
From woon...@apache.org
Subject svn commit: r1728113 - /portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
Date Tue, 02 Feb 2016 13:13:18 GMT
Author: woonsan
Date: Tue Feb  2 13:13:18 2016
New Revision: 1728113

URL: http://svn.apache.org/viewvc?rev=1728113&view=rev
Log:
Remove the javascript: portion of the url input, if any, for security reasons.

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java?rev=1728113&r1=1728112&r2=1728113&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
Tue Feb  2 13:13:18 2016
@@ -33,8 +33,8 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.PathSegment;
-import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
@@ -300,6 +300,14 @@ public class PageManagementService
                                    @FormParam("url") String url)
     {
         RequestContext requestContext = (RequestContext) servletRequest.getAttribute(RequestContext.REQUEST_PORTALENV);
+
+        // For security reason, strip off any part in URL having 'javascript:'.
+        int offset = StringUtils.indexOfIgnoreCase(url, "javascript:");
+        if (offset != -1) {
+            log.warn("A url having javascript: protocol was stripped off: '{}'.", url);
+            url = url.substring(0, offset);
+        }
+
         String path = PathSegmentUtils.joinWithPrefix(pathSegments, "/", "/");
         
         try
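Review bot: The new check at `int offset = StringUtils.indexOfIgnoreCase(url, "javascript:")` silently truncates the submitted URL and stores the remainder, so a request that fails the check is still accepted with a mutated value instead of being rejected, and a deny-list on one literal scheme string does not cover other active schemes or spellings with embedded whitespace or control characters. Since the file already imports WebApplicationException and Response.Status, a rejection is a one-line change inside the branch: `throw new WebApplicationException(Status.BAD_REQUEST);` in place of `url = url.substring(0, offset);`. A more robust approach is to parse with `java.net.URI` and allow-list the expected schemes (presumably http/https plus scheme-less relative paths — confirm against how `url` is consumed downstream), which would need a new import. The warn call also writes the raw user-supplied value into the log; if the logger is not SLF4J-style the `{}` placeholder will not be expanded, which I cannot confirm from the hunk. The enclosing method begins before this hunk and continues past the `try` line.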




