Author: thomas.heute(a)jboss.com
Date: 2009-01-31 06:07:13 -0500 (Sat, 31 Jan 2009)
New Revision: 12745
Modified:
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
Log:
Merging from branch.
Should fail on XSS attempts (proper error handling is still required)
Requires intensive testing on CMS admin :-/
Modified:
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java
===================================================================
---
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31
11:03:32 UTC (rev 12744)
+++
tags/Enterprise_Portal_Platform_4_3_GA/core-cms/src/main/org/jboss/portal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-31
11:07:13 UTC (rev 12745)
@@ -1,6 +1,6 @@
/******************************************************************************
* JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * Copyright 2009, Red Hat Middleware, LLC, and individual *
* contributors as indicated by the @authors tag. See the *
* copyright.txt in the distribution for a full listing of *
* individual contributors. *
@@ -20,6 +20,7 @@
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
* 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
******************************************************************************/
+
package org.jboss.portal.core.cms.ui.admin;
import org.apache.commons.fileupload.FileItem;
@@ -32,6 +33,7 @@
import org.jboss.portal.cms.impl.ContentImpl;
import org.jboss.portal.cms.impl.FileImpl;
import org.jboss.portal.cms.impl.FolderImpl;
+import org.jboss.portal.cms.impl.jcr.JCRCMS;
import org.jboss.portal.cms.model.Content;
import org.jboss.portal.cms.model.File;
import org.jboss.portal.cms.model.Folder;
@@ -44,9 +46,9 @@
import org.jboss.portal.cms.util.NodeUtil;
import org.jboss.portal.cms.workflow.ApprovePublish;
import org.jboss.portal.cms.workflow.CMSWorkflowUtil;
-import org.jboss.portal.cms.impl.jcr.JCRCMS;
+import org.jboss.portal.common.util.ParameterValidation;
+import org.jboss.portal.core.cms.command.StreamContentCommand;
import org.jboss.portal.core.cms.ui.Util;
-import org.jboss.portal.core.cms.command.StreamContentCommand;
import org.jboss.portal.core.controller.ControllerContext;
import org.jboss.portal.identity.AnonymousRole;
import org.jboss.portal.identity.IdentityException;
@@ -60,6 +62,7 @@
import org.jboss.portal.search.impl.jcr.JCRQuery;
import org.jboss.portal.search.impl.jcr.JCRQueryConverter;
import org.jboss.portal.security.PortalPermission;
+import org.jboss.portal.server.ParameterSanitizer;
import org.jboss.portal.server.request.URLContext;
import org.jboss.portal.server.request.URLFormat;
import org.jboss.portal.workflow.WorkflowException;
@@ -77,7 +80,8 @@
import javax.portlet.PortletSession;
import javax.portlet.UnavailableException;
import java.io.IOException;
-import java.io.InputStream;
+import java.text.Format;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
@@ -85,11 +89,10 @@
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
+import java.util.ResourceBundle;
import java.util.Set;
import java.util.Vector;
-import java.util.ResourceBundle;
-import java.text.SimpleDateFormat;
-import java.text.Format;
+import java.util.regex.Pattern;
/**
* @author <a href="mailto:roy@jboss.org">Roy Russo</a>
@@ -105,6 +108,8 @@
private ApprovePublish approvePublish;
private AuthorizationManager authorizationManager;
private ResourceBundle resources = null;
+ private static final Pattern CHECK_FOR_XSS_PATTERN =
Pattern.compile("[^<>\\(\\)=]*");
+ private static final String SLASH = "/";
public void init() throws PortletException
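Review bot: `CHECK_FOR_XSS_PATTERN` at the top of this hunk is a denylist of only `<`, `>`, `(`, `)` and `=`, so `"`, `'`, `&`, backticks and `..` all pass, which leaves attribute-context injection and path traversal untouched for the `path`, `navpath` and `filepath` values it is applied to later in the commit. Whether the check is effective at all depends on how `ParameterSanitizer.sanitizeFromPattern` applies it, which is not visible here: `[^<>\\(\\)=]*` matches the empty string, so with `Matcher.find()` it matches every input and only with `matches()` is it anchored as intended — please confirm. For repository paths an allow-list is the safer shape, e.g. `private static final Pattern SAFE_PATH_PATTERN = Pattern.compile("[A-Za-z0-9_./-]*");` combined with a rejection of `..` segments, while HTML output encoding in the JSPs remains the actual XSS control.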
@@ -136,22 +141,22 @@
throw new PortletException("Authorization Service not found");
}
- this.initializeApprovePublishWorkflow();
+ this.initializeApprovePublishWorkflow();
}
-
+
/**
- *
+ *
*/
public void init(PortletConfig config) throws PortletException
{
super.init(config);
-
+
//Get the Resource Bundle for this Portlet
this.resources = config.getResourceBundle(Locale.getDefault());
}
/**
- *
+ *
*/
protected void doView(final JBossRenderRequest rReq, final JBossRenderResponse rRes)
throws PortletException, IOException, UnavailableException
@@ -161,8 +166,8 @@
String datePattern = bundle.getString(CMSAdminConstants.CMS_DATE_PATTERN);
Format dateFormat = new SimpleDateFormat(datePattern, rReq.getLocale());
rReq.setAttribute(CMSAdminConstants.DATE_FORMAT, dateFormat);
-
-
+
+
//check and make sure the CMSAdminPortlet is accessible to the current user
if (!this.isPortletAccessible(rReq))
{
@@ -202,38 +207,46 @@
{
throw new PortletException(e);
}
- }
+ }
}
-
- /**
- *
- * @param renderResponse
- * @throws IOException
- */
+
+ /** @throws IOException */
private void showAccessDeniedScreen(JBossRenderRequest rReq, JBossRenderResponse rRes)
throws IOException, PortletException
{
- try
- {
- String sPath = rReq.getParameter("path");
- String sOp = rReq.getParameter("returnOp");
-
-
- rRes.setContentType("text/html");
- rReq.setAttribute("path", sPath);
- rReq.setAttribute("returnOp", sOp);
- javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/accessdenied.jsp");
- prd.include(rReq, rRes);
- }
- catch(Exception e)
- {
- throw new PortletException(e);
- }
+ try
+ {
+ String sPath = rReq.getParameter("path");
+ String sOp = rReq.getParameter("returnOp");
+
+
+ rRes.setContentType("text/html");
+ rReq.setAttribute("path", sPath);
+ rReq.setAttribute("returnOp", sOp);
+ javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/accessdenied.jsp");
+ prd.include(rReq, rRes);
+ }
+ catch (Exception e)
+ {
+ throw new PortletException(e);
+ }
}
private void internalDoView(JBossRenderRequest rReq, JBossRenderResponse rRes)
throws CMSException, PortletException, IOException
{
String op = rReq.getParameter("op");
+ String sPath = rReq.getParameter("path");
+ if (sPath != null)
+ {
+ sPath = ParameterSanitizer.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN,
SLASH);
+ }
+
+ String sNavPath = rReq.getParameter("navpath");
+ if (sNavPath != null)
+ {
+ sNavPath = ParameterSanitizer.sanitizeFromPattern(sNavPath,
CHECK_FOR_XSS_PATTERN, SLASH);
+ }
+
if (op == null)
{
op = CMSAdminConstants.OP_MAIN;
@@ -241,21 +254,19 @@
if (CMSAdminConstants.OP_MAIN.equals(op)) // list page.
{
- String sPath = rReq.getParameter("path");
if (sPath == null)
{
- sPath = "/";
+ sPath = SLASH;
}
-
-
+
JCRCMS.enableUISecurityFilter();
Command listCMD =
CMSService.getCommandFactory().createFolderGetListCommand(sPath);
Folder mainFolder = (Folder)CMSService.execute(listCMD);
-
+
List folders = new ArrayList();
List files = new ArrayList();
-
- if(mainFolder != null)
+
+ if (mainFolder != null)
{
folders = mainFolder.getFolders();
files = mainFolder.getFiles();
@@ -263,15 +274,15 @@
else
{
Object messages =
rReq.getPortletSession().getAttribute("messages");
- if(messages == null)
+ if (messages == null)
{
messages = new ArrayList();
rReq.getPortletSession().setAttribute("messages", messages);
}
-
+
((List)messages).add(this.resources.getObject("CMS_MISSING_RESOURCE"));
}
-
+
JCRCMS.disableUISecurityFilter();
rRes.setContentType("text/html");
@@ -290,13 +301,13 @@
{
rReq.setAttribute("manageWorkflowAccessible", new Boolean(false));
}
-
+
//Messages
- if(rReq.getPortletSession().getAttribute("messages") != null)
+ if (rReq.getPortletSession().getAttribute("messages") != null)
{
Object messages =
rReq.getPortletSession().getAttribute("messages");
rReq.getPortletSession().removeAttribute("messages");
-
+
rReq.setAttribute("messages", messages);
}
@@ -307,42 +318,42 @@
{
try
{
- String sNavPath = rReq.getParameter("navpath");
-
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("navpath", sNavPath);
-
- String sPath = rReq.getParameter("path");
+
rRes.setContentType("text/html");
rReq.setAttribute("createpath", sPath);
-
- if (rReq.getParameter("error:message") != null)
+
+ String parameter = rReq.getParameter("error:message");
+ if (parameter != null)
{
- rReq.setAttribute("error:message",
rReq.getParameter("error:message"));
+ rReq.setAttribute("error:message", parameter);
}
- if (rReq.getParameter("error:newcollectionname") != null)
+ parameter = rReq.getParameter("error:newcollectionname");
+ if (parameter != null)
{
- rReq.setAttribute("error:newcollectionname",
rReq.getParameter("error:newcollectionname"));
+ rReq.setAttribute("error:newcollectionname", parameter);
}
- if (rReq.getParameter("error:newcollectiondescription") != null)
+ parameter = rReq.getParameter("error:newcollectiondescription");
+ if (parameter != null)
{
- rReq.setAttribute("error:newcollectiondescription",
rReq.getParameter("error:newcollectiondescription"));
+ rReq.setAttribute("error:newcollectiondescription", parameter);
}
-
-
+
+
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/confirmcreatecollection.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
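Review bot: The `error:message`, `error:newcollectionname` and `error:newcollectiondescription` values in this hunk are copied from request parameters straight into request attributes with no check, while `path` and `navpath` in the same method now go through `ParameterSanitizer`. These are render parameters set by `processAction`, but nothing visible here prevents a client from supplying them directly in the URL, so if `confirmcreatecollection.jsp` prints them without HTML encoding they are a reflected-XSS sink this commit does not cover — please confirm the JSP side. A comment such as `// error:* values are user-supplied and must be HTML-encoded by the JSP` above the first `rReq.getParameter("error:message")` would make the contract explicit.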
@@ -351,17 +362,15 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -370,15 +379,13 @@
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/upload.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_VIEWFILE.equals(op))
{
- String sPath = rReq.getParameter("path");
-
Command fileGetList =
CMSService.getCommandFactory().createFileGetListCommand(sPath);
List contentList = (List)CMSService.execute(fileGetList);
@@ -459,17 +466,15 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -477,7 +482,7 @@
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/uploadarchive.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
@@ -486,18 +491,16 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
String sType = rReq.getParameter("type");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -506,7 +509,7 @@
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/confirmcopy.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
@@ -515,18 +518,16 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
String sType = rReq.getParameter("type");
-
+
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -535,14 +536,13 @@
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/confirmmove.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_CONFIRMDELETE.equals(op))
{
- String sPath = rReq.getParameter("path");
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/confirmdelete.jsp");
@@ -550,18 +550,16 @@
}
else if (CMSAdminConstants.OP_EDIT_BINARY.equals(op))
{
- String sPath = rReq.getParameter("path");
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("language",
rReq.getParameter("language"));
+ String language = rReq.getParameter("language");
+ ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN,
"en");
+ rReq.setAttribute("language", language);
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/editbinary.jsp");
prd.include(rReq, rRes);
}
- else
- if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) ||
CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op))
+ else if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) ||
CMSAdminConstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op))
{
- String sPath = rReq.getParameter("path");
-
// get Base for editor
StringBuffer sbUrl = new StringBuffer();
sbUrl.append(rReq.getScheme());
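Review bot: The return value of `ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en")` in the `OP_EDIT_BINARY` branch is discarded, so `language` is stored into the `language` attribute exactly as received and the new call has no effect (Java strings are immutable, and every other call site in this commit assigns the result). Change it to `language = ParameterSanitizer.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");`. Even then the pattern permits `"` and `'`, so `editbinary.jsp` still needs to encode the value on output.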
@@ -588,32 +586,38 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, "/"));
+ rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, SLASH));
//If a validation error occurred, re-populate data already submitted
- if (rReq.getParameter("error:content") != null)
+ String parameter = rReq.getParameter("error:content");
+ if (parameter != null)
{
- rReq.setAttribute("error:content",
rReq.getParameter("error:content"));
+ rReq.setAttribute("error:content", parameter);
}
- if (rReq.getParameter("error:description") != null)
+ parameter = rReq.getParameter("error:description");
+ if (parameter != null)
{
- rReq.setAttribute("error:description",
rReq.getParameter("error:description"));
+ rReq.setAttribute("error:description", parameter);
}
- if (rReq.getParameter("error:title") != null)
+ parameter = rReq.getParameter("error:title");
+ if (parameter != null)
{
- rReq.setAttribute("error:title",
rReq.getParameter("error:title"));
+ rReq.setAttribute("error:title", parameter);
}
- if (rReq.getParameter("error:language") != null)
+ parameter = rReq.getParameter("error:language");
+ if (parameter != null)
{
- rReq.setAttribute("error:language",
rReq.getParameter("error:language"));
+ rReq.setAttribute("error:language", parameter);
}
- if (rReq.getParameter("error:filename") != null)
+ parameter = rReq.getParameter("error:filename");
+ if (parameter != null)
{
- rReq.setAttribute("error:filename",
rReq.getParameter("error:filename"));
+ rReq.setAttribute("error:filename", parameter);
}
- if (rReq.getParameter("error:message") != null)
+ parameter = rReq.getParameter("error:message");
+ if (parameter != null)
{
- rReq.setAttribute("error:message",
rReq.getParameter("error:message"));
+ rReq.setAttribute("error:message", parameter);
}
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/create.jsp");
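Review bot: The `error:content` attribute re-populated in this hunk presumably carries the document body submitted through the editor (the text `processAction` later reads from `elm1`), so the `<>()=` pattern used elsewhere in this commit could not be applied to it without destroying legitimate content; that leaves output encoding in `create.jsp` as the only viable control for this whole set of `error:*` attributes, and nothing in the hunk records that. A comment at the top of the block such as `// error:* values are raw user input; create.jsp must encode them (error:content is full document text and cannot be pattern-filtered)` would make the expectation explicit. Whether `create.jsp` actually encodes them is not visible from here and should be verified.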
@@ -621,8 +625,9 @@
}
else if (CMSAdminConstants.OP_EDIT.equals(op))
{
- String sPath = rReq.getParameter("path");
String sLanguage = rReq.getParameter("language");
+ ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN,
"en");
+
String sVersion = rReq.getParameter("version");
StringBuffer sbUrl = new StringBuffer();
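Review bot: As in the `OP_EDIT_BINARY` branch, the result of `ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en")` is dropped, so `sLanguage` continues into the rest of `OP_EDIT` (which runs past the end of this hunk) unchanged. The fix is the assignment: `sLanguage = ParameterSanitizer.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");`. `sVersion` on the next line is read from the request and left unchecked; if it is rendered or used in a lookup it deserves the same treatment or a numeric parse.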
@@ -651,7 +656,7 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
- rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, "/"));
+ rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, SLASH));
Command getCommand;
@@ -680,17 +685,14 @@
{
try
{
- String sPath = rReq.getParameter("path");
- String sNavPath = rReq.getParameter("navpath");
-
List folders = this.getFolderList(sNavPath);
- if((folders == null || folders.isEmpty()) &&
- (sNavPath != null && !sNavPath.equals("/")))
+ if ((folders == null || folders.isEmpty()) &&
+ (sNavPath != null && !sNavPath.equals(SLASH)))
{
sNavPath = NodeUtil.getParentPath(sNavPath);
folders = this.getFolderList(sNavPath);
}
-
+
rReq.setAttribute("folders", folders);
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
@@ -698,15 +700,15 @@
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/exportarchive.jsp");
prd.include(rReq, rRes);
}
- catch(Exception e)
+ catch (Exception e)
{
throw new PortletException(e);
}
}
else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op))
{
- String sPath = rReq.getParameter("path");
String sPickupFile = rReq.getParameter("filepath");
+ ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN,
SLASH);
rRes.setContentType("text/html");
PortletRequestDispatcher prd = null;
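Review bot: The sanitizer call on `sPickupFile` discards its return value, so the `filepath` parameter reaches the rest of the `OP_EXPORTARCHIVE_PICKUP` branch (which continues beyond this hunk) exactly as the client sent it; write `sPickupFile = ParameterSanitizer.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH);`. If, as the name suggests, this value selects a file to hand back, the XSS pattern is the wrong check anyway: it rejects neither `..` nor absolute paths, so a traversal guard (resolve against the export directory and verify the result stays inside it) is needed wherever the value touches the filesystem — please confirm what the omitted lines do with it.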
@@ -725,7 +727,6 @@
}
else if (CMSAdminConstants.OP_CONFIRMSECURE.equals(op))
{
- String sPath = rReq.getParameter("path");
String sConfirm = rReq.getParameter("confirm");
String returnOp = rReq.getParameter("returnOp");
@@ -786,13 +787,11 @@
else if (CMSAdminConstants.OP_VIEWPENDING.equals(op))
{
boolean isWorkflowManagementAccessible =
this.isWorkflowManagementAccessible(rReq);
- if(!isWorkflowManagementAccessible)
+ if (!isWorkflowManagementAccessible)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
- String sPath = rReq.getParameter("path");
if (this.getApprovePublish() != null)
{
@@ -809,30 +808,29 @@
rRes.setContentType("text/html");
rReq.setAttribute("currpath", sPath);
-
+
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/pending_items.jsp");
prd.include(rReq, rRes);
}
else if (CMSAdminConstants.OP_VIEWPENDINGPREVIEW.equals(op))
{
String processId = rReq.getParameter("pid");
- String path = rReq.getParameter("path");
String contentPath = rReq.getParameter("contentPath");
-
+
boolean isWorkflowManagementAccessible =
this.isWorkflowManagementAccessible(rReq);
- if(!isWorkflowManagementAccessible)
+ if (!isWorkflowManagementAccessible)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
- boolean hasWriteAccess = this.hasWriteAccess(rReq, path);
- if(!hasWriteAccess)
+
+ boolean hasWriteAccess = this.hasWriteAccess(rReq, sPath);
+ if (!hasWriteAccess)
{
this.showAccessDeniedScreen(rReq, rRes);
return;
}
-
+
if (this.getApprovePublish() != null)
{
try
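Review bot: In `OP_VIEWPENDINGPREVIEW` the write-access check now runs against the sanitized `sPath`, but the content actually previewed is fetched with the separate, unsanitized `contentPath` parameter (`getPendingContent(Long.parseLong(processId), contentPath)` in the following hunk); if the two can differ, the authorization decision does not cover the resource being shown. The fallback compounds this: a `path` that fails the pattern becomes `/`, so the check would be evaluated against the root folder rather than the requested one. Consider checking the path the content comes from, e.g. `boolean hasWriteAccess = this.hasWriteAccess(rReq, contentPath);`, or verifying that `contentPath` lies under `sPath`, and guarding `Long.parseLong(processId)`, which throws `NumberFormatException` on a non-numeric `pid`. This branch continues past the end of the hunk.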
@@ -845,12 +843,12 @@
rReq.setAttribute("pendingQueue", null);
}
}
-
+
Content pendingContent =
CMSWorkflowUtil.getPendingContent(Long.parseLong(processId), contentPath);
String viewableContent = Util.getViewableContent(rReq, rRes,
pendingContent.getContentAsString());
-
+
rReq.setAttribute("pendingPreviewContent", viewableContent);
-
+
StringBuffer sbUrl = new StringBuffer();
sbUrl.append(rReq.getScheme());
sbUrl.append("://");
@@ -862,12 +860,12 @@
sbUrl.append(rReq.getServerPort());
}
rRes.setContentType("text/html");
- rReq.setAttribute("currpath", path);
- rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, "/"));
-
+ rReq.setAttribute("currpath", sPath);
+ rReq.setAttribute("document_base_url", sbUrl.toString() +
this.buildURL(rReq, SLASH));
+
javax.portlet.PortletRequestDispatcher prd =
getPortletContext().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH +
"/pending_items.jsp");
prd.include(rReq, rRes);
- }
+ }
}
public void processAction(final JBossActionRequest aReq, final JBossActionResponse
aRes) throws PortletException
@@ -917,7 +915,7 @@
String sFolderDescription =
aReq.getParameter("newcollectiondescription");
if (!"".equals(sCreatePath) &&
!"".equals(sFolderName))
{
- String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + "/"
+ sFolderName);
+ String sNewPath = FileUtil.cleanDoubleSlashes(sCreatePath + SLASH +
sFolderName);
Folder folder = new FolderImpl();
folder.setCreationDate(new Date());
@@ -932,9 +930,9 @@
Command saveCMD =
CMSService.getCommandFactory().createFolderSaveCommand(folder);
CMSService.execute(saveCMD);
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
- if(cme.hasPathFormatFailure())
+ if (cme.hasPathFormatFailure())
{
//Validation Error occurred
//FileName should not be empty
@@ -944,7 +942,7 @@
//used to remember the data already submitted by the user
aRes.setRenderParameter("error:message",
CMSAdminConstants.CMS_FOLDERNAME_INVALID);
aRes.setRenderParameter("error:newcollectionname",
aReq.getParameter("newcollectionname"));
- aRes.setRenderParameter("error:newcollectiondescription",
aReq.getParameter("newcollectiondescription"));
+ aRes.setRenderParameter("error:newcollectiondescription",
aReq.getParameter("newcollectiondescription"));
return;
}
@@ -956,7 +954,7 @@
aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN);
aRes.setRenderParameter("path", sNewPath);
- }
+ }
else
{
//Validation Error
@@ -966,7 +964,7 @@
//used to remember the data already submitted by the user
aRes.setRenderParameter("error:message",
CMSAdminConstants.CMS_FOLDERNAME_INVALID);
aRes.setRenderParameter("error:newcollectionname",
aReq.getParameter("newcollectionname"));
- aRes.setRenderParameter("error:newcollectiondescription",
aReq.getParameter("newcollectiondescription"));
+ aRes.setRenderParameter("error:newcollectiondescription",
aReq.getParameter("newcollectiondescription"));
}
}
else if (CMSAdminConstants.OP_UPLOADCONTENT.equals(op))
@@ -989,6 +987,8 @@
if (!item.isFormField())
{
String sFilename = item.getName();
+ sFilename = ParameterSanitizer.sanitizeFromPattern(sFilename,
CHECK_FOR_XSS_PATTERN, "");
+
if (!"".equals(sFilename))
{
int backslashIndex = sFilename.lastIndexOf("\\");
@@ -998,7 +998,7 @@
}
else // unix
{
- backslashIndex = sFilename.lastIndexOf("/");
+ backslashIndex = sFilename.lastIndexOf(SLASH);
sFilename = sFilename.substring(backslashIndex + 1);
}
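Review bot: `sFilename` is pattern-filtered before the basename is extracted, and on a mismatch it appears to become `""` (the fallback argument), which makes the following `if (!"".equals(sFilename))` skip the upload silently; a legitimate name such as `report (1).pdf` is caught by the `(`/`)` in the pattern and the user gets no message. Better to run the check on the basename after the backslash/slash split, and on failure add an entry to the session `messages` list the way the archive-upload branch does instead of dropping the file. Since the value is the client-supplied path, a separate check that the resulting name contains no `..` or separator is what actually protects the `sBasePath` built below.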
@@ -1016,12 +1016,12 @@
content.setMimeType("application/octet-stream");
}
- String sBasePath = FileUtil.cleanDoubleSlashes(sPath +
"/" + sFilename);
+ String sBasePath = FileUtil.cleanDoubleSlashes(sPath + SLASH +
sFilename);
file.setBasePath(sBasePath);
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + new
Locale(sLanguage));
+ content.setBasePath(sBasePath + SLASH + new Locale(sLanguage));
content.setBytes(item.get());
file.setContent(new Locale(sLanguage), content);
@@ -1050,21 +1050,23 @@
else
{
String fieldName = item.getFieldName();
+ String itemValue = item.getString(aReq.getCharacterEncoding());
+ itemValue = ParameterSanitizer.sanitizeFromPattern(itemValue,
CHECK_FOR_XSS_PATTERN, "");
if ("destination".equals(fieldName))
{
- sPath = item.getString(aReq.getCharacterEncoding());
+ sPath = itemValue;
}
else if ("description".equals(fieldName))
{
- sDescription = item.getString(aReq.getCharacterEncoding());
+ sDescription = itemValue;
}
else if ("title".equals(fieldName))
{
- sTitle = item.getString(aReq.getCharacterEncoding());
+ sTitle = itemValue;
}
else if ("language".equals(fieldName))
{
- sLanguage = item.getString(aReq.getCharacterEncoding());
+ sLanguage = itemValue;
}
}
}
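Review bot: Every form field in this loop is sanitized with `""` as the fallback, so a `destination` containing one of `<>()=` becomes empty and the upload is then stored under `"" + SLASH + sFilename`, i.e. at the repository root, instead of being rejected; `title` and `description` likewise lose their entire value if they contain an `=`. Move the call into the branches with a fallback appropriate to each field, e.g. `sPath = ParameterSanitizer.sanitizeFromPattern(itemValue, CHECK_FOR_XSS_PATTERN, SLASH);` in the `destination` branch, and consider leaving the free-text fields to output encoding. The sibling `OP_UPLOADARCHIVE` loop further down still assigns `sLanguage` from `item.getString(...)` without any check, which is inconsistent with this hunk.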
@@ -1100,26 +1102,26 @@
if (!item.isFormField())
{
byte[] archiveBytes = item.get();
-
+
Command storearchiveCMD =
CMSService.getCommandFactory().createAsyncStoreArchiveCommand(sPath, archiveBytes,
sLanguage);
-
+
List messages = new ArrayList();
-
+
try
{
- CMSService.execute(storearchiveCMD);
+ CMSService.execute(storearchiveCMD);
messages.add(this.resources.getObject("CMS_MSG_UPLOADARCHIVE_ASYNC"));
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
String messageKey = cme.getMessageKey();
- if(messageKey != null && messageKey.trim().length() >
0)
+ if (messageKey != null && messageKey.trim().length() >
0)
{
messages.add(this.resources.getObject(messageKey));
}
}
-
-
+
+
aReq.getPortletSession().setAttribute("messages",
messages);
aRes.setRenderParameter("path",
FileUtil.cleanDoubleSlashes(sPath));
@@ -1134,7 +1136,7 @@
else if ("language".equals(fieldName))
{
sLanguage = item.getString(aReq.getCharacterEncoding());
- }
+ }
}
}
}
@@ -1151,27 +1153,27 @@
String sType = aReq.getParameter("type");
if (!"".equals(sTo) && !"".equals(sFrom)
&& !"".equals(sType))
{
- String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1,
sFrom.length());
- sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName);
-
+ String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1,
sFrom.length());
+ sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName);
+
// check if destination already exists
Command existsCMD =
CMSService.getCommandFactory().createItemExistsCommand(sTo);
Boolean bExists = (Boolean)CMSService.execute(existsCMD);
- if (bExists.booleanValue())
- {
- List messages = new ArrayList();
-
messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
- aReq.getPortletSession().setAttribute("messages",
messages);
- try
- {
- String sParentPath = NodeUtil.getParentPath(sFrom);
- aRes.setRenderParameter("path", sParentPath);
- }
- catch (Exception e)
- {
+ if (bExists.booleanValue())
+ {
+ List messages = new ArrayList();
+
messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
+ aReq.getPortletSession().setAttribute("messages", messages);
+ try
+ {
+ String sParentPath = NodeUtil.getParentPath(sFrom);
+ aRes.setRenderParameter("path", sParentPath);
+ }
+ catch (Exception e)
+ {
- }
- return;
+ }
+ return;
}
Command copyCommand =
CMSService.getCommandFactory().createCopyCommand(sFrom, sTo);
@@ -1193,7 +1195,7 @@
String sTo = aReq.getParameter("destination");
String sFrom = aReq.getParameter("source");
String sType = aReq.getParameter("type");
-
+
if (sTo.startsWith(sFrom))
{
List messages = new ArrayList();
@@ -1210,33 +1212,33 @@
}
return;
}
-
+
if (!"".equals(sTo) && !"".equals(sFrom)
&& !"".equals(sType))
{
- String sNodeName = sFrom.substring(sFrom.lastIndexOf("/") + 1,
sFrom.length());
- sTo = FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName);
-
+ String sNodeName = sFrom.substring(sFrom.lastIndexOf(SLASH) + 1,
sFrom.length());
+ sTo = FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName);
+
// check if destination already exists
Command existsCMD =
CMSService.getCommandFactory().createItemExistsCommand(sTo);
Boolean bExists = (Boolean)CMSService.execute(existsCMD);
if (bExists.booleanValue())
- {
- List messages = new ArrayList();
-
messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
- aReq.getPortletSession().setAttribute("messages",
messages);
- try
- {
- String sParentPath = NodeUtil.getParentPath(sFrom);
- aRes.setRenderParameter("path", sParentPath);
- }
- catch (Exception e)
- {
+ {
+ List messages = new ArrayList();
+
messages.add(this.resources.getObject("CMS_MSG_DESTINATION_ALREADY_EXISTS"));
+ aReq.getPortletSession().setAttribute("messages", messages);
+ try
+ {
+ String sParentPath = NodeUtil.getParentPath(sFrom);
+ aRes.setRenderParameter("path", sParentPath);
+ }
+ catch (Exception e)
+ {
- }
- return;
+ }
+ return;
}
-
+
Command moveCommand =
CMSService.getCommandFactory().createMoveCommand(sFrom, sTo);
CMSService.execute(moveCommand);
if ("fo".equalsIgnoreCase(sType))
@@ -1246,7 +1248,7 @@
else if ("fi".equalsIgnoreCase(sType))
{
aRes.setRenderParameter("op",
CMSAdminConstants.OP_VIEWFILE);
- }
+ }
aRes.setRenderParameter("path", sTo);
}
@@ -1298,7 +1300,7 @@
}
else // unix
{
- backslashIndex = sFilename.lastIndexOf("/");
+ backslashIndex = sFilename.lastIndexOf(SLASH);
sFilename = sFilename.substring(backslashIndex + 1);
}
@@ -1319,7 +1321,7 @@
}
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + sLanguage);
+ content.setBasePath(sBasePath + SLASH + sLanguage);
content.setBytes(item.get());
file.setContent(new Locale(sLanguage), content);
@@ -1396,7 +1398,7 @@
if (!"".equals(sFileName) &&
!"".equals(sDirectory))
{
String sContent = aReq.getParameter("elm1");
- String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory +
"/" + sFileName);
+ String sNewFilePath = FileUtil.cleanDoubleSlashes(sDirectory + SLASH +
sFileName);
File file = new FileImpl();
Content content = new ContentImpl();
@@ -1417,7 +1419,7 @@
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sBasePath + "/" + new Locale(sLanguage));
+ content.setBasePath(sBasePath + SLASH + new Locale(sLanguage));
content.setBytes(sContent.getBytes());
file.setContent(new Locale(sLanguage), content);
@@ -1429,9 +1431,9 @@
{
bExists = (Boolean)CMSService.execute(existsCMD);
}
- catch(CMSException cme)
+ catch (CMSException cme)
{
- if(cme.hasPathFormatFailure())
+ if (cme.hasPathFormatFailure())
{
//Validation Error occurred
//FileName should not be empty
@@ -1455,7 +1457,7 @@
throw cme;
}
}
-
+
if (bExists.booleanValue()) // if file exists, update contentNode
{
Command cmdUpdate =
CMSService.getCommandFactory().createUpdateFileCommand(file, content, true);
@@ -1505,7 +1507,7 @@
content.setTitle(sTitle);
content.setDescription(sDescription);
- content.setBasePath(sFilePath + "/" + new
Locale(sLanguage).getLanguage());
+ content.setBasePath(sFilePath + SLASH + new
Locale(sLanguage).getLanguage());
content.setBytes(sContent.getBytes());
file.setContent(new Locale(sLanguage), content);
@@ -1585,11 +1587,11 @@
else if (CMSAdminConstants.OP_APPROVE.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq,
aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String sManager = aReq.getUser().getUserName();
String sPID = aReq.getParameter("pid");
try
@@ -1619,11 +1621,11 @@
else if (CMSAdminConstants.OP_DENY.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq,
aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String sManager = aReq.getUser().getUserName();
String sPID = aReq.getParameter("pid");
try
@@ -1647,45 +1649,45 @@
}
return;
}
-
+
String filePath = aReq.getParameter("path");
String parentPath = null;
try
{
parentPath = NodeUtil.getParentPath(filePath);
}
- catch(Exception e)
+ catch (Exception e)
{
- parentPath = "/";
+ parentPath = SLASH;
}
-
+
//Check if this file still exists
Command existsCmd =
this.CMSService.getCommandFactory().createItemExistsCommand(filePath);
- boolean exists =
((Boolean)this.CMSService.execute(existsCmd)).booleanValue();
- if(exists)
+ boolean exists =
((Boolean)this.CMSService.execute(existsCmd)).booleanValue();
+ if (exists)
{
aRes.setRenderParameter("path", filePath);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
}
else
- {
+ {
aRes.setRenderParameter("path", parentPath);
aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN);
}
}
- else if(CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op))
+ else if (CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op))
{
boolean hasWriteAccess = this.hasWriteAccess(aReq,
aReq.getParameter("path"));
- if(!hasWriteAccess)
+ if (!hasWriteAccess)
{
throw new CMSException("Access to this resource is denied");
}
-
+
String modifiedContent = aReq.getParameter("elm1");
String processId = aReq.getParameter("pid");
String path = aReq.getParameter("path");
String sManager = aReq.getUser().getUserName();
-
+
try
{
//Apply this modifiedContent instead of the one published by the original
author
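Review bot: The `catch (Exception e)` that falls back to `parentPath = SLASH` hides every failure of `NodeUtil.getParentPath(filePath)` — including a missing `path` request parameter, since `filePath` is never null-checked — and drops `e`, so the user is silently redirected to the root folder with nothing recorded. Catch only the exception type `getParentPath` actually declares (not visible here) and make the fallback's intent explicit with a comment such as `// getParentPath failed (missing or malformed path): fall back to the root folder`. If `path` can legitimately be absent, reject or default it before `createItemExistsCommand(filePath)` rather than letting the command see null. The `else if` branch that this hunk's first lines close begins before the hunk, and the `OP_MODIFYANDAPPROVE` `try` block runs past its end.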
@@ -1707,7 +1709,7 @@
aRes.setRenderParameter("op", from);
}
return;
- }
+ }
aRes.setRenderParameter("path", path);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
}
@@ -1717,13 +1719,13 @@
String language = aReq.getParameter("language");
String version = aReq.getParameter("version");
- //Perform the change in live version here
+ //Perform the change in live version here
Command makeLiveCommand =
CMSService.getCommandFactory().createMakeLiveVersionCommand(path, language, version);
CMSService.execute(makeLiveCommand);
aRes.setRenderParameter("path", path);
aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE);
- }
+ }
}
else
{
@@ -1743,7 +1745,7 @@
{
if (sNavPath == null)
{
- sNavPath = "/";
+ sNavPath = SLASH;
}
Command listCMD =
CMSService.getCommandFactory().createFolderGetListCommand(sNavPath);
Folder mainFolder = (Folder)CMSService.execute(listCMD);
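Review bot: Only a null `sNavPath` is replaced by `SLASH` before `createFolderGetListCommand(sNavPath)`; an empty string falls through unchanged. If `sNavPath` originates from a request parameter (its source is above the hunk), a submitted empty value reaches the command as `""` instead of the root folder — if that is not a valid folder path for the command, widen the guard to `if (sNavPath == null || sNavPath.length() == 0)`. The enclosing method starts and ends outside this hunk.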
@@ -1787,13 +1789,13 @@
(manageUsers == null || manageUsers.length == 0)
)
{
- //remove all direct permissions on this node
+ //remove all direct permissions on this node
String uri =
this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);
return;
}
- //cleanup the old permissions on this node, before new ones are created
+ //cleanup the old permissions on this node, before new ones are created
String uri =
this.authorizationManager.getProvider().getCriteriaURI("path", path);
this.authorizationManager.getProvider().removeSecurityBindings(uri);
@@ -1906,11 +1908,11 @@
if (portletRequest.getUserPrincipal() != null)
{
-
if(portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName()))
+ if
(portletRequest.getUserPrincipal().getName().equals(this.authorizationManager.getProvider().getRoot().getUserName()))
{
return true;
}
-
+
//Not the Root User. so now make sure the Portlet is accessible to the User
that is logged in
User user =
this.userModule.findUserByUserName(portletRequest.getUserPrincipal().getName());
String uri =
this.authorizationManager.getProvider().getUserURI(user.getUserName());
@@ -1958,7 +1960,6 @@
}
/**
- *
* @param portletRequest
* @return
*/
@@ -2065,26 +2066,26 @@
this.setApprovePublish(null);
}
}
-
+
private void filterResourceBySecurity(List resources, PortalCMSSecurityContext
securityContext)
{
-
+
}
-
+
private boolean hasWriteAccess(PortletRequest request, String path)
{
boolean hasAccess = false;
-
+
User user = null;
- if(request instanceof JBossRenderRequest)
+ if (request instanceof JBossRenderRequest)
{
user = ((JBossRenderRequest)request).getUser();
}
- else if(request instanceof JBossActionRequest)
+ else if (request instanceof JBossActionRequest)
{
user = ((JBossActionRequest)request).getUser();
}
-
+
try
{
user = userModule.findUserById(user.getId());
@@ -2097,11 +2098,11 @@
PortalCMSSecurityContext securityContext = new PortalCMSSecurityContext(user);
File file = new FileImpl();
file.setBasePath(path);
- securityContext.setAttribute("command",
CMSService.getCommandFactory().createFileUpdateCommand(file));
+ securityContext.setAttribute("command",
CMSService.getCommandFactory().createFileUpdateCommand(file));
PortalPermission cmsPermission = new CMSPermission(securityContext);
hasAccess = this.authorizationManager.checkPermission(cmsPermission);
-
+
return hasAccess;
}
}
\ No newline at end of file