January 2009 - portal-commits - Jboss List Archives

JBoss Portal SVN: r12750 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 11:02:41 -0500 (Sat, 31 Jan 2009) New Revision: 12750 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: update error handling Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 16:02:05 UTC (rev 12749) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 16:02:41 UTC (rev 12750) @@ -925,19 +925,6 @@ folder.setName(sFolderName); folder.setBasePath(sNewPath); - if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() ) - { - // Invalid folder name - aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR); - aRes.setRenderParameter("path", aReq.getParameter("destination")); - - //used to remember the data already submitted by the user - aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID); - aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname")); - aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); - return; - } - try { Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder); @@ -1389,7 +1376,7 @@ String sLanguage = aReq.getParameter("language"); //Perform server side data validation - if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() ) + if (sFileName == null || sFileName.trim().length() == 0) { //Validation Error occurred //FileName should not be empty @@ -1442,7 +1429,11 @@ Boolean bExists = null; try { - bExists = (Boolean)CMSService.execute(existsCMD); + if (!CHECK_FOR_XSS_PATTERN.matcher(content.getBasePath()).matches()) + { + throw new CMSException(content.getBasePath() + " is not a legal path element"); + } + bExists = (Boolean)CMSService.execute(existsCMD); } catch (CMSException cme) {

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12749 - in modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr: command and 1 other directory.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 11:02:05 -0500 (Sat, 31 Jan 2009) New Revision: 12749 Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java Log: minor Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 16:02:05 UTC (rev 12749) @@ -61,7 +61,7 @@ boolean isValid = NodeUtil.isValidPath(path); if (!isValid) { - throw new CMSException("Path: " + path + " is invalid."); + throw new CMSException("Path: " + path + " is not a legal path element."); } } } Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 16:02:05 UTC (rev 12749) @@ -94,7 +94,6 @@ String itemName = zipEntry.getName(); if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches()) { - System.out.println("******** itemName = " + itemName); log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped."); } else @@ -104,7 +103,15 @@ } else // isDirectory { - this.addFolder(zipEntry); + String itemName = zipEntry.getName(); + if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches()) + { + log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped."); + } + else + { + this.addFolder(zipEntry); + } } }

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12748 - in modules/cms/trunk/cms-jackrabbit/src: main/java/org/jboss/portal/cms/impl/jcr/command and 2 other directories.

by portal-commits＠lists.jboss.org

Author: chris.laprun(a)jboss.com Date: 2009-01-31 10:08:15 -0500 (Sat, 31 Jan 2009) New Revision: 12748 Added: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java Log: - Synchro commit: fail early if we try to create an invalid file or path. Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/JCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -24,6 +24,7 @@ import org.jboss.portal.cms.CMSException; import org.jboss.portal.cms.Command; +import org.jboss.portal.cms.util.NodeUtil; import org.jboss.portal.common.invocation.InvocationContext; import java.io.Serializable; @@ -54,4 +55,13 @@ } public abstract Object execute() throws CMSException; + + protected void validatePath(String path) + { + boolean isValid = NodeUtil.isValidPath(path); + if (!isValid) + { + throw new CMSException("Path: " + path + " is invalid."); + } + } } Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/AsyncStoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -158,8 +158,7 @@ } CMS cms = this.findCMSService(); - JCRCommand storeArchiveCommand = (JCRCommand)cms.getCommandFactory(). - createStoreArchiveCommand(msRootPath, archiveBytes, msLanguage); + JCRCommand storeArchiveCommand = (JCRCommand)cms.getCommandFactory().createStoreArchiveCommand(msRootPath, archiveBytes, msLanguage); cms.execute(storeArchiveCommand); log.info("Async Processing finished.................."); Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/ContentCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -26,7 +26,6 @@ import org.apache.jackrabbit.value.DateValue; import org.apache.jackrabbit.value.StringValue; import org.jboss.portal.cms.CMSMimeMappings; -import org.jboss.portal.cms.impl.jcr.JCRCommand; import org.jboss.portal.cms.impl.jcr.JCRCommandContext; import org.jboss.portal.cms.model.File; @@ -37,23 +36,23 @@ * @author <a href="mailto:roy@jboss.org">Roy Russo</a> * @author <a href="mailto:theute@jboss.org">Thomas Heute</a> */ -public class ContentCreateCommand extends JCRCommand +public class ContentCreateCommand extends FileBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = -2843288770902185840L; - File mFile; public ContentCreateCommand(File file) { - this.mFile = file; + super(file); } public Object execute() { try { + String basePath = mFile.getBasePath(); JCRCommandContext context = (JCRCommandContext)getContext(); - Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath()); + Node fileNode = (Node)context.getSession().getItem(basePath); Node contentNode = fileNode.addNode(mFile.getContent().getLocale().getLanguage(), "portalcms:content"); contentNode.setProperty("jcr:encoding", "UTF-8"); @@ -72,7 +71,7 @@ } else { - String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length()); + String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length()); CMSMimeMappings mapper = new CMSMimeMappings(); if (mapper.getMimeType(fileExt) != null) { Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/CopyCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -22,8 +22,10 @@ ******************************************************************************/ package org.jboss.portal.cms.impl.jcr.command; +import org.jboss.portal.cms.CMSException; import org.jboss.portal.cms.impl.jcr.JCRCommand; import org.jboss.portal.cms.impl.jcr.util.VersionUtil; +import org.jboss.portal.cms.util.NodeUtil; import javax.jcr.Item; import javax.jcr.Node; @@ -42,6 +44,8 @@ public CopyCommand(String sFromPath, String sToPath) { + validatePath(sFromPath); + validatePath(sToPath); this.msFromPath = sFromPath; this.msToPath = sToPath; } Added: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java (rev 0) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileBasedJCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -0,0 +1,43 @@ +/* +* JBoss, a division of Red Hat +* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated +* by the @authors tag. See the copyright.txt in the distribution for a +* full listing of individual contributors. +* +* This is free software; you can redistribute it and/or modify it +* under the terms of the GNU Lesser General Public License as +* published by the Free Software Foundation; either version 2.1 of +* the License, or (at your option) any later version. +* +* This software is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this software; if not, write to the Free +* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA +* 02110-1301 USA, or see the FSF site: http://www.fsf.org. +*/ + +package org.jboss.portal.cms.impl.jcr.command; + +import org.jboss.portal.cms.impl.jcr.JCRCommand; +import org.jboss.portal.cms.model.File; +import org.jboss.portal.common.util.ParameterValidation; + +/** + * @author <a href="mailto:chris.laprun@jboss.com">Chris Laprun</a> + * @version $Revision$ + */ +public abstract class FileBasedJCRCommand extends JCRCommand +{ + File mFile; + + public FileBasedJCRCommand(File file) + { + ParameterValidation.throwIllegalArgExceptionIfNull(file, "file"); + validatePath(file.getBasePath()); + mFile = file; + } +} Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -38,17 +38,15 @@ * @author <a href="mailto:roy@jboss.org">Roy Russo</a> * @author <a href="mailto:theute@jboss.org">Thomas Heute</a> */ -public class FileCreateCommand extends JCRCommand +public class FileCreateCommand extends FileBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = -653823238247348749L; private static Logger log = Logger.getLogger(FileCreateCommand.class); - - File mFile; public FileCreateCommand(File file) { - this.mFile = file; + super(file); } public Object execute() @@ -56,20 +54,15 @@ try { //Validate the FilePath - boolean isValid = NodeUtil.isValidPath(mFile.getBasePath()); - if(!isValid) - { - throw new CMSException("Path: "+mFile.getBasePath()+" is invalid"); - } - - JCRCommand existsCMD = (JCRCommand)context.getCommandFactory().createItemExistsCommand(mFile.getBasePath()); + String basePath = mFile.getBasePath(); + JCRCommand existsCMD = (JCRCommand)context.getCommandFactory().createItemExistsCommand(basePath); Boolean bExists = (Boolean)context.execute(existsCMD); //If fileNode exists already, ignore the creation. if (!bExists.booleanValue()) { - String parentPath = NodeUtil.getParentPath(mFile.getBasePath()); - String nodeName = NodeUtil.getNodeName(mFile.getBasePath()); + String parentPath = NodeUtil.getParentPath(basePath); + String nodeName = NodeUtil.getNodeName(basePath); //Make sure the Path hierarchy is complete ResourceUtil.createParentHierarchy(context, parentPath); Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateAndVersionCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -26,7 +26,6 @@ import org.apache.jackrabbit.value.DateValue; import org.apache.jackrabbit.value.StringValue; import org.jboss.portal.cms.CMSMimeMappings; -import org.jboss.portal.cms.impl.jcr.JCRCommand; import org.jboss.portal.cms.impl.jcr.util.VersionUtil; import org.jboss.portal.cms.model.File; @@ -34,11 +33,10 @@ import java.util.Calendar; /** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */ -public class FileUpdateAndVersionCommand extends JCRCommand +public class FileUpdateAndVersionCommand extends FileBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = 882238623005109537L; - File mFile; boolean bMakeLive; /** @@ -48,7 +46,7 @@ */ public FileUpdateAndVersionCommand(File file, boolean makeLive) { - this.mFile = file; + super(file); this.bMakeLive = makeLive; } @@ -70,13 +68,14 @@ contentNode.setProperty("portalcms:size", new StringValue(String .valueOf(mFile.getContent().getBytes().length))); + String basePath = mFile.getBasePath(); if (mFile.getContent().getMimeType() != null) { contentNode.setProperty("jcr:mimeType", mFile.getContent().getMimeType()); } else { - String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length()); + String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length()); CMSMimeMappings mapper = new CMSMimeMappings(); if (mapper.getMimeType(fileExt) != null) { @@ -93,7 +92,7 @@ VersionUtil.createVersion(versionNode, this.bMakeLive); //Update the lastModified Property of the FileNode of this content - Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath()); + Node fileNode = (Node)context.getSession().getItem(basePath); fileNode.setProperty("jcr:lastModified", timestamp); // Update the folder modified date Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FileUpdateCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -26,7 +26,6 @@ import org.apache.jackrabbit.value.DateValue; import org.apache.jackrabbit.value.StringValue; import org.jboss.portal.cms.CMSMimeMappings; -import org.jboss.portal.cms.impl.jcr.JCRCommand; import org.jboss.portal.cms.model.File; import javax.jcr.Node; @@ -34,12 +33,10 @@ import java.util.Calendar; /** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */ -public class FileUpdateCommand extends JCRCommand +public class FileUpdateCommand extends FileBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = 882238623005109537L; - File mFile; - boolean bMakeLive; /** * Updates a given file content in the repo, creating a new version. @@ -48,7 +45,7 @@ */ public FileUpdateCommand(File file) { - this.mFile = file; + super(file); } public Object execute() @@ -69,13 +66,14 @@ contentNode.setProperty("portalcms:size", new StringValue(String .valueOf(mFile.getContent().getBytes().length))); + String basePath = mFile.getBasePath(); if (mFile.getContent().getMimeType() != null) { contentNode.setProperty("jcr:mimeType", mFile.getContent().getMimeType()); } else { - String fileExt = mFile.getBasePath().substring(mFile.getBasePath().lastIndexOf(".") + 1, mFile.getBasePath().length()); + String fileExt = basePath.substring(basePath.lastIndexOf(".") + 1, basePath.length()); CMSMimeMappings mapper = new CMSMimeMappings(); if (mapper.getMimeType(fileExt) != null) { @@ -88,7 +86,7 @@ } //Update the lastModified Property of the FileNode of this content - Node fileNode = (Node)context.getSession().getItem(mFile.getBasePath()); + Node fileNode = (Node)context.getSession().getItem(basePath); fileNode.setProperty("jcr:lastModified", timestamp); // Update the folder modified date Added: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java (rev 0) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderBasedJCRCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -0,0 +1,43 @@ +/* +* JBoss, a division of Red Hat +* Copyright 2008, Red Hat Middleware, LLC, and individual contributors as indicated +* by the @authors tag. See the copyright.txt in the distribution for a +* full listing of individual contributors. +* +* This is free software; you can redistribute it and/or modify it +* under the terms of the GNU Lesser General Public License as +* published by the Free Software Foundation; either version 2.1 of +* the License, or (at your option) any later version. +* +* This software is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this software; if not, write to the Free +* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA +* 02110-1301 USA, or see the FSF site: http://www.fsf.org. +*/ + +package org.jboss.portal.cms.impl.jcr.command; + +import org.jboss.portal.cms.impl.jcr.JCRCommand; +import org.jboss.portal.cms.model.Folder; +import org.jboss.portal.common.util.ParameterValidation; + +/** + * @author <a href="mailto:chris.laprun@jboss.com">Chris Laprun</a> + * @version $Revision$ + */ +public abstract class FolderBasedJCRCommand extends JCRCommand +{ + Folder mFolder; + + public FolderBasedJCRCommand(Folder folder) + { + ParameterValidation.throwIllegalArgExceptionIfNull(folder, "folder"); + validatePath(folder.getBasePath()); + mFolder = folder; + } +} Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderCreateCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -40,33 +40,25 @@ * @author <a href="mailto:roy@jboss.org">Roy Russo</a> * @author <a href="mailto:theute@jboss.org">Thomas Heute</a> */ -public class FolderCreateCommand extends JCRCommand +public class FolderCreateCommand extends FolderBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = -3007711915681479942L; private static Logger log = Logger.getLogger(FolderCreateCommand.class); - - Folder mFolder; public FolderCreateCommand(Folder folder) { - this.mFolder = folder; + super(folder); } public Object execute() { try { - //Validate the FolderPath - boolean isValid = NodeUtil.isValidPath(mFolder.getBasePath()); - if(!isValid) - { - throw new CMSException("Path: "+mFolder.getBasePath()+" is invalid"); - } + String basePath = mFolder.getBasePath(); + String parentPath = NodeUtil.getParentPath(basePath); + String nodeName = NodeUtil.getNodeName(basePath); - String parentPath = NodeUtil.getParentPath(mFolder.getBasePath()); - String nodeName = NodeUtil.getNodeName(mFolder.getBasePath()); - //Make sure the Path hierarchy is complete ResourceUtil.createParentHierarchy(context, parentPath); Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/FolderUpdateCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -31,16 +31,14 @@ import java.util.Calendar; /** @author <a href="mailto:roy@jboss.org">Roy Russo</a> */ -public class FolderUpdateCommand extends JCRCommand +public class FolderUpdateCommand extends FolderBasedJCRCommand { /** The serialVersionUID */ private static final long serialVersionUID = 6606462970577037966L; - Folder mFolder; - public FolderUpdateCommand(Folder folder) { - this.mFolder = folder; + super(folder); } public Object execute() Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/MoveCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -36,6 +36,8 @@ public MoveCommand(String sFromPath, String sToPath) { + validatePath(sFromPath); + validatePath(sToPath); this.msFromPath = sFromPath; this.msToPath = sToPath; } Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/RenameCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -37,6 +37,7 @@ public RenameCommand(String sPath, String sNewName) { + validatePath(sNewName); this.msPath = sPath; this.msNewName = sNewName; } Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/impl/jcr/command/StoreArchiveCommand.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -43,6 +43,7 @@ import java.util.Enumeration; import java.util.Locale; import java.util.StringTokenizer; +import java.util.regex.Pattern; /** * Saves an uploaded archive to the repo. @@ -62,7 +63,6 @@ /** * @param sRootPath - * @param is * @param sLanguage */ public StoreArchiveCommand(String sRootPath, byte[] archiveBytes, String sLanguage) @@ -88,10 +88,19 @@ while (entries.hasMoreElements()) { zipEntry = (ZipEntry)entries.nextElement(); - String itemName = zipEntry.getName(); + if (!zipEntry.isDirectory()) { - this.addFile(zipFile, zipEntry); + String itemName = zipEntry.getName(); + if(!NodeUtil.CHECK_FOR_XSS_PATTERN.matcher(itemName).matches()) + { + System.out.println("******** itemName = " + itemName); + log.info("Zip file: '" + itemName + "' is not a valid file name. It will be skipped."); + } + else + { + this.addFile(zipFile, zipEntry); + } } else // isDirectory { Modified: modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/main/java/org/jboss/portal/cms/util/NodeUtil.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -25,6 +25,7 @@ import javax.jcr.Node; import javax.jcr.Property; import javax.jcr.PropertyIterator; +import java.util.regex.Pattern; /** * Helper class for dealing with Nodes. Similar to common file utility functions, for now @@ -34,6 +35,7 @@ public class NodeUtil { public static final String PATH_SEPARATOR = "/"; + public static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\\\$\\\$=]*"); /** * Returns the parent basePath of the Node. @@ -91,15 +93,12 @@ */ public static boolean isValidPath(String sPath) { - if ((sPath == null) || - (sPath.equals(PATH_SEPARATOR)) || - (sPath.endsWith(PATH_SEPARATOR)) || - (!sPath.startsWith(PATH_SEPARATOR)) || - (sPath.equals(""))) - { - return false; - } - return true; + return sPath != null && + !sPath.equals(PATH_SEPARATOR) && + !sPath.endsWith(PATH_SEPARATOR) && + sPath.startsWith(PATH_SEPARATOR) && + !sPath.equals("") && + CHECK_FOR_XSS_PATTERN.matcher(sPath).matches(); } /** Modified: modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java =================================================================== --- modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31 13:47:10 UTC (rev 12747) +++ modules/cms/trunk/cms-jackrabbit/src/test/java/org/jboss/portal/cms/test/commands/TestFileArchiveUpload.java 2009-01-31 15:08:15 UTC (rev 12748) @@ -63,22 +63,47 @@ public void testArchiveUpload() throws CMSException, IOException { //create archive - this.runArchive(); + this.runArchive(this.sZipFile); this.assertArchiveUploadCreate(); //update archive - this.runArchive(); + this.runArchive(this.sZipFile); this.assertArchiveUploadUpdate(); - } + + @Test + public void testBadArchiveUpload() throws IOException + { + this.runArchive("jcr/bad_cms.zip"); + + Command listCMD = service.getCommandFactory().createFolderGetListCommand("/"); + Folder whopper = (Folder)service.execute(listCMD); + List folders = whopper.getFolders(); + List files = whopper.getFiles(); + assertEquals("Folder Size incorrect", folders.size(), 0); + assertEquals("File Size incorrect", files.size(), 0); + } + + @Test + public void testInternationalUpload() throws IOException + { + this.runArchive("jcr/prueba.zip"); + + Command listCMD = service.getCommandFactory().createFolderGetListCommand("/prueba"); + Folder whopper = (Folder)service.execute(listCMD); + List folders = whopper.getFolders(); + List files = whopper.getFiles(); + assertEquals("Folder Size incorrect", folders.size(), 0); + assertEquals("File Size incorrect", files.size(), 2); + } - private void runArchive() throws IOException + private void runArchive(String sZipFile) throws IOException { service.setDefaultLocale(Locale.ENGLISH.getLanguage()); InputStream is = null; try { - is = IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(this.sZipFile)); + is = IOTools.safeBufferedWrapper(Thread.currentThread().getContextClassLoader().getResourceAsStream(sZipFile)); byte[] archiveBytes = IOTools.getBytes(is); Command storearchiveCMD = service.getCommandFactory().createStoreArchiveCommand("", archiveBytes, "en"); service.execute(storearchiveCMD);

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12747 - in tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src: resources/portal-cms-war/WEB-INF/classes and 1 other directory.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 08:47:10 -0500 (Sat, 31 Jan 2009) New Revision: 12747 Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties Log: Forbid filenames and folders with < > ( ) Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:44:17 UTC (rev 12746) +++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:47:10 UTC (rev 12747) @@ -925,6 +925,19 @@ folder.setName(sFolderName); folder.setBasePath(sNewPath); + if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() ) + { + // Invalid folder name + aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR); + aRes.setRenderParameter("path", aReq.getParameter("destination")); + + //used to remember the data already submitted by the user + aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID); + aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname")); + aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); + return; + } + try { Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder); @@ -1376,7 +1389,7 @@ String sLanguage = aReq.getParameter("language"); //Perform server side data validation - if (sFileName == null || sFileName.trim().length() == 0) + if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() ) { //Validation Error occurred //FileName should not be empty @@ -1485,7 +1498,7 @@ sMakeLive = "on"; } - if (!"".equals(sFilePath)) + if (!"".equals(sFilePath) && !CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches()) { String sContent = aReq.getParameter("elm1"); Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties =================================================================== --- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:44:17 UTC (rev 12746) +++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:47:10 UTC (rev 12747) @@ -141,8 +141,8 @@ CMS_MISSING_DOCUMENT=404 - Page Not Found CMS_MISSING_DOCUMENT_DESCRIPTION=The document you tried to access is not available -CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character. -CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character. +CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character. +CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character. CMS_MSG_DESTINATION_ALREADY_EXISTS=The command was not performed, because the destination already exists. CMS_CANT_MOVE_SAME_DESTINATION=You cannot move a folder to the same location Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties =================================================================== --- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:44:17 UTC (rev 12746) +++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:47:10 UTC (rev 12747) @@ -140,8 +140,8 @@ CMS_MISSING_DOCUMENT=404 - Pagina non trovata CMS_MISSING_DOCUMENT_DESCRIPTION=Il documento a cui hai tentato di accedere non \u00e8 disponibile -CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio. -CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio. +CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio. +CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio. CMS_MSG_DESTINATION_ALREADY_EXISTS=Il comando non pu\u00F2 essere eseguito, perch\u00e8 la destinazione esiste gi\u00e0. CMS_CANT_MOVE_SAME_DESTINATION=Non puoi spostare la cartella nella stessa destinazione Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties =================================================================== --- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:44:17 UTC (rev 12746) +++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:47:10 UTC (rev 12747) @@ -143,8 +143,8 @@ CMS_MISSING_DOCUMENT=404 - \u30da\u30fc\u30b8\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093 CMS_MISSING_DOCUMENT_DESCRIPTION=\u3042\u306a\u305f\u304c\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u6587\u66f8\u306f\u5229\u7528\u3067\u304d\u307e\u305b\u3093\u3002 -CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 -CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 +CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 +CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 CMS_MSG_DESTINATION_ALREADY_EXISTS=\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002 CMS_CANT_MOVE_SAME_DESTINATION=\u540c\u3058\u30d5\u30a9\u30eb\u30c0\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u79fb\u52d5\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12746 - in branches/Enterprise_Portal_Platform_4_3/core-cms/src: resources/portal-cms-war/WEB-INF/classes and 1 other directory.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 08:44:17 -0500 (Sat, 31 Jan 2009) New Revision: 12746 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties Log: Forbid filenames and folders with < > ( ) Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:07:13 UTC (rev 12745) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 13:44:17 UTC (rev 12746) @@ -925,6 +925,19 @@ folder.setName(sFolderName); folder.setBasePath(sNewPath); + if (!CHECK_FOR_XSS_PATTERN.matcher(sFolderName).matches() ) + { + // Invalid folder name + aRes.setRenderParameter("op", CMSAdminConstants.OP_CONFIRM_CREATE_COLLECTION_VALIDATION_ERROR); + aRes.setRenderParameter("path", aReq.getParameter("destination")); + + //used to remember the data already submitted by the user + aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID); + aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname")); + aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); + return; + } + try { Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder); @@ -1376,7 +1389,7 @@ String sLanguage = aReq.getParameter("language"); //Perform server side data validation - if (sFileName == null || sFileName.trim().length() == 0) + if (sFileName == null || sFileName.trim().length() == 0 || !CHECK_FOR_XSS_PATTERN.matcher(sFileName).matches() ) { //Validation Error occurred //FileName should not be empty @@ -1485,7 +1498,7 @@ sMakeLive = "on"; } - if (!"".equals(sFilePath)) + if (!"".equals(sFilePath) && !CHECK_FOR_XSS_PATTERN.matcher(sFilePath).matches()) { String sContent = aReq.getParameter("elm1"); Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 11:07:13 UTC (rev 12745) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource.properties 2009-01-31 13:44:17 UTC (rev 12746) @@ -141,8 +141,8 @@ CMS_MISSING_DOCUMENT=404 - Page Not Found CMS_MISSING_DOCUMENT_DESCRIPTION=The document you tried to access is not available -CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character. -CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '|' or any whitespace character. +CMS_FILENAME_INVALID=File Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character. +CMS_FOLDERNAME_INVALID=Folder Name is invalid. It may not contain illegal characters such as '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' or any whitespace character. CMS_MSG_DESTINATION_ALREADY_EXISTS=The command was not performed, because the destination already exists. CMS_CANT_MOVE_SAME_DESTINATION=You cannot move a folder to the same location Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 11:07:13 UTC (rev 12745) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_it.properties 2009-01-31 13:44:17 UTC (rev 12746) @@ -140,8 +140,8 @@ CMS_MISSING_DOCUMENT=404 - Pagina non trovata CMS_MISSING_DOCUMENT_DESCRIPTION=Il documento a cui hai tentato di accedere non \u00e8 disponibile -CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio. -CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '|' o lo spazio. +CMS_FILENAME_INVALID=Il nome del File non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio. +CMS_FOLDERNAME_INVALID=Il nome della cartella non \u00e8 valido. Non sono permessi caratteri quali '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|' o lo spazio. CMS_MSG_DESTINATION_ALREADY_EXISTS=Il comando non pu\u00F2 essere eseguito, perch\u00e8 la destinazione esiste gi\u00e0. CMS_CANT_MOVE_SAME_DESTINATION=Non puoi spostare la cartella nella stessa destinazione Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 11:07:13 UTC (rev 12745) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/resources/portal-cms-war/WEB-INF/classes/Resource_ja.properties 2009-01-31 13:44:17 UTC (rev 12746) @@ -143,8 +143,8 @@ CMS_MISSING_DOCUMENT=404 - \u30da\u30fc\u30b8\u304c\u898b\u3064\u304b\u308a\u307e\u305b\u3093 CMS_MISSING_DOCUMENT_DESCRIPTION=\u3042\u306a\u305f\u304c\u30a2\u30af\u30bb\u30b9\u3057\u3088\u3046\u3068\u3057\u305f\u6587\u66f8\u306f\u5229\u7528\u3067\u304d\u307e\u305b\u3093\u3002 -CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 -CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 +CMS_FILENAME_INVALID=\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 +CMS_FOLDERNAME_INVALID=\u30d5\u30a9\u30eb\u30c0\u540d\u304c\u7121\u52b9\u3067\u3059\u3002\u7121\u52b9\u306a\u6587\u5b57\u5217\uff08 '.', '/', ':', '[', ']', '*', ''', '"', '>', ,'<', '(', ')', '|'\uff09\u3084\u30b9\u30da\u30fc\u30b9\u304c\u4f7f\u308f\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 CMS_MSG_DESTINATION_ALREADY_EXISTS=\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002 CMS_CANT_MOVE_SAME_DESTINATION=\u540c\u3058\u30d5\u30a9\u30eb\u30c0\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u79fb\u52d5\u3059\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3002

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12745 - tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 06:07:13 -0500 (Sat, 31 Jan 2009) New Revision: 12745 Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: Merging from branch. Should fail on XSS attempts (would require proper error handling) Requires intensive testing on CMS admin :-/ Modified: tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:03:32 UTC (rev 12744) +++ tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:07:13 UTC (rev 12745) @@ -1,6 +1,6 @@ /****************************************************************************** * JBoss, a division of Red Hat * - * Copyright 2006, Red Hat Middleware, LLC, and individual * + * Copyright 2009, Red Hat Middleware, LLC, and individual * * contributors as indicated by the @authors tag. See the * * copyright.txt in the distribution for a full listing of * * individual contributors. * @@ -20,6 +20,7 @@ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * ******************************************************************************/ + package org.jboss.portal.core.cms.ui.admin; import org.apache.commons.fileupload.FileItem; @@ -32,6 +33,7 @@ import org.jboss.portal.cms.impl.ContentImpl; import org.jboss.portal.cms.impl.FileImpl; import org.jboss.portal.cms.impl.FolderImpl; +import org.jboss.portal.cms.impl.jcr.JCRCMS; import org.jboss.portal.cms.model.Content; import org.jboss.portal.cms.model.File; import org.jboss.portal.cms.model.Folder; @@ -44,9 +46,9 @@ import org.jboss.portal.cms.util.NodeUtil; import org.jboss.portal.cms.workflow.ApprovePublish; import org.jboss.portal.cms.workflow.CMSWorkflowUtil; -import org.jboss.portal.cms.impl.jcr.JCRCMS; +import org.jboss.portal.common.util.ParameterValidation; +import org.jboss.portal.core.cms.command.StreamContentCommand; import org.jboss.portal.core.cms.ui.Util; -import org.jboss.portal.core.cms.command.StreamContentCommand; import org.jboss.portal.core.controller.ControllerContext; import org.jboss.portal.identity.AnonymousRole; import org.jboss.portal.identity.IdentityException; @@ -60,6 +62,7 @@ import org.jboss.portal.search.impl.jcr.JCRQuery; import org.jboss.portal.search.impl.jcr.JCRQueryConverter; import org.jboss.portal.security.PortalPermission; +import org.jboss.portal.server.ParameterSanitizer; import org.jboss.portal.server.request.URLContext; import org.jboss.portal.server.request.URLFormat; import org.jboss.portal.workflow.WorkflowException; @@ -77,7 +80,8 @@ import javax.portlet.PortletSession; import javax.portlet.UnavailableException; import java.io.IOException; -import java.io.InputStream; +import java.text.Format; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Collection; import java.util.Date; @@ -85,11 +89,10 @@ import java.util.Iterator; import java.util.List; import java.util.Locale; +import java.util.ResourceBundle; import java.util.Set; import java.util.Vector; -import java.util.ResourceBundle; -import java.text.SimpleDateFormat; -import java.text.Format; +import java.util.regex.Pattern; /** * @author <a href="mailto:roy@jboss.org">Roy Russo</a> @@ -105,6 +108,8 @@ private ApprovePublish approvePublish; private AuthorizationManager authorizationManager; private ResourceBundle resources = null; + private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\$\$=]*"); + private static final String SLASH = "/"; public void init() throws PortletException @@ -136,22 +141,22 @@ throw new PortletException("Authorization Service not found"); } - this.initializeApprovePublishWorkflow(); + this.initializeApprovePublishWorkflow(); } - + /** - * + * */ public void init(PortletConfig config) throws PortletException { super.init(config); - + //Get the Resource Bundle for this Portlet this.resources = config.getResourceBundle(Locale.getDefault()); } /** - * + * */ protected void doView(final JBossRenderRequest rReq, final JBossRenderResponse rRes) throws PortletException, IOException, UnavailableException @@ -161,8 +166,8 @@ String datePattern = bundle.getString(CMSAdminConstants.CMS_DATE_PATTERN); Format dateFormat = new SimpleDateFormat(datePattern, rReq.getLocale()); rReq.setAttribute(CMSAdminConstants.DATE_FORMAT, dateFormat); - - + + //check and make sure the CMSAdminPortlet is accessible to the current user if (!this.isPortletAccessible(rReq)) { @@ -202,38 +207,46 @@ { throw new PortletException(e); } - } + } } - - /** - * - * @param renderResponse - * @throws IOException - */ + + /** @throws IOException */ private void showAccessDeniedScreen(JBossRenderRequest rReq, JBossRenderResponse rRes) throws IOException, PortletException { - try - { - String sPath = rReq.getParameter("path"); - String sOp = rReq.getParameter("returnOp"); - - - rRes.setContentType("text/html"); - rReq.setAttribute("path", sPath); - rReq.setAttribute("returnOp", sOp); - javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp"); - prd.include(rReq, rRes); - } - catch(Exception e) - { - throw new PortletException(e); - } + try + { + String sPath = rReq.getParameter("path"); + String sOp = rReq.getParameter("returnOp"); + + + rRes.setContentType("text/html"); + rReq.setAttribute("path", sPath); + rReq.setAttribute("returnOp", sOp); + javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp"); + prd.include(rReq, rRes); + } + catch (Exception e) + { + throw new PortletException(e); + } } private void internalDoView(JBossRenderRequest rReq, JBossRenderResponse rRes) throws CMSException, PortletException, IOException { String op = rReq.getParameter("op"); + String sPath = rReq.getParameter("path"); + if (sPath != null) + { + sPath = ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH); + } + + String sNavPath = rReq.getParameter("navpath"); + if (sNavPath != null) + { + sNavPath = ParameterSanitizer.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH); + } + if (op == null) { op = CMSAdminConstants.OP_MAIN; @@ -241,21 +254,19 @@ if (CMSAdminConstants.OP_MAIN.equals(op)) // list page. { - String sPath = rReq.getParameter("path"); if (sPath == null) { - sPath = "/"; + sPath = SLASH; } - - + JCRCMS.enableUISecurityFilter(); Command listCMD = CMSService.getCommandFactory().createFolderGetListCommand(sPath); Folder mainFolder = (Folder)CMSService.execute(listCMD); - + List folders = new ArrayList(); List files = new ArrayList(); - - if(mainFolder != null) + + if (mainFolder != null) { folders = mainFolder.getFolders(); files = mainFolder.getFiles(); @@ -263,15 +274,15 @@ else { Object messages = rReq.getPortletSession().getAttribute("messages"); - if(messages == null) + if (messages == null) { messages = new ArrayList(); rReq.getPortletSession().setAttribute("messages", messages); } - + ((List)messages).add(this.resources.getObject("CMS_MISSING_RESOURCE")); } - + JCRCMS.disableUISecurityFilter(); rRes.setContentType("text/html"); @@ -290,13 +301,13 @@ { rReq.setAttribute("manageWorkflowAccessible", new Boolean(false)); } - + //Messages - if(rReq.getPortletSession().getAttribute("messages") != null) + if (rReq.getPortletSession().getAttribute("messages") != null) { Object messages = rReq.getPortletSession().getAttribute("messages"); rReq.getPortletSession().removeAttribute("messages"); - + rReq.setAttribute("messages", messages); } @@ -307,42 +318,42 @@ { try { - String sNavPath = rReq.getParameter("navpath"); - List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("navpath", sNavPath); - - String sPath = rReq.getParameter("path"); + rRes.setContentType("text/html"); rReq.setAttribute("createpath", sPath); - - if (rReq.getParameter("error:message") != null) + + String parameter = rReq.getParameter("error:message"); + if (parameter != null) { - rReq.setAttribute("error:message", rReq.getParameter("error:message")); + rReq.setAttribute("error:message", parameter); } - if (rReq.getParameter("error:newcollectionname") != null) + parameter = rReq.getParameter("error:newcollectionname"); + if (parameter != null) { - rReq.setAttribute("error:newcollectionname", rReq.getParameter("error:newcollectionname")); + rReq.setAttribute("error:newcollectionname", parameter); } - if (rReq.getParameter("error:newcollectiondescription") != null) + parameter = rReq.getParameter("error:newcollectiondescription"); + if (parameter != null) { - rReq.setAttribute("error:newcollectiondescription", rReq.getParameter("error:newcollectiondescription")); + rReq.setAttribute("error:newcollectiondescription", parameter); } - - + + javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcreatecollection.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } @@ -351,17 +362,15 @@ { try { - String sPath = rReq.getParameter("path"); - String sNavPath = rReq.getParameter("navpath"); - + List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -370,15 +379,13 @@ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/upload.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_VIEWFILE.equals(op)) { - String sPath = rReq.getParameter("path"); - Command fileGetList = CMSService.getCommandFactory().createFileGetListCommand(sPath); List contentList = (List)CMSService.execute(fileGetList); @@ -459,17 +466,15 @@ { try { - String sPath = rReq.getParameter("path"); - String sNavPath = rReq.getParameter("navpath"); - + List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -477,7 +482,7 @@ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/uploadarchive.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } @@ -486,18 +491,16 @@ { try { - String sPath = rReq.getParameter("path"); - String sNavPath = rReq.getParameter("navpath"); String sType = rReq.getParameter("type"); - + List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -506,7 +509,7 @@ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcopy.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } @@ -515,18 +518,16 @@ { try { - String sPath = rReq.getParameter("path"); - String sNavPath = rReq.getParameter("navpath"); String sType = rReq.getParameter("type"); - + List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -535,14 +536,13 @@ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmmove.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_CONFIRMDELETE.equals(op)) { - String sPath = rReq.getParameter("path"); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmdelete.jsp"); @@ -550,18 +550,16 @@ } else if (CMSAdminConstants.OP_EDIT_BINARY.equals(op)) { - String sPath = rReq.getParameter("path"); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("language", rReq.getParameter("language")); + String language = rReq.getParameter("language"); + ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en"); + rReq.setAttribute("language", language); javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/editbinary.jsp"); prd.include(rReq, rRes); } - else - if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op)) + else if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op)) { - String sPath = rReq.getParameter("path"); - // get Base for editor StringBuffer sbUrl = new StringBuffer(); sbUrl.append(rReq.getScheme()); @@ -588,32 +586,38 @@ rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/")); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH)); //If a validation error occurred, re-populate data already submitted - if (rReq.getParameter("error:content") != null) + String parameter = rReq.getParameter("error:content"); + if (parameter != null) { - rReq.setAttribute("error:content", rReq.getParameter("error:content")); + rReq.setAttribute("error:content", parameter); } - if (rReq.getParameter("error:description") != null) + parameter = rReq.getParameter("error:description"); + if (parameter != null) { - rReq.setAttribute("error:description", rReq.getParameter("error:description")); + rReq.setAttribute("error:description", parameter); } - if (rReq.getParameter("error:title") != null) + parameter = rReq.getParameter("error:title"); + if (parameter != null) { - rReq.setAttribute("error:title", rReq.getParameter("error:title")); + rReq.setAttribute("error:title", parameter); } - if (rReq.getParameter("error:language") != null) + parameter = rReq.getParameter("error:language"); + if (parameter != null) { - rReq.setAttribute("error:language", rReq.getParameter("error:language")); + rReq.setAttribute("error:language", parameter); } - if (rReq.getParameter("error:filename") != null) + parameter = rReq.getParameter("error:filename"); + if (parameter != null) { - rReq.setAttribute("error:filename", rReq.getParameter("error:filename")); + rReq.setAttribute("error:filename", parameter); } - if (rReq.getParameter("error:message") != null) + parameter = rReq.getParameter("error:message"); + if (parameter != null) { - rReq.setAttribute("error:message", rReq.getParameter("error:message")); + rReq.setAttribute("error:message", parameter); } javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/create.jsp"); @@ -621,8 +625,9 @@ } else if (CMSAdminConstants.OP_EDIT.equals(op)) { - String sPath = rReq.getParameter("path"); String sLanguage = rReq.getParameter("language"); + ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en"); + String sVersion = rReq.getParameter("version"); StringBuffer sbUrl = new StringBuffer(); @@ -651,7 +656,7 @@ rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/")); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH)); Command getCommand; @@ -680,17 +685,14 @@ { try { - String sPath = rReq.getParameter("path"); - String sNavPath = rReq.getParameter("navpath"); - List folders = this.getFolderList(sNavPath); - if((folders == null || folders.isEmpty()) && - (sNavPath != null && !sNavPath.equals("/"))) + if ((folders == null || folders.isEmpty()) && + (sNavPath != null && !sNavPath.equals(SLASH))) { sNavPath = NodeUtil.getParentPath(sNavPath); folders = this.getFolderList(sNavPath); } - + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -698,15 +700,15 @@ javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/exportarchive.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op)) { - String sPath = rReq.getParameter("path"); String sPickupFile = rReq.getParameter("filepath"); + ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH); rRes.setContentType("text/html"); PortletRequestDispatcher prd = null; @@ -725,7 +727,6 @@ } else if (CMSAdminConstants.OP_CONFIRMSECURE.equals(op)) { - String sPath = rReq.getParameter("path"); String sConfirm = rReq.getParameter("confirm"); String returnOp = rReq.getParameter("returnOp"); @@ -786,13 +787,11 @@ else if (CMSAdminConstants.OP_VIEWPENDING.equals(op)) { boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq); - if(!isWorkflowManagementAccessible) + if (!isWorkflowManagementAccessible) { this.showAccessDeniedScreen(rReq, rRes); return; } - - String sPath = rReq.getParameter("path"); if (this.getApprovePublish() != null) { @@ -809,30 +808,29 @@ rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - + javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp"); prd.include(rReq, rRes); } else if (CMSAdminConstants.OP_VIEWPENDINGPREVIEW.equals(op)) { String processId = rReq.getParameter("pid"); - String path = rReq.getParameter("path"); String contentPath = rReq.getParameter("contentPath"); - + boolean isWorkflowManagementAccessible = this.isWorkflowManagementAccessible(rReq); - if(!isWorkflowManagementAccessible) + if (!isWorkflowManagementAccessible) { this.showAccessDeniedScreen(rReq, rRes); return; } - - boolean hasWriteAccess = this.hasWriteAccess(rReq, path); - if(!hasWriteAccess) + + boolean hasWriteAccess = this.hasWriteAccess(rReq, sPath); + if (!hasWriteAccess) { this.showAccessDeniedScreen(rReq, rRes); return; } - + if (this.getApprovePublish() != null) { try @@ -845,12 +843,12 @@ rReq.setAttribute("pendingQueue", null); } } - + Content pendingContent = CMSWorkflowUtil.getPendingContent(Long.parseLong(processId), contentPath); String viewableContent = Util.getViewableContent(rReq, rRes, pendingContent.getContentAsString()); - + rReq.setAttribute("pendingPreviewContent", viewableContent); - + StringBuffer sbUrl = new StringBuffer(); sbUrl.append(rReq.getScheme()); sbUrl.append("://"); @@ -862,12 +860,12 @@ sbUrl.append(rReq.getServerPort()); } rRes.setContentType("text/html"); - rReq.setAttribute("currpath", path); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, "/")); - + rReq.setAttribute("currpath", sPath); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.buildURL(rReq, SLASH)); + javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp"); prd.include(rReq, rRes); - } + } } public void processAction(final JBossActionRequest aReq, final JBossActionResponse aRes) throws PortletException @@ -917,7 +915,7 @@ String sFolderDescription = aReq.getParameter("newcollectiondescription"); if (!"".equals(sCreatePath) && !"".equals(sFolderName)) { - String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + "/" + sFolderName); + String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + SLASH + sFolderName); Folder folder = new FolderImpl(); folder.setCreationDate(new Date()); @@ -932,9 +930,9 @@ Command saveCMD = CMSService.getCommandFactory().createFolderSaveCommand(folder); CMSService.execute(saveCMD); } - catch(CMSException cme) + catch (CMSException cme) { - if(cme.hasPathFormatFailure()) + if (cme.hasPathFormatFailure()) { //Validation Error occurred //FileName should not be empty @@ -944,7 +942,7 @@ //used to remember the data already submitted by the user aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID); aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname")); - aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); + aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); return; } @@ -956,7 +954,7 @@ aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN); aRes.setRenderParameter("path", sNewPath); - } + } else { //Validation Error @@ -966,7 +964,7 @@ //used to remember the data already submitted by the user aRes.setRenderParameter("error:message", CMSAdminConstants.CMS_FOLDERNAME_INVALID); aRes.setRenderParameter("error:newcollectionname", aReq.getParameter("newcollectionname")); - aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); + aRes.setRenderParameter("error:newcollectiondescription", aReq.getParameter("newcollectiondescription")); } } else if (CMSAdminConstants.OP_UPLOADCONTENT.equals(op)) @@ -989,6 +987,8 @@ if (!item.isFormField()) { String sFilename = item.getName(); + sFilename = ParameterSanitizer.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, ""); + if (!"".equals(sFilename)) { int backslashIndex = sFilename.lastIndexOf("\\"); @@ -998,7 +998,7 @@ } else // unix { - backslashIndex = sFilename.lastIndexOf("/"); + backslashIndex = sFilename.lastIndexOf(SLASH); sFilename = sFilename.substring(backslashIndex + 1); } @@ -1016,12 +1016,12 @@ content.setMimeType("application/octet-stream"); } - String sBasePath = FileUtil.cleanDoubleSlashes(sPath + "/" + sFilename); + String sBasePath = FileUtil.cleanDoubleSlashes(sPath + SLASH + sFilename); file.setBasePath(sBasePath); content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + new Locale(sLanguage)); + content.setBasePath(sBasePath + SLASH + new Locale(sLanguage)); content.setBytes(item.get()); file.setContent(new Locale(sLanguage), content); @@ -1050,21 +1050,23 @@ else { String fieldName = item.getFieldName(); + String itemValue = item.getString(aReq.getCharacterEncoding()); + itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, ""); if ("destination".equals(fieldName)) { - sPath = item.getString(aReq.getCharacterEncoding()); + sPath = itemValue; } else if ("description".equals(fieldName)) { - sDescription = item.getString(aReq.getCharacterEncoding()); + sDescription = itemValue; } else if ("title".equals(fieldName)) { - sTitle = item.getString(aReq.getCharacterEncoding()); + sTitle = itemValue; } else if ("language".equals(fieldName)) { - sLanguage = item.getString(aReq.getCharacterEncoding()); + sLanguage = itemValue; } } } @@ -1100,26 +1102,26 @@ if (!item.isFormField()) { byte[] archiveBytes = item.get(); - + Command storearchiveCMD = CMSService.getCommandFactory().createAsyncStoreArchiveCommand(sPath, archiveBytes, sLanguage); - + List messages = new ArrayList(); - + try { - CMSService.execute(storearchiveCMD); + CMSService.execute(storearchiveCMD); messages.add(this.resources.getObject("CMS_MSG_UPLOADARCHIVE_ASYNC")); } - catch(CMSException cme) + catch (CMSException cme) { String messageKey = cme.getMessageKey(); - if(messageKey != null && messageKey.trim().length() > 0) + if (messageKey != null && messageKey.trim().length() > 0) { messages.add(this.resources.getObject(messageKey)); } } - - + + aReq.getPortletSession().setAttribute("messages", messages); aRes.setRenderParameter("path", FileUtil.cleanDoubleSlashes(sPath)); @@ -1134,7 +1136,7 @@ else if ("language".equals(fieldName)) { sLanguage = item.getString(aReq.getCharacterEncoding()); - } + } } } } @@ -1151,27 +1153,27 @@ String sType = aReq.getParameter("type"); if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType)) { - String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1, sFrom.length()); - sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName); - + String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1, sFrom.length()); + sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName); + // check if destination already exists Command existsCMD = CMSService.getCommandFactory().createItemExistsCommand(sTo); Boolean bExists = (Boolean)CMSService.execute(existsCMD); - if (bExists.booleanValue()) - { - List messages = new ArrayList(); - messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS")); - aReq.getPortletSession().setAttribute("messages", messages); - try - { - String sParentPath = NodeUtil.getParentPath(sFrom); - aRes.setRenderParameter("path", sParentPath); - } - catch (Exception e) - { + if (bExists.booleanValue()) + { + List messages = new ArrayList(); + messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS")); + aReq.getPortletSession().setAttribute("messages", messages); + try + { + String sParentPath = NodeUtil.getParentPath(sFrom); + aRes.setRenderParameter("path", sParentPath); + } + catch (Exception e) + { - } - return; + } + return; } Command copyCommand = CMSService.getCommandFactory().createCopyCommand(sFrom, sTo); @@ -1193,7 +1195,7 @@ String sTo = aReq.getParameter("destination"); String sFrom = aReq.getParameter("source"); String sType = aReq.getParameter("type"); - + if (sTo.startsWith(sFrom)) { List messages = new ArrayList(); @@ -1210,33 +1212,33 @@ } return; } - + if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType)) { - String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1, sFrom.length()); - sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName); - + String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1, sFrom.length()); + sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName); + // check if destination already exists Command existsCMD = CMSService.getCommandFactory().createItemExistsCommand(sTo); Boolean bExists = (Boolean)CMSService.execute(existsCMD); if (bExists.booleanValue()) - { - List messages = new ArrayList(); - messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS")); - aReq.getPortletSession().setAttribute("messages", messages); - try - { - String sParentPath = NodeUtil.getParentPath(sFrom); - aRes.setRenderParameter("path", sParentPath); - } - catch (Exception e) - { + { + List messages = new ArrayList(); + messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS")); + aReq.getPortletSession().setAttribute("messages", messages); + try + { + String sParentPath = NodeUtil.getParentPath(sFrom); + aRes.setRenderParameter("path", sParentPath); + } + catch (Exception e) + { - } - return; + } + return; } - + Command moveCommand = CMSService.getCommandFactory().createMoveCommand(sFrom, sTo); CMSService.execute(moveCommand); if ("fo".equalsIgnoreCase(sType)) @@ -1246,7 +1248,7 @@ else if ("fi".equalsIgnoreCase(sType)) { aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); - } + } aRes.setRenderParameter("path", sTo); } @@ -1298,7 +1300,7 @@ } else // unix { - backslashIndex = sFilename.lastIndexOf("/"); + backslashIndex = sFilename.lastIndexOf(SLASH); sFilename = sFilename.substring(backslashIndex + 1); } @@ -1319,7 +1321,7 @@ } content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + sLanguage); + content.setBasePath(sBasePath + SLASH + sLanguage); content.setBytes(item.get()); file.setContent(new Locale(sLanguage), content); @@ -1396,7 +1398,7 @@ if (!"".equals(sFileName) && !"".equals(sDirectory)) { String sContent = aReq.getParameter("elm1"); - String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory + "/" + sFileName); + String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory + SLASH + sFileName); File file = new FileImpl(); Content content = new ContentImpl(); @@ -1417,7 +1419,7 @@ content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + new Locale(sLanguage)); + content.setBasePath(sBasePath + SLASH + new Locale(sLanguage)); content.setBytes(sContent.getBytes()); file.setContent(new Locale(sLanguage), content); @@ -1429,9 +1431,9 @@ { bExists = (Boolean)CMSService.execute(existsCMD); } - catch(CMSException cme) + catch (CMSException cme) { - if(cme.hasPathFormatFailure()) + if (cme.hasPathFormatFailure()) { //Validation Error occurred //FileName should not be empty @@ -1455,7 +1457,7 @@ throw cme; } } - + if (bExists.booleanValue()) // if file exists, update contentNode { Command cmdUpdate = CMSService.getCommandFactory().createUpdateFileCommand(file, content, true); @@ -1505,7 +1507,7 @@ content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sFilePath + "/" + new Locale(sLanguage).getLanguage()); + content.setBasePath(sFilePath + SLASH + new Locale(sLanguage).getLanguage()); content.setBytes(sContent.getBytes()); file.setContent(new Locale(sLanguage), content); @@ -1585,11 +1587,11 @@ else if (CMSAdminConstants.OP_APPROVE.equals(op)) { boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - + String sManager = aReq.getUser().getUserName(); String sPID = aReq.getParameter("pid"); try @@ -1619,11 +1621,11 @@ else if (CMSAdminConstants.OP_DENY.equals(op)) { boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - + String sManager = aReq.getUser().getUserName(); String sPID = aReq.getParameter("pid"); try @@ -1647,45 +1649,45 @@ } return; } - + String filePath = aReq.getParameter("path"); String parentPath = null; try { parentPath = NodeUtil.getParentPath(filePath); } - catch(Exception e) + catch (Exception e) { - parentPath = "/"; + parentPath = SLASH; } - + //Check if this file still exists Command existsCmd = this.CMSService.getCommandFactory().createItemExistsCommand(filePath); - boolean exists = ((Boolean)this.CMSService.execute(existsCmd)).booleanValue(); - if(exists) + boolean exists = ((Boolean)this.CMSService.execute(existsCmd)).booleanValue(); + if (exists) { aRes.setRenderParameter("path", filePath); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); } else - { + { aRes.setRenderParameter("path", parentPath); aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN); } } - else if(CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op)) + else if (CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op)) { boolean hasWriteAccess = this.hasWriteAccess(aReq, aReq.getParameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - + String modifiedContent = aReq.getParameter("elm1"); String processId = aReq.getParameter("pid"); String path = aReq.getParameter("path"); String sManager = aReq.getUser().getUserName(); - + try { //Apply this modifiedContent instead of the one published by the original author @@ -1707,7 +1709,7 @@ aRes.setRenderParameter("op", from); } return; - } + } aRes.setRenderParameter("path", path); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); } @@ -1717,13 +1719,13 @@ String language = aReq.getParameter("language"); String version = aReq.getParameter("version"); - //Perform the change in live version here + //Perform the change in live version here Command makeLiveCommand = CMSService.getCommandFactory().createMakeLiveVersionCommand(path, language, version); CMSService.execute(makeLiveCommand); aRes.setRenderParameter("path", path); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); - } + } } else { @@ -1743,7 +1745,7 @@ { if (sNavPath == null) { - sNavPath = "/"; + sNavPath = SLASH; } Command listCMD = CMSService.getCommandFactory().createFolderGetListCommand(sNavPath); Folder mainFolder = (Folder)CMSService.execute(listCMD); @@ -1787,13 +1789,13 @@ (manageUsers == null || manageUsers.length == 0) ) { - //remove all direct permissions on this node + //remove all direct permissions on this node String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path); this.authorizationManager.getProvider().removeSecurityBindings(uri); return; } - //cleanup the old permissions on this node, before new ones are created + //cleanup the old permissions on this node, before new ones are created String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path); this.authorizationManager.getProvider().removeSecurityBindings(uri); @@ -1906,11 +1908,11 @@ if (portletRequest.getUserPrincipal() != null) { - if(portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName())) + if (portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName())) { return true; } - + //Not the Root User. so now make sure the Portlet is accessible to the User that is logged in User user = this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName()); String uri = this.authorizationManager.getProvider().getUserURI(user.getUserName()); @@ -1958,7 +1960,6 @@ } /** - * * @param portletRequest * @return */ @@ -2065,26 +2066,26 @@ this.setApprovePublish(null); } } - + private void filterResourceBySecurity(List resources, PortalCMSSecurityContext securityContext) { - + } - + private boolean hasWriteAccess(PortletRequest request, String path) { boolean hasAccess = false; - + User user = null; - if(request instanceof JBossRenderRequest) + if (request instanceof JBossRenderRequest) { user = ((JBossRenderRequest)request).getUser(); } - else if(request instanceof JBossActionRequest) + else if (request instanceof JBossActionRequest) { user = ((JBossActionRequest)request).getUser(); } - + try { user = userModule.findUserById(user.getId()); @@ -2097,11 +2098,11 @@ PortalCMSSecurityContext securityContext = new PortalCMSSecurityContext(user); File file = new FileImpl(); file.setBasePath(path); - securityContext.setAttribute("command", CMSService.getCommandFactory().createFileUpdateCommand(file)); + securityContext.setAttribute("command", CMSService.getCommandFactory().createFileUpdateCommand(file)); PortalPermission cmsPermission = new CMSPermission(securityContext); hasAccess = this.authorizationManager.checkPermission(cmsPermission); - + return hasAccess; } } \ No newline at end of file

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12744 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 06:03:32 -0500 (Sat, 31 Jan 2009) New Revision: 12744 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: regex was wrong Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 08:57:18 UTC (rev 12743) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 11:03:32 UTC (rev 12744) @@ -108,7 +108,7 @@ private ApprovePublish approvePublish; private AuthorizationManager authorizationManager; private ResourceBundle resources = null; - private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("^[<>\$\$=]"); + private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[^<>\$\$=]*"); private static final String SLASH = "/";

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12743 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: thomas.heute(a)jboss.com Date: 2009-01-31 03:57:18 -0500 (Sat, 31 Jan 2009) New Revision: 12743 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: minor Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:17:10 UTC (rev 12742) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31 08:57:18 UTC (rev 12743) @@ -62,6 +62,7 @@ import org.jboss.portal.search.impl.jcr.JCRQuery; import org.jboss.portal.search.impl.jcr.JCRQueryConverter; import org.jboss.portal.security.PortalPermission; +import org.jboss.portal.server.ParameterSanitizer; import org.jboss.portal.server.request.URLContext; import org.jboss.portal.server.request.URLFormat; import org.jboss.portal.workflow.WorkflowException; @@ -237,13 +238,13 @@ String sPath = rReq.getParameter("path"); if (sPath != null) { - sPath = ParameterValidation.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH); + sPath = ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH); } String sNavPath = rReq.getParameter("navpath"); if (sNavPath != null) { - sNavPath = ParameterValidation.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH); + sNavPath = ParameterSanitizer.sanitizeFromPattern(sNavPath, CHECK_FOR_XSS_PATTERN, SLASH); } if (op == null) @@ -552,7 +553,7 @@ rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); String language = rReq.getParameter("language"); - ParameterValidation.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en"); + ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en"); rReq.setAttribute("language", language); javax.portlet.PortletRequestDispatcher prd = getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/editbinary.jsp"); prd.include(rReq, rRes); @@ -625,7 +626,7 @@ else if (CMSAdminConstants.OP_EDIT.equals(op)) { String sLanguage = rReq.getParameter("language"); - ParameterValidation.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en"); + ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en"); String sVersion = rReq.getParameter("version"); @@ -707,7 +708,7 @@ else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op)) { String sPickupFile = rReq.getParameter("filepath"); - ParameterValidation.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH); + ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH); rRes.setContentType("text/html"); PortletRequestDispatcher prd = null; @@ -986,7 +987,7 @@ if (!item.isFormField()) { String sFilename = item.getName(); - sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, ""); + sFilename = ParameterSanitizer.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, ""); if (!"".equals(sFilename)) { @@ -1050,7 +1051,7 @@ { String fieldName = item.getFieldName(); String itemValue = item.getString(aReq.getCharacterEncoding()); - itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, ""); + itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, ""); if ("destination".equals(fieldName)) { sPath = itemValue;

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12742 - branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: chris.laprun(a)jboss.com Date: 2009-01-30 18:17:10 -0500 (Fri, 30 Jan 2009) New Revision: 12742 Modified: branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: - Added more sanitization of parameter values. However, I am not too familiar with CMS so I am not sure what the proper behavior should be there, or if the default values that I give won't cause side-effects of their own... :( Modified: branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:16:48 UTC (rev 12741) +++ branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:17:10 UTC (rev 12742) @@ -986,6 +986,8 @@ if (!item.isFormField()) { String sFilename = item.getName(); + sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, ""); + if (!"".equals(sFilename)) { int backslashIndex = sFilename.lastIndexOf("\\"); @@ -1047,21 +1049,23 @@ else { String fieldName = item.getFieldName(); + String itemValue = item.getString(aReq.getCharacterEncoding()); + itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, ""); if ("destination".equals(fieldName)) { - sPath = item.getString(aReq.getCharacterEncoding()); + sPath = itemValue; } else if ("description".equals(fieldName)) { - sDescription = item.getString(aReq.getCharacterEncoding()); + sDescription = itemValue; } else if ("title".equals(fieldName)) { - sTitle = item.getString(aReq.getCharacterEncoding()); + sTitle = itemValue; } else if ("language".equals(fieldName)) { - sLanguage = item.getString(aReq.getCharacterEncoding()); + sLanguage = itemValue; } } }

15 years, 3 months

1
0
0 / 0

JBoss Portal SVN: r12741 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin.

by portal-commits＠lists.jboss.org

Author: chris.laprun(a)jboss.com Date: 2009-01-30 18:16:48 -0500 (Fri, 30 Jan 2009) New Revision: 12741 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java Log: - Added more sanitization of parameter values. However, I am not too familiar with CMS so I am not sure what the proper behavior should be there, or if the default values that I give won't cause side-effects of their own... :( Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 22:45:52 UTC (rev 12740) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 23:16:48 UTC (rev 12741) @@ -20,6 +20,7 @@ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * ******************************************************************************/ + package org.jboss.portal.core.cms.ui.admin; import org.apache.commons.fileupload.FileItem; @@ -985,6 +986,8 @@ if (!item.isFormField()) { String sFilename = item.getName(); + sFilename = ParameterValidation.sanitizeFromPattern(sFilename, CHECK_FOR_XSS_PATTERN, ""); + if (!"".equals(sFilename)) { int backslashIndex = sFilename.lastIndexOf("\\"); @@ -1046,21 +1049,23 @@ else { String fieldName = item.getFieldName(); + String itemValue = item.getString(aReq.getCharacterEncoding()); + itemValue = ParameterValidation.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, ""); if ("destination".equals(fieldName)) { - sPath = item.getString(aReq.getCharacterEncoding()); + sPath = itemValue; } else if ("description".equals(fieldName)) { - sDescription = item.getString(aReq.getCharacterEncoding()); + sDescription = itemValue; } else if ("title".equals(fieldName)) { - sTitle = item.getString(aReq.getCharacterEncoding()); + sTitle = itemValue; } else if ("language".equals(fieldName)) { - sLanguage = item.getString(aReq.getCharacterEncoding()); + sLanguage = itemValue; } } } @@ -1713,7 +1718,7 @@ String language = aReq.getParameter("language"); String version = aReq.getParameter("version"); - //Perform the change in live version here + //Perform the change in live version here Command makeLiveCommand = CMSService.getCommandFactory().createMakeLiveVersionCommand(path, language, version); CMSService.execute(makeLiveCommand); @@ -1783,13 +1788,13 @@ (manageUsers == null || manageUsers.length == 0) ) { - //remove all direct permissions on this node + //remove all direct permissions on this node String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path); this.authorizationManager.getProvider().removeSecurityBindings(uri); return; } - //cleanup the old permissions on this node, before new ones are created + //cleanup the old permissions on this node, before new ones are created String uri = this.authorizationManager.getProvider().getCriteriaURI("path", path); this.authorizationManager.getProvider().removeSecurityBindings(uri);

15 years, 3 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

portal-commits January 2009