Author: thomas.heute(a)jboss.com Date: 2009-04-06 07:19:36 -0400 (Mon, 06 Apr 2009) New Revision: 13161 Modified: branches/Enterprise_Portal_Platform_4_3/core-wsrp/build.xml branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/other/WSRPPortletURLTestCase.java branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/v1/producer/MarkupTestCase.java branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/wsrp/WSRPPortletURL.java Log: JBEPP-57: Ampersand sign (&) may be double encoded when going through WSRP Modified: branches/Enterprise_Portal_Platform_4_3/core-wsrp/build.xml =================================================================== --- branches/Enterprise_Portal_Platform_4_3/core-wsrp/build.xml 2009-04-06 10:58:26 UTC (rev 13160) +++ branches/Enterprise_Portal_Platform_4_3/core-wsrp/build.xml 2009-04-06 11:19:36 UTC (rev 13161) @@ -1,24 +1,24 @@ <?xml version="1.0" encoding="UTF-8"?> <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~ JBoss, a division of Red Hat ~ - ~ Copyright 2006, Red Hat Middleware, LLC, and individual ~ - ~ contributors as indicated by the @authors tag. See the ~ - ~ copyright.txt in the distribution for a full listing of ~ - ~ individual contributors. ~ - ~ ~ - ~ This is free software; you can redistribute it and/or modify it ~ - ~ under the terms of the GNU Lesser General Public License as ~ - ~ published by the Free Software Foundation; either version 2.1 of ~ - ~ the License, or (at your option) any later version. ~ - ~ ~ - ~ This software is distributed in the hope that it will be useful, ~ - ~ but WITHOUT ANY WARRANTY; without even the implied warranty of ~ - ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ~ - ~ Lesser General Public License for more details. ~ - ~ ~ - ~ You should have received a copy of the GNU Lesser General Public ~ - ~ License along with this software; if not, write to the Free ~ - ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~ + ~ Copyright 2009, Red Hat Middleware, LLC, and individual + ~ contributors as indicated by the @authors tag. See the + ~ copyright.txt in the distribution for a full listing of + ~ individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~--> @@ -152,10 +152,10 @@ <pathelement location="${project.tools}/lib/explode.jar"/> <path refid="apache.ant.classpath"/> </path> - <taskdef - name="explode" - classname="org.jboss.portal.common.ant.Explode" - classpathref="explode.task.classpath"/> + <taskdef + name="explode" + classname="org.jboss.portal.common.ant.Explode" + classpathref="explode.task.classpath"/> </target> <!--+====================================================================+--> @@ -209,11 +209,9 @@ <fileset dir="${jboss/portlet.bridge.lib}" includes="portletbridge-impl.jar"/> <fileset dir="${build.lib}" includes="portal-wsrp-admin-lib.jar"/> <fileset dir="${jboss.portal-faces.root}/lib" includes="portal-faces-lib.jar"/> - <!--<fileset dir="${el.el.lib}" includes="el-api.jar,el-ri.jar"/>--> <fileset dir="${apache.lang.lib}" includes="commons-lang.jar"/> <fileset dir="${apache.beanutils.lib}" includes="commons-beanutils.jar"/> <fileset dir="${apache.digester.lib}" includes="commons-digester.jar"/> - <!--<fileset dir="${commons.el.lib}" includes="commons-el.jar"/>--> </copy> <copy todir="${build.wsrp-admin.war}/WEB-INF/lib"> @@ -225,9 +223,9 @@ <fileset dir="${build.resources}/portal-wsrp-admin-war" includes="**/*"/> </copy> - <copy todir="${build.resources}/portal-wsrp-admin.war"> - <fileset dir="${source.bin}/portal-wsrp-admin-war" includes="**/*"/> - </copy> + <copy todir="${build.resources}/portal-wsrp-admin.war"> + <fileset dir="${source.bin}/portal-wsrp-admin-war" includes="**/*"/> + </copy> <jar jarfile="${build.lib}/portal-wsrp-admin.war"> <fileset dir="${build.resources}/portal-wsrp-admin.war" includes="**/*"/> @@ -240,7 +238,7 @@ dir="${build.resources}/portal-wsrp-admin-sar" tofile="${build.lib}/portal-wsrp-admin.sar"/--> - </target> + </target> <!-- ================================================================== --> <!-- Cleaning --> @@ -291,9 +289,9 @@ <target name="package-other-test" description="Generates the other test artifacts" depends="compile"> <mkdir dir="${build.lib.test}"/> <jar jarfile="${build.lib.test}/test-other-lib.jar"> - <fileset dir="${build.classes}/"> - <include name="org/jboss/portal/test/wsrp/other/*.class"/> - </fileset> + <fileset dir="${build.classes}/"> + <include name="org/jboss/portal/test/wsrp/other/*.class"/> + </fileset> </jar> </target> Modified: branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/other/WSRPPortletURLTestCase.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/other/WSRPPortletURLTestCase.java 2009-04-06 10:58:26 UTC (rev 13160) +++ branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/other/WSRPPortletURLTestCase.java 2009-04-06 11:19:36 UTC (rev 13161) @@ -101,11 +101,15 @@ public void testDoublyEncodedAmpersand() { String expected = "wsrp_rewrite?wsrp-urlType=render&amp;amp;wsrp-mode=wsrp:help&amp;amp;wsrp-windowState=wsrp:maximized/wsrp_rewrite"; - WSRPPortletURL url = WSRPPortletURL.create(expected); - - assertTrue(url instanceof WSRPRenderURL); - assertEquals(Mode.HELP, url.getMode()); - assertEquals(WindowState.MAXIMIZED, url.getWindowState()); + try + { + WSRPPortletURL.create(expected); + fail("Should have thrown an exception on doubly encoded &!"); + } + catch (Exception e) + { + // expected + } } /** Relax validation and test that we now accept normally invalid URLs. */ Modified: branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/v1/producer/MarkupTestCase.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/v1/producer/MarkupTestCase.java 2009-04-06 10:58:26 UTC (rev 13160) +++ branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/test/wsrp/v1/producer/MarkupTestCase.java 2009-04-06 11:19:36 UTC (rev 13161) @@ -1,6 +1,6 @@ /****************************************************************************** * JBoss, a division of Red Hat * - * Copyright 2006, Red Hat Middleware, LLC, and individual * + * Copyright 2009, Red Hat Middleware, LLC, and individual * * contributors as indicated by the @authors tag. See the * * copyright.txt in the distribution for a full listing of * * individual contributors. * @@ -61,7 +61,7 @@ private static final String DEFAULT_MARKUP_PORTLET_WAR = "test-markup-portlet.war"; public MarkupTestCase() - throws Exception + throws Exception { super("MarkupTestCase", DEFAULT_MARKUP_PORTLET_WAR); } @@ -115,9 +115,9 @@ MarkupResponse response = markupService.getMarkup(getMarkup); - checkMarkupResponse(response, "<form method='post' action='wsrp_rewrite?wsrp-urlType=blockingAction&amp;wsrp" + - "-interactionState=JBPNS_/wsrp_rewrite' id='wsrp_rewrite_portfolioManager'><table><tr><td>Stock symbol</t" + - "d><td><input name='symbol'/></td></tr><tr><td><input type='submit' value='Submit'></td></tr></table></form>"); + checkMarkupResponse(response, "<form method='post' action='wsrp_rewrite?wsrp-urlType=blockingAction&wsrp" + + "-interactionState=JBPNS_/wsrp_rewrite' id='wsrp_rewrite_portfolioManager'><table><tr><td>Stock symbol</t" + + "d><td><input name='symbol'/></td></tr><tr><td><input type='submit' value='Submit'></td></tr></table></form>"); } public void testGetMarkupRenderParameters() throws Exception @@ -155,7 +155,7 @@ // let's see now if we can increment the counter PerformBlockingInteraction performBlockingInteraction = - WSRPTypeFactory.createDefaultPerformBlockingInteraction(getHandleForCurrentlyDeployedArchive()); + WSRPTypeFactory.createDefaultPerformBlockingInteraction(getHandleForCurrentlyDeployedArchive()); InteractionParams interactionParams = performBlockingInteraction.getInteractionParams(); interactionParams.setInteractionState(incrementAction.getInteractionState().getStringValue()); markupService.performBlockingInteraction(performBlockingInteraction); @@ -223,7 +223,7 @@ public void testPerformBlockingInteractionRedirect() throws Exception { PerformBlockingInteraction performBlockingInteraction = - WSRPTypeFactory.createDefaultPerformBlockingInteraction(getDefaultHandle()); + WSRPTypeFactory.createDefaultPerformBlockingInteraction(getDefaultHandle()); InteractionParams interactionParams = performBlockingInteraction.getInteractionParams(); NamedString[] formParams = {new NamedString("symbol", "HELP")}; // crappy way but this is a test! ;) interactionParams.setFormParameters(formParams); @@ -436,8 +436,8 @@ GetMarkup getMarkup = createMarkupRequestForCurrentlyDeployedPortlet(); MarkupResponse response = markupService.getMarkup(getMarkup); - checkMarkupResponse(response, "wsrp_rewrite?wsrp-urlType=blockingAction&amp;wsrp-interactionState=JBPNS_/wsrp_rewrite\n" + - "wsrp_rewrite?wsrp-urlType=render&amp;wsrp-navigationalState=JBPNS_/wsrp_rewrite"); + checkMarkupResponse(response, "wsrp_rewrite?wsrp-urlType=blockingAction&wsrp-interactionState=JBPNS_/wsrp_rewrite\n" + + "wsrp_rewrite?wsrp-urlType=render&wsrp-navigationalState=JBPNS_/wsrp_rewrite"); } finally { @@ -474,7 +474,7 @@ try { PerformBlockingInteraction action = - WSRPTypeFactory.createDefaultPerformBlockingInteraction(getHandleForCurrentlyDeployedArchive()); + WSRPTypeFactory.createDefaultPerformBlockingInteraction(getHandleForCurrentlyDeployedArchive()); action.getInteractionParams().setFormParameters(new NamedString[]{new NamedString("multi", "value1")}); BlockingInteractionResponse actionResponse = markupService.performBlockingInteraction(action); GetMarkup markupRequest = createMarkupRequestForCurrentlyDeployedPortlet(); @@ -483,7 +483,7 @@ checkMarkupResponse(response, "multi: value1"); action.getInteractionParams().setFormParameters(new NamedString[]{ - new NamedString("multi", "value1"), new NamedString("multi", "value2")}); + new NamedString("multi", "value1"), new NamedString("multi", "value2")}); actionResponse = markupService.performBlockingInteraction(action); markupRequest = createMarkupRequestForCurrentlyDeployedPortlet(); markupRequest.getMarkupParams().setNavigationalState(actionResponse.getUpdateResponse().getNavigationalState()); @@ -685,7 +685,7 @@ private String checkPBIAndGetNavigationalState(String symbol) throws Exception { PerformBlockingInteraction performBlockingInteraction = - WSRPTypeFactory.createDefaultPerformBlockingInteraction(getDefaultHandle()); + WSRPTypeFactory.createDefaultPerformBlockingInteraction(getDefaultHandle()); InteractionParams interactionParams = performBlockingInteraction.getInteractionParams(); NamedString[] formParams = {new NamedString("symbol", symbol)}; interactionParams.setFormParameters(formParams); @@ -722,7 +722,7 @@ ExtendedAssert.assertNotNull(markupContext); String markupString = markupContext.getMarkupString(); ExtendedAssert.assertString1ContainsString2(markupString, "count = " + count); - ExtendedAssert.assertString1ContainsString2(markupString, "<a href='wsrp_rewrite?wsrp-urlType=render&amp;wsrp-navigationalState=JBPNS_/wsrp_rewrite'>render</a>"); + ExtendedAssert.assertString1ContainsString2(markupString, "<a href='wsrp_rewrite?wsrp-urlType=render&wsrp-navigationalState=JBPNS_/wsrp_rewrite'>render</a>"); // checking session checkSessionForCurrentlyDeployedPortlet(response); Modified: branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/wsrp/WSRPPortletURL.java =================================================================== --- branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/wsrp/WSRPPortletURL.java 2009-04-06 10:58:26 UTC (rev 13160) +++ branches/Enterprise_Portal_Platform_4_3/wsrp/src/main/org/jboss/portal/wsrp/WSRPPortletURL.java 2009-04-06 11:19:36 UTC (rev 13161) @@ -51,20 +51,23 @@ private static final Logger log = Logger.getLogger(WSRPPortletURL.class); private static final String EQUALS = "="; - private static final String AMPERSAND = "&amp;"; + + private static final String ENCODED_AMPERSAND = "&amp;"; + private static final String AMPERSAND = "&"; + private static final String AMP_AMP = "&amp;amp;"; + private static final String PARAM_SEPARATOR = "|"; private static final int URL_TYPE_END = WSRPRewritingConstants.URL_TYPE_NAME.length() + EQUALS.length(); + private boolean secure; - private boolean secure; private Mode mode; + private WindowState windowState; /** Are we using strict rewriting parameters validation mode? */ private static boolean strict = true; - /** Holds extra parameters if we are in relaxed validation mode */ private Map<String, String> extraParams; - /** Remember position of extra parameters wrt end token */ private boolean extraParamsAfterEndToken = false; @@ -173,9 +176,12 @@ } // standardize parameter separators - encodedURL = Tools.replace(encodedURL, "&amp;amp;", PARAM_SEPARATOR); // sanitize doubly encoded &amp; fix-me: should be removed? + if (encodedURL.contains(AMP_AMP)) + { + throw new IllegalArgumentException(encodedURL + " contains a doubly encoded &!"); + } + encodedURL = Tools.replace(encodedURL, ENCODED_AMPERSAND, PARAM_SEPARATOR); encodedURL = Tools.replace(encodedURL, AMPERSAND, PARAM_SEPARATOR); - encodedURL = Tools.replace(encodedURL, "&", PARAM_SEPARATOR); // this second shouldn't be used but in case it is... // remove url type param name and extract value encodedURL = encodedURL.substring(URL_TYPE_END);