Author: pete.muir(a)jboss.org
Date: 2008-05-07 07:21:57 -0400 (Wed, 07 May 2008)
New Revision: 8122
Added:
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
trunk/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
Modified:
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java
trunk/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java
trunk/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java
Log:
JBSEAM-2942
Modified: branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java
===================================================================
---
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java 2008-05-07
05:27:11 UTC (rev 8121)
+++
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -9,6 +9,7 @@
import org.ajax4jsf.component.html.HtmlLoadStyle;
import org.jboss.seam.navigation.Pages;
+import org.jboss.seam.ui.resource.SafeStyleResources;
import org.jboss.seam.ui.resource.StyleResource;
import org.jboss.seam.ui.util.UrlBuilder;
import org.jboss.seam.util.Reflections;
@@ -22,9 +23,11 @@
UIConversationId uiConversationId = UIConversationId.newInstance();
uiConversationId.setViewId(Pages.getViewId(getFacesContext()));
+ String src = super.getSrc() != null ? super.getSrc().toString() : null;
+ SafeStyleResources.instance().addSafeStyleResource(src);
try
{
- UrlBuilder urlBuilder = new UrlBuilder(StyleResource.WEB_RESOURCE_PATH +
super.getSrc(), null,
FacesContext.getCurrentInstance().getResponseWriter().getCharacterEncoding());
+ UrlBuilder urlBuilder = new UrlBuilder(StyleResource.WEB_RESOURCE_PATH + src,
null, FacesContext.getCurrentInstance().getResponseWriter().getCharacterEncoding());
urlBuilder.addParameter(uiConversationId);
if (isIsolated())
{
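Review bot: `src` can be null here and is still handed to `addSafeStyleResource`, so a `null` entry lands in the application-wide allow-list and the URL built two lines later becomes `WEB_RESOURCE_PATH + "null"`; guard the registration, e.g. `if (src != null) { SafeStyleResources.instance().addSafeStyleResource(src); }`. A comment on the registration line would help the next reader, since that set is what StyleResource now consults before serving a file: `// register the stylesheet so StyleResource will serve it (allow-list, JBSEAM-2942)`. Because the set starts empty, a stylesheet is only servable after a page that renders it has been encoded since startup, so a directly requested stylesheet URL gets a 404 until then; that is worth a sentence in the Javadoc. The enclosing method starts and ends outside the hunk; the same points apply to the trunk hunk of UILoadStyle.java.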
Added:
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
===================================================================
--- branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
(rev 0)
+++
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -0,0 +1,51 @@
+package org.jboss.seam.ui.resource;
+
+import static org.jboss.seam.ScopeType.APPLICATION;
+import static org.jboss.seam.annotations.Install.BUILT_IN;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.jboss.seam.Component;
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.contexts.Contexts;
+
+@Scope(APPLICATION)
+(a)Name("org.jboss.seam.ui.resource.safeStyleResources")
+@BypassInterceptors
+@Install(precedence = BUILT_IN)
+public class SafeStyleResources
+{
+
+ private Set<String> safeStyleResources = new HashSet<String>();
+
+ public void addSafeStyleResource(String path)
+ {
+ this.safeStyleResources.add(path);
+ }
+
+ public boolean isStyleResourceSafe(String path)
+ {
+ if (safeStyleResources.contains(path))
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ public static SafeStyleResources instance()
+ {
+ if ( !Contexts.isApplicationContextActive() )
+ {
+ throw new IllegalStateException("No active application context");
+ }
+ return (SafeStyleResources) (Component.getInstance(SafeStyleResources.class));
+ }
+
+}
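Review bot: The `HashSet` behind this `@Scope(APPLICATION)` component is read and written concurrently without any synchronization — `addSafeStyleResource` runs on every rendering thread and `isStyleResourceSafe` on the resource-servlet thread — so a lookup can race with a rehash and miss or corrupt entries; declare it `private final Set<String> safeStyleResources = Collections.synchronizedSet(new HashSet<String>());` (importing `java.util.Collections`). `isStyleResourceSafe` can simply `return safeStyleResources.contains(path);`. The class has no Javadoc; a header such as "Application-wide allow-list of stylesheet paths registered by s:loadStyle; StyleResource serves only paths present here, so unregistered paths are refused" would record why it exists. The same applies to the trunk copy of SafeStyleResources.java.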
Property changes on:
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Modified:
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java
===================================================================
---
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java 2008-05-07
05:27:11 UTC (rev 8121)
+++
branches/Seam_2_0/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -19,6 +19,9 @@
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.core.Expressions;
+import org.jboss.seam.log.Log;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
import org.jboss.seam.servlet.ContextualHttpServletRequest;
import org.jboss.seam.util.Resources;
import org.jboss.seam.web.AbstractResource;
@@ -35,6 +38,8 @@
@BypassInterceptors
public class StyleResource extends AbstractResource
{
+
+ private LogProvider log = Logging.getLogProvider(StyleResource.class);
private static final Pattern EL_PATTERN = Pattern.compile("#" +
Pattern.quote("{") + "(.*)"
+ Pattern.quote("}"));
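Review bot: `log` is an instance field rather than `private static final`, and the `org.jboss.seam.log.Log` import added in the preceding hunk is unused (only `LogProvider` and `Logging` are referenced); change it to `private static final LogProvider log = Logging.getLogProvider(StyleResource.class);` and drop the unused import. The same applies to the trunk StyleResource.java hunks.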
@@ -65,6 +70,12 @@
throws IOException
{
String pathInfo = request.getPathInfo().substring(getResourcePath().length());
+ if (!SafeStyleResources.instance().isStyleResourceSafe(pathInfo))
+ {
+ log.warn(pathInfo + " isn't recognized as a valid stylesheet");
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
InputStream in = Resources.getResourceAsStream( pathInfo, getServletContext() );
if (in != null)
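Review bot: `pathInfo` comes straight from the request and is concatenated into the warning message, so a crafted path can push line breaks or misleading text into the log unless the Seam log provider escapes it (which is not visible here); log it in a form that cannot break log lines, e.g. `log.warn("Rejected stylesheet request, path not registered: " + pathInfo.replaceAll("[\\r\\n]", "_"));`. Answering with 404 rather than 403 is a good choice because it does not reveal whether the file exists; a one-line comment would make the intent explicit: `// fail closed: serve only stylesheets registered by s:loadStyle (JBSEAM-2942)`. The pre-existing `request.getPathInfo()` line above the check can still return null and throw before the allow-list runs, which the commit does not address. The enclosing method's signature and body continue outside the hunk; the same applies to the trunk StyleResource.java hunk.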
Modified: trunk/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java
===================================================================
--- trunk/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java 2008-05-07
05:27:11 UTC (rev 8121)
+++ trunk/ui/src/main/java/org/jboss/seam/ui/component/UILoadStyle.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -9,6 +9,7 @@
import org.ajax4jsf.component.html.HtmlLoadStyle;
import org.jboss.seam.navigation.Pages;
+import org.jboss.seam.ui.resource.SafeStyleResources;
import org.jboss.seam.ui.resource.StyleResource;
import org.jboss.seam.ui.util.UrlBuilder;
import org.jboss.seam.util.Reflections;
@@ -22,9 +23,11 @@
UIConversationId uiConversationId = UIConversationId.newInstance();
uiConversationId.setViewId(Pages.getViewId(getFacesContext()));
+ String src = super.getSrc() != null ? super.getSrc().toString() : null;
+ SafeStyleResources.instance().addSafeStyleResource(src);
try
{
- UrlBuilder urlBuilder = new UrlBuilder(StyleResource.WEB_RESOURCE_PATH +
super.getSrc(), null,
FacesContext.getCurrentInstance().getResponseWriter().getCharacterEncoding());
+ UrlBuilder urlBuilder = new UrlBuilder(StyleResource.WEB_RESOURCE_PATH + src,
null, FacesContext.getCurrentInstance().getResponseWriter().getCharacterEncoding());
urlBuilder.addParameter(uiConversationId);
if (isIsolated())
{
Added: trunk/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
===================================================================
--- trunk/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
(rev 0)
+++ trunk/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -0,0 +1,51 @@
+package org.jboss.seam.ui.resource;
+
+import static org.jboss.seam.ScopeType.APPLICATION;
+import static org.jboss.seam.annotations.Install.BUILT_IN;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.jboss.seam.Component;
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.contexts.Contexts;
+
+@Scope(APPLICATION)
+(a)Name("org.jboss.seam.ui.resource.safeStyleResources")
+@BypassInterceptors
+@Install(precedence = BUILT_IN)
+public class SafeStyleResources
+{
+
+ private Set<String> safeStyleResources = new HashSet<String>();
+
+ public void addSafeStyleResource(String path)
+ {
+ this.safeStyleResources.add(path);
+ }
+
+ public boolean isStyleResourceSafe(String path)
+ {
+ if (safeStyleResources.contains(path))
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ public static SafeStyleResources instance()
+ {
+ if ( !Contexts.isApplicationContextActive() )
+ {
+ throw new IllegalStateException("No active application context");
+ }
+ return (SafeStyleResources) (Component.getInstance(SafeStyleResources.class));
+ }
+
+}
Property changes on:
trunk/ui/src/main/java/org/jboss/seam/ui/resource/SafeStyleResources.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Modified: trunk/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java
===================================================================
--- trunk/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java 2008-05-07
05:27:11 UTC (rev 8121)
+++ trunk/ui/src/main/java/org/jboss/seam/ui/resource/StyleResource.java 2008-05-07
11:21:57 UTC (rev 8122)
@@ -19,6 +19,9 @@
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.intercept.BypassInterceptors;
import org.jboss.seam.core.Expressions;
+import org.jboss.seam.log.Log;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
import org.jboss.seam.servlet.ContextualHttpServletRequest;
import org.jboss.seam.util.Resources;
import org.jboss.seam.web.AbstractResource;
@@ -35,6 +38,8 @@
@BypassInterceptors
public class StyleResource extends AbstractResource
{
+
+ private LogProvider log = Logging.getLogProvider(StyleResource.class);
private static final Pattern EL_PATTERN = Pattern.compile("#" +
Pattern.quote("{") + "(.*)"
+ Pattern.quote("}"));
@@ -65,6 +70,12 @@
throws IOException
{
String pathInfo = request.getPathInfo().substring(getResourcePath().length());
+ if (!SafeStyleResources.instance().isStyleResourceSafe(pathInfo))
+ {
+ log.warn(pathInfo + " isn't recognized as a valid stylesheet");
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
InputStream in = Resources.getResourceAsStream( pathInfo, getServletContext() );
if (in != null)