Author: chris.laprun(a)jboss.com
Date: 2009-05-19 13:54:23 -0400 (Tue, 19 May 2009)
New Revision: 13393
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/main.jsp
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/pending_items.jsp
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/viewfile.jsp
Log:
- JBEPP-86: Added lots of checking for XSS injection. Error reporting is weak but
improving would require major work. :(
- Fixed typo in CSS class
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
---
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-05-19
15:40:11 UTC (rev 13392)
+++
branches/JBoss_Portal_Branch_2_7/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-05-19
17:54:23 UTC (rev 13393)
@@ -107,8 +107,11 @@
private ApprovePublish approvePublish;
private AuthorizationManager authorizationManager;
private ResourceBundle resources = null;
+
private static final Pattern CHECK_FOR_XSS_PATTERN = ParameterValidation.XSS_CHECK;
private static final String SLASH = "/";
+ private static final String INVALID_TITLE = "Invalid title";
+ private static final String INVALID_DESCRIPTION = "Invalid description";
public void init() throws PortletException
@@ -1018,8 +1021,12 @@
String sBasePath = FileUtil.cleanDoubleSlashes(sPath + SLASH +
sFilename);
file.setBasePath(sBasePath);
+ sTitle = ParameterValidation.sanitizeFromPattern(sTitle,
CHECK_FOR_XSS_PATTERN, "");
content.setTitle(sTitle);
+
+ sDescription =
ParameterValidation.sanitizeFromPattern(sDescription, CHECK_FOR_XSS_PATTERN,
"");
content.setDescription(sDescription);
+
content.setBasePath(sBasePath + SLASH + new Locale(sLanguage));
content.setBytes(item.get());
file.setContent(new Locale(sLanguage), content);
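Review bot: sLanguage reaches `new Locale(sLanguage)` on the last lines of this hunk without passing through ParameterValidation.sanitizeFromPattern, while the handlers later in this commit (around lines 1386, 1500, 1564 and 1744) do filter it; the hunk at line 1326 has the same gap, where sLanguage is concatenated straight into the content base path. Giving it the same treatment as the other handlers before the Locale is built would at least make the commit consistent. Separately, the `""` default means a title or description that trips the pattern is replaced wholesale rather than rejected, so the item is stored with an empty field and the user is never told why; the log message acknowledges the weak error reporting, but a comment such as `// values matching the XSS pattern are silently blanked (JBEPP-86)` would make that visible to the next reader. The enclosing method starts and ends outside the hunk.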
@@ -1078,7 +1085,8 @@
}
else if (CMSAdminConstants.OP_DOSEARCH.equals(op))
{
- String search = (String)aReq.getParameter("search");
+ String search = aReq.getParameter("search");
+ search = ParameterValidation.sanitizeFromPattern(search,
CHECK_FOR_XSS_PATTERN, "");
aRes.setRenderParameter("search", search);
aRes.setRenderParameter("op",
CMSAdminConstants.OP_VIEWSEARCHRESULTS);
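Review bot: `aReq.getParameter("search")` is null when the parameter is absent, and the hunk hands that value to sanitizeFromPattern and then to setRenderParameter, which in the portlet API rejects a null value; whether sanitizeFromPattern maps null to the `""` default is not visible here, so it is worth confirming or guarding with `if (search == null) search = "";` before the call. The pattern here is an input denylist; the JSP that later renders the `search` render parameter should still encode it on output, as main.jsp does in this same commit with EntityEncoder.FULL.encode. The enclosing method starts and ends outside the hunk.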
@@ -1318,6 +1326,10 @@
{
content.setMimeType("");
}
+
+ sTitle = ParameterValidation.sanitizeFromPattern(sTitle,
CHECK_FOR_XSS_PATTERN, "");
+ sDescription = ParameterValidation.sanitizeFromPattern(sDescription,
CHECK_FOR_XSS_PATTERN, "");
+
content.setTitle(sTitle);
content.setDescription(sDescription);
content.setBasePath(sBasePath + SLASH + sLanguage);
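Review bot: sLanguage becomes a path segment of the content base path on the last line of this hunk, and the only language check the commit introduces elsewhere (around lines 1386, 1500, 1564 and 1744) is the XSS denylist pattern with an `"en"` fallback, which is neither a path check nor a locale check. A value that does not match the XSS pattern can still carry separators or `..`, and the silent `"en"` substitution stores the content under a different locale than the one submitted, with no feedback to the user. Validating the value against the set of locales the portal actually serves and rejecting the request otherwise would cover both, for example `if (!SUPPORTED_LOCALES.contains(sLanguage)) { /* report a validation error */ return; }` where SUPPORTED_LOCALES is a placeholder for the portlet's configured locale list. The enclosing method starts and ends outside the hunk.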
@@ -1374,8 +1386,14 @@
String sDescription = aReq.getParameter("description");
String sLanguage = aReq.getParameter("language");
+ sFileName = ParameterValidation.sanitizeFromPattern(sFileName,
CHECK_FOR_XSS_PATTERN, "");
+ sDirectory = ParameterValidation.sanitizeFromPattern(sDirectory,
CHECK_FOR_XSS_PATTERN, SLASH);
+ sTitle = ParameterValidation.sanitizeFromPattern(sTitle,
CHECK_FOR_XSS_PATTERN, INVALID_TITLE);
+ sDescription = ParameterValidation.sanitizeFromPattern(sDescription,
CHECK_FOR_XSS_PATTERN, INVALID_DESCRIPTION);
+ sLanguage = ParameterValidation.sanitizeFromPattern(sLanguage,
CHECK_FOR_XSS_PATTERN, "en");
+
//Perform server side data validation
- if (sFileName == null || sFileName.trim().length() == 0)
+ if (sFileName == null || INVALID_TITLE.equals(sTitle) ||
INVALID_DESCRIPTION.equals(sDescription) || sFileName.trim().length() == 0)
{
//Validation Error occurred
//FileName should not be empty
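Review bot: Using the literal strings `INVALID_TITLE` and `INVALID_DESCRIPTION` as both the sanitizer's replacement value and the validation sentinel means a user who genuinely types "Invalid title" is rejected, and the `error:title`/`error:description` render parameters set in the next hunk then echo the sentinel instead of what was submitted, so the form cannot be corrected. Tracking rejection with a boolean derived from whether sanitizeFromPattern changed the value, or with a default that cannot collide with user input (null, if the helper permits it), would keep the check separate from the message. The `sDirectory` fallback to `SLASH` is also a silent redirect: a rejected directory value sends the file to the repository root instead of failing validation the way an empty file name does. The enclosing method starts before this hunk and continues into the next one.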
@@ -1386,8 +1404,8 @@
//used to remember the data already submitted by the user
aRes.setRenderParameter("error:content",
aReq.getParameter("elm1"));
- aRes.setRenderParameter("error:description",
aReq.getParameter("description"));
- aRes.setRenderParameter("error:title",
aReq.getParameter("title"));
+ aRes.setRenderParameter("error:description", sDescription);
+ aRes.setRenderParameter("error:title", sTitle);
aRes.setRenderParameter("error:language",
aReq.getParameter("language"));
return;
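Review bot: `error:language` on the lines above is still filled from the raw `aReq.getParameter("language")` even though sLanguage was already sanitized in the preceding hunk, so the render-parameter set is inconsistent with the sanitized `error:title` and `error:description`; `aRes.setRenderParameter("error:language", sLanguage);` would match. `error:content` likewise echoes `elm1` unfiltered. Whatever lands in these render parameters is written back into the form on the next render, so the JSP that emits them needs to encode on output regardless of the input filtering done here. The enclosing method starts and ends outside the hunk.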
@@ -1482,6 +1500,11 @@
String sTitle = aReq.getParameter("title");
String sDescription = aReq.getParameter("description");
String sLanguage = aReq.getParameter("language");
+
+ sTitle = ParameterValidation.sanitizeFromPattern(sTitle,
CHECK_FOR_XSS_PATTERN, "");
+ sDescription = ParameterValidation.sanitizeFromPattern(sDescription,
CHECK_FOR_XSS_PATTERN, "");
+ sLanguage = ParameterValidation.sanitizeFromPattern(sLanguage,
CHECK_FOR_XSS_PATTERN, "en");
+
String sMakeLive = "off";
if (aReq.getParameterValues("makelive") != null)
{
@@ -1541,6 +1564,7 @@
{
String sTarget = aReq.getParameter("destination");
String sLanguage = aReq.getParameter("language");
+ sLanguage = ParameterValidation.sanitizeFromPattern(sLanguage,
CHECK_FOR_XSS_PATTERN, "en");
if (sTarget != null)
{
@@ -1720,6 +1744,7 @@
{
String path = aReq.getParameter("path");
String language = aReq.getParameter("language");
+ language = ParameterValidation.sanitizeFromPattern(language,
CHECK_FOR_XSS_PATTERN, "en");
String version = aReq.getParameter("version");
//Perform the change in live version here
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/main.jsp
===================================================================
---
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/main.jsp 2009-05-19
15:40:11 UTC (rev 13392)
+++
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/main.jsp 2009-05-19
17:54:23 UTC (rev 13393)
@@ -75,7 +75,7 @@
if (parser.hasMoreTokens())
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="pathItem"><a href="
<portlet:renderURL>
<portlet:param name="op" value="<%= CMSAdminConstants.OP_MAIN
%>"/>
@@ -89,7 +89,7 @@
else
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="selected"><%= EntityEncoder.FULL.encode(sPathChunk)
%>
</li>
<%
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/pending_items.jsp
===================================================================
---
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/pending_items.jsp 2009-05-19
15:40:11 UTC (rev 13392)
+++
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/pending_items.jsp 2009-05-19
17:54:23 UTC (rev 13393)
@@ -43,7 +43,7 @@
if (parser.hasMoreTokens())
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="pathItem"><a href="
<portlet:renderURL>
<portlet:param name="op" value="<%= CMSAdminConstants.OP_MAIN
%>"/>
@@ -57,7 +57,7 @@
else
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="selected"><%= sPathChunk %>
</li>
<%
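Review bot: `<%= sPathChunk %>` in this hunk writes the path chunk into the page unencoded, whereas the equivalent lines touched in this commit in main.jsp and viewfile.jsp use `EntityEncoder.FULL.encode(sPathChunk)`; the path value presumably derives from request input, and since this commit is about XSS, `<li class="selected"><%= EntityEncoder.FULL.encode(sPathChunk) %>` would bring it in line. The commit only renames the CSS class here, so the gap predates it, but it sits on a line the hunk already touches.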
Modified:
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/viewfile.jsp
===================================================================
---
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/viewfile.jsp 2009-05-19
15:40:11 UTC (rev 13392)
+++
branches/JBoss_Portal_Branch_2_7/core-cms/src/resources/portal-cms-war/WEB-INF/jsp/cms/admin/viewfile.jsp 2009-05-19
17:54:23 UTC (rev 13393)
@@ -72,7 +72,7 @@
if (parser.hasMoreTokens())
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="pathItem"><a href="
<portlet:renderURL>
<portlet:param name="op" value="<%= CMSAdminConstants.OP_MAIN
%>"/>
@@ -86,7 +86,7 @@
else
{
%>
- <li class="pathSeperator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
+ <li class="pathSeparator"><img
src="/portal-admin/img/pathSeparator.png" alt=">"></li>
<li class="selected"><%= EntityEncoder.FULL.encode(sPathChunk)
%>
</li>
<%