
From tay...@apache.org
Subject svn commit: r1726733 - in /portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed: container/url/impl/AbstractPortalURL.java services/rest/AbstractRestService.java services/rest/UserManagerService.java
Date Tue, 26 Jan 2016 05:57:48 GMT
Author: taylor
Date: Tue Jan 26 05:57:48 2016
New Revision: 1726733

URL: http://svn.apache.org/viewvc?rev=1726733&view=rev
Log:
Further tighten security around the new user manager service against SQL injection

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
Tue Jan 26 05:57:48 2016
@@ -234,7 +234,9 @@ public abstract class AbstractPortalURL
 
     protected void setPath(String path)
     {
-        this.path = path.replaceAll("['\"]", ""); // remove any escaped scripts from URL
(seems to only effect Firefox browser)
+        if (path != null) {
+            this.path = path.replaceAll("['\"]", ""); // remove any escaped scripts from
URL (seems to only effect Firefox browser)
+        }
     }
 
     public String getBaseURL()
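Review bot: The new null guard leaves `this.path` at whatever value it held before when a null path is passed, so a caller that relies on setPath(null) to clear the path would silently keep a stale value; if clearing is a legitimate use, `this.path = (path == null) ? null : path.replaceAll("['\"]", "");` keeps the same stripping without the silent skip. The inline comment also overstates what the replaceAll achieves: removing the two quote characters is a narrow blacklist and does not by itself make the path safe to embed in HTML or attribute context, where encoding at the point the URL is written out is the reliable control. I would reword it to `// strip single/double quotes from the path as defence in depth; output encoding where the URL is rendered remains the primary control` (and "effect" should read "affect"). setPath is fully contained in the hunk.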

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
Tue Jan 26 05:57:48 2016
@@ -23,8 +23,6 @@ import org.apache.jetspeed.services.bean
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
-import java.util.ArrayList;
-import java.util.List;
 
 /**
  * Created by dtaylor on 5/2/15.
@@ -49,22 +47,4 @@ public class AbstractRestService {
         }
     }
 
-    protected String stripSQLInjection(String in) {
-        if (in == null) {
-            return null;
-        }
-        return in.replaceAll("['\"]", "");
-    }
-
-    protected List<String> stripSQLInjection(List<String> in) {
-        if (in == null) {
-            return null;
-        }
-        ArrayList<String> out = new ArrayList<>();
-        for (String s : in) {
-            out.add(stripSQLInjection(s));
-        }
-        return out;
-    }
-
 }

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
Tue Jan 26 05:57:48 2016
@@ -118,13 +118,6 @@ public class UserManagerService extends
     {
         checkPrivilege(servletRequest, JetspeedActions.VIEW);
 
-        userName = stripSQLInjection(userName);
-        sortDirection = stripSQLInjection(sortDirection);
-        roles = stripSQLInjection(roles);
-        groups = stripSQLInjection(groups);
-        attributeKeys = stripSQLInjection(attributeKeys);
-        attributeValues = stripSQLInjection(attributeValues);
-
         Map<String, String> attributeMap = null;
         
         if (attributeKeys != null && attributeKeys.size() > 0 && attributeKeys.size()
== attributeValues.size())




