConstants.OP_CONFIRMSECURE.equals(op))
{
- String sPath = rReq.getParameter("path");
String sConfirm = rReq.getParameter("confirm");
String returnOp = rReq.getParameter("returnOp");
@@ -786,13 +787,11 @@
else if (CMSAdminConstants.OP_VIEWPENDING.equals(op))
{
boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq);
- if(!isWorkflowManagementAccessible)
+ if (!isWorkflowManagementAccessible)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
- String sPath = rReq.getParameter("path");
if (this.getApprovePublish() != null)
{
@@ -809,30 +808,29 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
-
+
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp");
prd.include(rReq, rRes);
}
else if (CMSAdminConstants.OP_VIEWPENDINGPREVIEW.equals(op))
{
String processId = rReq.getParameter("pid");
- String path = rReq.getParameter("path");
String contentPath = rReq.getParameter("contentPath");
-
+
boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq);
- if(!isWorkflowManagementAccessible)
+ if (!isWorkflowManagementAccessible)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
- boolean hasWriteAccess = this.hasWriteAccess(rReq, path);
- if(!hasWriteAccess)
+
+ boolean hasWriteAccess = this.hasWriteAccess(rReq, sPath);
+ if (!hasWriteAccess)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
+
if (this.getApprovePublish() != null)
{
try
@@ -845,12 +843,12 @@
rReq.setAttribute("pendingQueue", null);
}
}
-
+
Content pendingContent = CMSWorkflowUtil.getPendingContent(Long.parseLong(processId), contentPath);
String viewableContent = Util.getViewableContent(rReq, rRes, pendingContent.getContentAsString());
-
+
rReq.setAttribute("pendingPreviewContent", viewableContent);
-
+
StringBuffer sbUrl = new StringBuffer();
sbUrl.append(rReq.getScheme());
sbUrl.append("://");
@@ -862,12 +860,12 @@
sbUrl.append(rReq.getServerPort());
}
rRes.setContentType("text/html");
- rReq.setAttribute("currpath", path);
- rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/"));
-
+ rReq.setAttribute("currpath", sPath);
+ rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH));
+
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp");
prd.include(rReq, rRes);
- }
+ }
}
public void processAction(final JBossActionRequest aReq, final JBossActionResponse aRes) throws PortletException
@@ -917,7 +915,7 @@
String sFolderDescription = aReq.getParameter("newcollectiondescription");
if (!"".equals(sCreatePath) && !"".equals(sFolderName))
{
- String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + "/" + sFolderName);
+ String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + SLASH + sFolderName);
Folder folder = new FolderImpl();
folder.setCreationDate(new Date());
@@ -932,9 +930,9 @@
Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder);
CMSService.execute(saveCMD);
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
- if(cme.hasPathFormatFailure())
+ if (cme.hasPathFormatFailure())
{
//Validation Error occurred
//FileName should not be empty
@@ -944,7 +942,7 @@
//used to remember the data already submitted by the user
aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID);
aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname"));
- aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
+ aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
return;
}
@@ -956,7 +954,7 @@
aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN);
aRes.setRenderParameter("path", sNewPath);
- }
+ }
else
{
//Validation Error
@@ -966,7 +964,7 @@
//used to remember the data already submitted by the user
aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID);
aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname"));
- aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
+ aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription"));
}
}
else if (CMSAdminConstants.OP_UPLOADCONTENT.equals(op))
@@ -989,6 +987,8 @@
if (!item.isFormField())
{
String sFilename = item.getName();
+ sFilename = ParameterSanitizer.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, "");
+
if (!"".equals(sFilename))
{
int backslashIndex = sFilename.lastIndexOf("\\");
@@ -998,7 +998,7 @@
}
else // unix
{
- backslashIndex = sFilename.lastIndexOf("/");
+ backslashIndex = sFilename.lastIndexOf(SLASH);
sFilename = sFilename.substring(backslashIndex + 1);
}
@@ -1016,12 +1016,12 @@
content.setMimeType("application/octet-stream");
}
- String sBasePath = FileUtil.cleanDoubleSlashes(sPath + "/" + sFilename);
+ String sBasePath = FileUtil.cleanDoubleSlashes(sPath + SLASH + sFilename);
file.setBasePath(sBasePath);
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + new Locale(sLanguage));
+ content.setBasePath(sBasePath + SLASH + new Locale(sLanguage));
content.setBytes(item.get());
file.setContent(new Locale(sLanguage), content);
@@ -1050,21 +1050,23 @@
else
{
String fieldName = item.getFieldName();
+ String itemValue = item.getString(aReq.getCharacterEncoding());
+ itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
- sPath = item.getString(aReq.getCharacterEncoding());
+ sPath = itemValue;
}
else if ("description".equals(fieldName))
{
- sDescription = item.getString(aReq.getCharacterEncoding());
+ sDescription = itemValue;
}
else if ("title".equals(fieldName))
{
- sTitle = item.getString(aReq.getCharacterEncoding());
+ sTitle = itemValue;
}
else if ("language".equals(fieldName))
{
- sLanguage = item.getString(aReq.getCharacterEncoding());
+ sLanguage = itemValue;
}
}
}
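Review bot: Defaulting to `""` at `itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");` silently blanks any rejected form field, and for the `destination` field that presumably leaves sPath empty so the upload proceeds against `sPath + SLASH + sFilename` (L1612) instead of the folder the user chose. A rejected value should surface as a validation error, as the folder-creation branch does with `aRes.setRenderParameter("error:message", ...)`, or at least `destination` should fall back to `SLASH` as the render-phase sanitization of "path" does. The same defaulting is introduced in r12742 (L2185) and r12741 (L2243). The enclosing upload loop starts and ends outside this hunk.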
@@ -1100,26 +1102,26 @@
if (!item.isFormField())
{
byte[] archiveBytes = item.get();
-
+
Command storearchiveCMD = CMSService.getCommandFactory().createAsyncStoreArchiveCommand(sPath, archiveBytes, sLanguage);
-
+
List messages = new ArrayList();
-
+
try
{
- CMSService.execute(storearchiveCMD);
+ CMSService.execute(storearchiveCMD);
messages.add(this.resources.getObject("CMS_MSG_UPLOADARCHIVE_ASYNC"));
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
String messageKey = cme.getMessageKey();
- if(messageKey != null && messageKey.trim().length() > 0)
+ if (messageKey != null && messageKey.trim().length() > 0)
{
messages.add(this.resources.getObject(messageKey));
}
}
-
-
+
+
aReq.getPortletSession().setAttribute("messages", messages);
aRes.setRenderParameter("path", FileUtil.cleanDoubleSlashes(sPath));
@@ -1134,7 +1136,7 @@
else if ("language".equals(fieldName))
{
sLanguage = item.getString(aReq.getCharacterEncoding());
- }
+ }
}
}
}
@@ -1151,27 +1153,27 @@
String sType = aReq.getParameter("type");
if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType))
{
- String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1, sFrom.length());
- sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName);
-
+ String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1, sFrom.length());
+ sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName);
+
// check if destination already exists
Command existsCMD = CMSService.getCommandFactory().createItemExistsCommand(sTo);
Boolean bExists = (Boolean)CMSService.execute(existsCMD);
- if (bExists.booleanValue())
- {
- List messages = new ArrayList();
- messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
- aReq.getPortletSession().setAttribute("messages", messages);
- try
- {
- String sParentPath = NodeUtil.getParentPath(sFrom);
- aRes.setRenderParameter("path", sParentPath);
- }
- catch (Exception e)
- {
+ if (bExists.booleanValue())
+ {
+ List messages = new ArrayList();
+ messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
+ aReq.getPortletSession().setAttribute("messages", messages);
+ try
+ {
+ String sParentPath = NodeUtil.getParentPath(sFrom);
+ aRes.setRenderParameter("path", sParentPath);
+ }
+ catch (Exception e)
+ {
- }
- return;
+ }
+ return;
}
Command copyCommand = CMSService.getCommandFactory().createCopyCommand(sFrom, sTo);
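Review bot: The `catch (Exception e) { }` around `NodeUtil.getParentPath(sFrom)` still swallows the failure, so when the parent path cannot be computed the "path" render parameter is never set and the user is redirected with an "already exists" message but no location. Elsewhere in this file the same failure falls back to the root (`parentPath = SLASH;` at L1904); mirroring that here, `catch (Exception e) { aRes.setRenderParameter("path", SLASH); }`, keeps the redirect consistent. The identical empty catch is re-indented in the move branch at L1781–L1785. The enclosing OP_COPY branch starts outside this hunk.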
@@ -1193,7 +1195,7 @@
String sTo = aReq.getParameter("destination");
String sFrom = aReq.getParameter("source");
String sType = aReq.getParameter("type");
-
+
if (sTo.startsWith(sFrom))
{
List messages = new ArrayList();
@@ -1210,33 +1212,33 @@
}
return;
}
-
+
if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType))
{
- String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1, sFrom.length());
- sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName);
-
+ String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1, sFrom.length());
+ sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName);
+
// check if destination already exists
Command existsCMD = CMSService.getCommandFactory().createItemExistsCommand(sTo);
Boolean bExists = (Boolean)CMSService.execute(existsCMD);
if (bExists.booleanValue())
- {
- List messages = new ArrayList();
- messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
- aReq.getPortletSession().setAttribute("messages", messages);
- try
- {
- String sParentPath = NodeUtil.getParentPath(sFrom);
- aRes.setRenderParameter("path", sParentPath);
- }
- catch (Exception e)
- {
+ {
+ List messages = new ArrayList();
+ messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
+ aReq.getPortletSession().setAttribute("messages", messages);
+ try
+ {
+ String sParentPath = NodeUtil.getParentPath(sFrom);
+ aRes.setRenderParameter("path", sParentPath);
+ }
+ catch (Exception e)
+ {
- }
- return;
+ }
+ return;
}
-
+
Command moveCommand = CMSService.getCommandFactory().createMoveCommand(sFrom, sTo);
CMSService.execute(moveCommand);
if ("fo".equalsIgnoreCase(sType))
@@ -1246,7 +1248,7 @@
else if ("fi".equalsIgnoreCase(sType))
{
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
- }
+ }
aRes.setRenderParameter("path", sTo);
}
@@ -1298,7 +1300,7 @@
}
else // unix
{
- backslashIndex = sFilename.lastIndexOf("/");
+ backslashIndex = sFilename.lastIndexOf(SLASH);
sFilename = sFilename.substring(backslashIndex + 1);
}
@@ -1319,7 +1321,7 @@
}
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + sLanguage);
+ content.setBasePath(sBasePath + SLASH + sLanguage);
content.setBytes(item.get());
file.setContent(new Locale(sLanguage), content);
@@ -1396,7 +1398,7 @@
if (!"".equals(sFileName) && !"".equals(sDirectory))
{
String sContent = aReq.getParameter("elm1");
- String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory + "/" + sFileName);
+ String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory + SLASH + sFileName);
File file = new FileImpl();
Content content = new ContentImpl();
@@ -1417,7 +1419,7 @@
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + new Locale(sLanguage));
+ content.setBasePath(sBasePath + SLASH + new Locale(sLanguage));
content.setBytes(sContent.getBytes());
file.setContent(new Locale(sLanguage), content);
@@ -1429,9 +1431,9 @@
{
bExists = (Boolean)CMSService.execute(existsCMD);
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
- if(cme.hasPathFormatFailure())
+ if (cme.hasPathFormatFailure())
{
//Validation Error occurred
//FileName should not be empty
@@ -1455,7 +1457,7 @@
throw cme;
}
}
-
+
if (bExists.booleanValue()) // if file exists, update contentNode
{
Command cmdUpdate = CMSService.getCommandFactory().createUpdateFileCommand(file, content, true);
@@ -1505,7 +1507,7 @@
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sFilePath + "/" + new Locale(sLanguage).getLanguage());
+ content.setBasePath(sFilePath + SLASH + new Locale(sLanguage).getLanguage());
content.setBytes(sContent.getBytes());
file.setContent(new Locale(sLanguage), content);
@@ -1585,11 +1587,11 @@
else if (CMSAdminConstants.OP_APPROVE.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String sManager = aReq.getUser().getUserName();
String sPID = aReq.getParameter("pid");
try
@@ -1619,11 +1621,11 @@
else if (CMSAdminConstants.OP_DENY.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String sManager = aReq.getUser().getUserName();
String sPID = aReq.getParameter("pid");
try
@@ -1647,45 +1649,45 @@
}
return;
}
-
+
String filePath = aReq.getParameter("path");
String parentPath = null;
try
{
parentPath = NodeUtil.getParentPath(filePath);
}
- catch(Exception e)
+ catch (Exception e)
{
- parentPath = "/";
+ parentPath = SLASH;
}
-
+
//Check if this file still exists
Command existsCmd = this.CMSService.getCommandFactory().createItemExistsCommand(filePath);
- boolean exists = ((Boolean)this.CMSService.execute(existsCmd)).booleanValue();
- if(exists)
+ boolean exists = ((Boolean)this.CMSService.execute(existsCmd)).booleanValue();
+ if (exists)
{
aRes.setRenderParameter("path", filePath);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
}
else
- {
+ {
aRes.setRenderParameter("path", parentPath);
aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN);
}
}
- else if(CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op))
+ else if (CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String modifiedContent = aReq.getParameter("elm1");
String processId = aReq.getParameter("pid");
String path = aReq.getParameter("path");
String sManager = aReq.getUser().getUserName();
-
+
try
{
//Apply this modifiedContent instead of the one published by the original author
@@ -1707,7 +1709,7 @@
aRes.setRenderParameter("op", from);
}
return;
- }
+ }
aRes.setRenderParameter("path", path);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
}
@@ -1717,13 +1719,13 @@
String language = aReq.getParameter("language");
String version = aReq.getParameter("version");
- //Perform the change in live version here
+ //Perform the change in live version here
Command makeLiveCommand = CMSService.getCommandFactory().createMakeLiveVersionCommand(path, language, version);
CMSService.execute(makeLiveCommand);
aRes.setRenderParameter("path", path);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
- }
+ }
}
else
{
@@ -1743,7 +1745,7 @@
{
if (sNavPath == null)
{
- sNavPath = "/";
+ sNavPath = SLASH;
}
Command listCMD = CMSService.getCommandFactory().createFolderGetListCommand(sNavPath);
Folder mainFolder = (Folder)CMSService.execute(listCMD);
@@ -1787,13 +1789,13 @@
(manageUsers == null || manageUsers.length == 0)
)
{
- //remove all direct permissions on this node
+ //remove all direct permissions on this node
String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);
return;
}
- //cleanup the old permissions on this node, before new ones are created
+ //cleanup the old permissions on this node, before new ones are created
String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);
@@ -1906,11 +1908,11 @@
if (portletRequest.getUserPrincipal() != null)
{
- if(portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName()))
+ if (portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName()))
{
return true;
}
-
+
//Not the Root User. so now make sure the Portlet is accessible to the User that is logged in
User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
String uri = this.authorizationManager.getProvider().getUserURI(user.getUserName());
@@ -1958,7 +1960,6 @@
}
/**
- *
* @param portletRequest
* @return
*/
@@ -2065,26 +2066,26 @@
this.setApprovePublish(null);
}
}
-
+
private void filterResourceBySecurity(List resources, PortalCMSSecurityContext securityContext)
{
-
+
}
-
+
private boolean hasWriteAccess(PortletRequest request, String path)
{
boolean hasAccess = false;
-
+
User user = null;
- if(request instanceof JBossRenderRequest)
+ if (request instanceof JBossRenderRequest)
{
user = ((JBossRenderRequest)request).getUser();
}
- else if(request instanceof JBossActionRequest)
+ else if (request instanceof JBossActionRequest)
{
user = ((JBossActionRequest)request).getUser();
}
-
+
try
{
user = userModule.findUserById(user.getId());
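Review bot: `filterResourceBySecurity(List resources, PortalCMSSecurityContext securityContext)` has an empty body, so any caller relying on it to drop resources the user may not see gets the unfiltered list back; either implement it or mark it explicitly, e.g. `// NOTE: no-op — resources are NOT filtered by security here`, so the name does not imply a check that never runs. In hasWriteAccess, `user` stays null when the request is neither a JBossRenderRequest nor a JBossActionRequest, and `user.getId()` on the last line of the hunk then throws a NullPointerException rather than denying access explicitly; an early `if (user == null) { return false; }` before the try keeps the method fail-closed with a clear result. hasWriteAccess continues outside this hunk.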
@@ -2097,11 +2098,11 @@
PortalCMSSecurityContext securityContext = new PortalCMSSecurityContext(user);
File file = new FileImpl();
file.setBasePath(path);
- securityContext.setAttribute("command", CMSService.getCommandFactory().createFileUpdateCommand(file));
+ securityContext.setAttribute("command", CMSService.getCommandFactory().createFileUpdateCommand(file));
PortalPermission cmsPermission = new CMSPermission(securityContext);
hasAccess = this.authorizationManager.checkPermission(cmsPermission);
-
+
return hasAccess;
}
}
\ No newline at end of file
JBoss Portal SVN: r12744 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 06:03:32 -0500 (Sat, 31 Jan 2009)
New Revision: 12744
Modified:
branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
regex was wrong
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 08:57:18 UTC (rev 12743)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:03:32 UTC (rev 12744)
@@ -108,7 +108,7 @@
private ApprovePublish approvePublish;
private AuthorizationManager authorizationManager;
private ResourceBundle resources = null;
- private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("^[<>\\(\\)=]");
+ private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\\(\\)=]*");
private static final String SLASH = "/";
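Review bot: The new pattern `[^<>\\(\\)=]*` only does what the commit intends when it is applied with `Matcher.matches()`; with `find()` it matches the empty prefix of every input and accepts everything, and which method ParameterSanitizer uses is not visible here. A comment on the constant would pin that contract: `// Whole-value check: accepts only values containing none of < > ( ) =; must be used with matches(), not find()`. This is also a five-character denylist, so quote characters and `&` still pass and the JSPs that render these values must output-encode them rather than treat the sanitized value as safe.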
JBoss Portal SVN: r12743 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: thomas.heute(a)jboss.com
Date: 2009-01-31 03:57:18 -0500 (Sat, 31 Jan 2009)
New Revision: 12743
Modified:
branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
minor
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:17:10 UTC (rev 12742)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 08:57:18 UTC (rev 12743)
@@ -62,6 +62,7 @@
import org.jboss.portal.search.impl.jcr.JCRQuery;
import org.jboss.portal.search.impl.jcr.JCRQueryConverter;
import org.jboss.portal.security.PortalPermission;
+import org.jboss.portal.server.ParameterSanitizer;
import org.jboss.portal.server.request.URLContext;
import org.jboss.portal.server.request.URLFormat;
import org.jboss.portal.workflow.WorkflowException;
@@ -237,13 +238,13 @@
String sPath = rReq.getParameter("path");
if (sPath != null)
{
- sPath = ParameterValidation.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH);
+ sPath = ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH);
}
String sNavPath = rReq.getParameter("navpath");
if (sNavPath != null)
{
- sNavPath = ParameterValidation.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH);
+ sNavPath = ParameterSanitizer.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH);
}
if (op == null)
@@ -552,7 +553,7 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
String language = rReq.getParameter("language");
- ParameterValidation.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");
+ ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");
rReq.setAttribute("language", language);
javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/editbinary.jsp");
prd.include(rReq, rRes);
@@ -625,7 +626,7 @@
else if (CMSAdminConstants.OP_EDIT.equals(op))
{
String sLanguage = rReq.getParameter("language");
- ParameterValidation.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");
+ ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");
String sVersion = rReq.getParameter("version");
@@ -707,7 +708,7 @@
else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op))
{
String sPickupFile = rReq.getParameter("filepath");
- ParameterValidation.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH);
+ ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH);
rRes.setContentType("text/html");
PortletRequestDispatcher prd = null;
@@ -986,7 +987,7 @@
if (!item.isFormField())
{
String sFilename = item.getName();
- sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, "");
+ sFilename = ParameterSanitizer.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, "");
if (!"".equals(sFilename))
{
@@ -1050,7 +1051,7 @@
{
String fieldName = item.getFieldName();
String itemValue = item.getString(aReq.getCharacterEncoding());
- itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");
+ itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
sPath = itemValue;
JBoss Portal SVN: r12742 - branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: chris.laprun(a)jboss.com
Date: 2009-01-30 18:17:10 -0500 (Fri, 30 Jan 2009)
New Revision: 12742
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
- Added more sanitization of parameter values. However, I am not too familiar with CMS so I am not sure what the proper behavior should be there, or if the default values that I give won't cause side-effects of their own... :(
Modified: branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:16:48 UTC (rev 12741)
+++ branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:17:10 UTC (rev 12742)
@@ -986,6 +986,8 @@
if (!item.isFormField())
{
String sFilename = item.getName();
+ sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, "");
+
if (!"".equals(sFilename))
{
int backslashIndex = sFilename.lastIndexOf("\\");
@@ -1047,21 +1049,23 @@
else
{
String fieldName = item.getFieldName();
+ String itemValue = item.getString(aReq.getCharacterEncoding());
+ itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
- sPath = item.getString(aReq.getCharacterEncoding());
+ sPath = itemValue;
}
else if ("description".equals(fieldName))
{
- sDescription = item.getString(aReq.getCharacterEncoding());
+ sDescription = itemValue;
}
else if ("title".equals(fieldName))
{
- sTitle = item.getString(aReq.getCharacterEncoding());
+ sTitle = itemValue;
}
else if ("language".equals(fieldName))
{
- sLanguage = item.getString(aReq.getCharacterEncoding());
+ sLanguage = itemValue;
}
}
}
JBoss Portal SVN: r12741 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.
by portal-commits@lists.jboss.org
Author: chris.laprun(a)jboss.com
Date: 2009-01-30 18:16:48 -0500 (Fri, 30 Jan 2009)
New Revision: 12741
Modified:
branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
- Added more sanitization of parameter values. However, I am not too familiar with CMS so I am not sure what the proper behavior should be there, or if the default values that I give won't cause side-effects of their own... :(
Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
--- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 22:45:52 UTC (rev 12740)
+++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:16:48 UTC (rev 12741)
@@ -20,6 +20,7 @@
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
* 02110-1301 USA, or see the FSF site: http://www.fsf.org. *
******************************************************************************/
+
package org.jboss.portal.core.cms.ui.admin;
import org.apache.commons.fileupload.FileItem;
@@ -985,6 +986,8 @@
if (!item.isFormField())
{
String sFilename = item.getName();
+ sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, "");
+
if (!"".equals(sFilename))
{
int backslashIndex = sFilename.lastIndexOf("\\");
@@ -1046,21 +1049,23 @@
else
{
String fieldName = item.getFieldName();
+ String itemValue = item.getString(aReq.getCharacterEncoding());
+ itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
- sPath = item.getString(aReq.getCharacterEncoding());
+ sPath = itemValue;
}
else if ("description".equals(fieldName))
{
- sDescription = item.getString(aReq.getCharacterEncoding());
+ sDescription = itemValue;
}
else if ("title".equals(fieldName))
{
- sTitle = item.getString(aReq.getCharacterEncoding());
+ sTitle = itemValue;
}
else if ("language".equals(fieldName))
{
- sLanguage = item.getString(aReq.getCharacterEncoding());
+ sLanguage = itemValue;
}
}
}
@@ -1713,7 +1718,7 @@
String language = aReq.getParameter("language");
String version = aReq.getParameter("version");
- //Perform the change in live version here
+ //Perform the change in live version here
Command makeLiveCommand = CMSService.getCommandFactory().createMakeLiveVersionCommand(path, language, version);
CMSService.execute(makeLiveCommand);
@@ -1783,13 +1788,13 @@
(manageUsers == null || manageUsers.length == 0)
)
{
- //remove all direct permissions on this node
+ //remove all direct permissions on this node
String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);
return;
}
- //cleanup the old permissions on this node, before new ones are created
+ //cleanup the old permissions on this node, before new ones are created
String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);