Posted to cvs@cocoon.apache.org by jo...@apache.org on 2003/10/22 13:47:51 UTC
cvs commit: cocoon-2.2/src/webapp/samples/hello-world/style/xsl page2itext.xsl page2swf.xsl page2xls.xsl
joerg 2003/10/22 04:47:51
Modified: src/webapp/samples sitemap.xmap
src/webapp/samples/common/style/xsl/html
simple-page2html.xsl
src/webapp/samples/hello-world/style/xsl page2itext.xsl
page2swf.xsl page2xls.xsl
Log:
fixing bug 23949: security issue through view-source?filename=../../WEB-INF/web.xml in default installation with samples
Revision Changes Path
1.16 +17 -9 cocoon-2.2/src/webapp/samples/sitemap.xmap
Index: sitemap.xmap
===================================================================
RCS file: /home/cvs/cocoon-2.2/src/webapp/samples/sitemap.xmap,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sitemap.xmap 7 Sep 2003 06:16:41 -0000 1.15
+++ sitemap.xmap 22 Oct 2003 11:47:50 -0000 1.16
@@ -102,14 +102,9 @@
<!-- ========================= Utilities ================================ -->
- <map:match pattern="view-source">
- <!-- colourize files that are known to be XML -->
- <map:match type="filename" pattern="((xml)|(xsp)|(xmap)|(xconf))$">
- <map:generate src="common/view-source.xsp" type="serverpages"/>
- <map:serialize/>
- </map:match>
- <!-- all other files are just send as text -->
- <map:read mime-type="text/plain" src="../{request-param:filename}"/>
+ <map:match pattern="**sitemap.xmap">
+ <map:generate src="{0}"/>
+ <map:serialize type="xml"/>
</map:match>
<map:match pattern="linkstatus">
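Review bot: The added `**sitemap.xmap` matcher passes the entire matched request path to the generator as `src="{0}"`, and nothing in this hunk confines that path to the samples tree. It presumably relies on the servlet container and Cocoon's source resolution to normalise parent-directory segments before the match, which should be confirmed given the bug this commit fixes. The matcher also makes every sample sitemap readable by anonymous visitors, which deserves a comment above it, for example `<!-- publicly serves sitemap sources for the samples' "Sitemap" link; sample sitemaps must not contain credentials -->`.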
@@ -163,5 +158,18 @@
</map:match>
</map:pipeline>
+
+ <map:pipeline internal-only="true">
+ <map:match pattern="view-source">
+ <!-- colourize files that are known to be XML -->
+ <map:match type="filename" pattern="((xml)|(xsp)|(xmap)|(xconf))$">
+ <map:generate src="common/view-source.xsp" type="serverpages"/>
+ <map:serialize/>
+ </map:match>
+ <!-- all other files are just send as text -->
+ <map:read mime-type="text/plain" src="../{request-param:filename}"/>
+ </map:match>
+ </map:pipeline>
+
</map:pipelines>
</map:sitemap>
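Review bot: The relocated `view-source` matcher still builds its read path from `../{request-param:filename}` with no validation, so the traversal from bug 23949 is blocked only by `internal-only="true"` on the new pipeline. Any internal `cocoon:` call that reaches this matcher while serving an external request would presumably still see the caller's `filename` parameter. The stylesheet changes in this commit remove the links to view-source, so consider deleting the matcher, or passing the file as a sitemap parameter from a fixed-pattern match instead of a request parameter. If it stays, add a comment such as `<!-- internal-only: filename is unvalidated; never move this matcher into an externally reachable pipeline -->`.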
1.6 +9 -21 cocoon-2.2/src/webapp/samples/common/style/xsl/html/simple-page2html.xsl
Index: simple-page2html.xsl
===================================================================
RCS file: /home/cvs/cocoon-2.2/src/webapp/samples/common/style/xsl/html/simple-page2html.xsl,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- simple-page2html.xsl 20 May 2003 00:50:54 -0000 1.5
+++ simple-page2html.xsl 22 Oct 2003 11:47:51 -0000 1.6
@@ -2,24 +2,10 @@
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ <xsl:param name="contextPath" select="string('/cocoon')"/>
<xsl:param name="servletPath" select="string('/samples')"/>
<xsl:param name="sitemapURI"/>
- <xsl:param name="file"/><!-- relative path to file or file suffix -->
- <xsl:param name="remove"/><!-- path to remove from servletPath -->
- <xsl:param name="contextPath" select="string('/cocoon')"/>
- <xsl:variable name="realpath">
- <xsl:choose>
- <xsl:when test="$remove=''">
- <xsl:value-of select="$servletPath"/>
- </xsl:when>
- <xsl:otherwise>
- <xsl:value-of select="substring-before($servletPath,$remove)"/>
- </xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:variable name="path" select="concat($contextPath,'/samples/view-source?filename=')"/>
- <xsl:variable name="view-source" select="concat($realpath,$file)"/>
<xsl:variable name="directory" select="substring-before($servletPath,$sitemapURI)"/>
<!-- assume that sitemapURIs don't occur in servletPath more than once -->
<xsl:variable name="sitemap" select="concat($directory,'sitemap.xmap')"/>
@@ -44,29 +30,31 @@
<tr>
<td width="90%"> </td>
<td nowrap="nowrap">
- <a target="_blank" href="{concat($contextPath,$servletPath,'?cocoon-view=content')}">Content View</a>
+ <a href="?cocoon-view=content">Content View</a>
</td>
<td nowrap="nowrap">
- <a target="_blank" href="{concat($path,$view-source)}">Source</a>
+ <a href="?cocoon-view=pretty-content">Source</a>
</td>
<td nowrap="nowrap">
- <a target="_blank" href="{concat($path,$sitemap)}">Sitemap</a>
+ <a href="{$sitemap}?cocoon-view=pretty-content">Sitemap</a>
</td>
<xsl:for-each select="resources/resource">
<td class="{@type}">
<xsl:choose>
<xsl:when test="@type='file'">
- <a target="_blank" href="{concat($path,$directory,@href)}">
+ <a href="{@href}">
+ <!-- we need an explicite match in the sitemap showing
+ the source of these resources -->
<xsl:apply-templates/>
</a>
</xsl:when>
<xsl:when test="@type='doc'">
- <a target="_blank" href="{concat($contextPath,'/docs/',@href)}">
+ <a href="{concat($contextPath,'/docs/',@href)}">
<xsl:apply-templates/>
</a>
</xsl:when>
<xsl:otherwise>
- <a target="_blank" href="{concat($contextPath,'/',@href)}">
+ <a href="{concat($contextPath,'/',@href)}">
<xsl:apply-templates/>
</a>
</xsl:otherwise>
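Review bot: The new Sitemap link `href="{$sitemap}?cocoon-view=pretty-content"` omits `$contextPath`, although `$sitemap` is built from `$directory`, which is taken from `$servletPath` and so looks like an absolute path. If that is right, the link resolves against the host root and breaks whenever the webapp is not deployed at `/`. The `doc` and default branches in the same hunk do prefix `$contextPath`, so the consistent form would be `<a href="{concat($contextPath,$sitemap)}?cocoon-view=pretty-content">Sitemap</a>`. The `file` branch now links to a bare `{@href}`, and its own comment says a sitemap match for it is still missing, so those links may not show source until that match is added.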
1.3 +1 -3 cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2itext.xsl
Index: page2itext.xsl
===================================================================
RCS file: /home/cvs/cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2itext.xsl,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- page2itext.xsl 7 May 2003 04:57:13 -0000 1.2
+++ page2itext.xsl 22 Oct 2003 11:47:51 -0000 1.3
@@ -4,8 +4,6 @@
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
- <xsl:param name="view-source"/>
-
<xsl:template match="page">
<itext>
<paragraph size="18" align="Center">
1.6 +1 -3 cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2swf.xsl
Index: page2swf.xsl
===================================================================
RCS file: /home/cvs/cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2swf.xsl,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- page2swf.xsl 8 May 2003 00:22:38 -0000 1.5
+++ page2swf.xsl 22 Oct 2003 11:47:51 -0000 1.6
@@ -16,8 +16,6 @@
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-<xsl:param name="view-source"/>
-
<xsl:template match="page">
<SWF version="5" framerate="12.0" width="320.0" height="240.0">
<RawData type="9">//// </RawData>
1.3 +1 -3 cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2xls.xsl
Index: page2xls.xsl
===================================================================
RCS file: /home/cvs/cocoon-2.2/src/webapp/samples/hello-world/style/xsl/page2xls.xsl,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- page2xls.xsl 7 May 2003 04:57:13 -0000 1.2
+++ page2xls.xsl 22 Oct 2003 11:47:51 -0000 1.3
@@ -6,8 +6,6 @@
xmlns:sql="http://apache.org/cocoon/SQL/2.0"
xmlns:gmr="http://www.gnome.org/gnumeric/v7" >
- <xsl:param name="view-source"/>
-
<xsl:template match="page">
<gmr:Workbook xmlns:gmr="http://www.gnome.org/gnumeric/v7">
<gmr:Sheets>