Posted to commits@rave.apache.org by ja...@apache.org on 2011/08/23 14:02:51 UTC
svn commit: r1160644 - in /incubator/rave/trunk/rave-portal/src:
main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java
main/resources/messages.properties
test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java
Author: jasha
Date: Tue Aug 23 12:02:50 2011
New Revision: 1160644
URL: http://svn.apache.org/viewvc?rev=1160644&view=rev
Log:
RAVE-123 restrict user name characters (to prevent certain vulnerabilities)
Modified:
incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java
incubator/rave/trunk/rave-portal/src/main/resources/messages.properties
incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java
Modified: incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java (original)
+++ incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java Tue Aug 23 12:02:50 2011
@@ -33,6 +33,7 @@ public class NewAccountValidator impleme
private final Logger logger = LoggerFactory.getLogger(getClass());
+ private static final String USERNAME_PATTERN = "[\\w\\+\\-\\.@]{2,}";
private UserService userService;
@Autowired
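Review bot: `USERNAME_PATTERN` is declared as a `String` and (per the second hunk) fed to `String.matches`, which recompiles the regex on every validation; compile it once instead: `private static final Pattern USERNAME_PATTERN = Pattern.compile("[\\w\\+\\-\\.@]{2,}");` (adding `import java.util.regex.Pattern;` if the file does not already have it) and match with `USERNAME_PATTERN.matcher(username).matches()`. The quantifier `{2,}` sets no upper bound, so an arbitrarily long username passes validation and goes on to the user lookup and storage; a maximum that matches whatever limit the user table or display layer imposes (not visible here) would close that off. Java's `\w` is ASCII-only unless `UNICODE_CHARACTER_CLASS` is set, so non-ASCII letters are rejected — reasonable for a whitelist, but worth a comment on the constant such as `// ASCII-only on purpose: \w is not Unicode-aware here` so it is not "fixed" later.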
@@ -49,20 +50,20 @@ public class NewAccountValidator impleme
NewUser newUser = (NewUser) obj;
//check if the username is null or empty
- if (StringUtils.isBlank(newUser.getUsername())) {
+ final String username = newUser.getUsername();
+ if (StringUtils.isBlank(username)) {
errors.rejectValue("username", "username.required");
logger.info("Username required");
}
- //check if username length is less than 2
- else if (newUser.getUsername().length() < 2) {
- errors.rejectValue("username", "username.invalid.length");
+ // at least 2 characters of the following: a-z A-Z 0-9 _ - + . @
+ else if (!username.matches(USERNAME_PATTERN)) {
+ errors.rejectValue("username", "username.invalid.pattern");
logger.info("Username must be atleast 2 characters long");
}
//check if username is already in use
-
- else if (userService.getUserByUsername(newUser.getUsername()) != null) {
+ else if (userService.getUserByUsername(username) != null) {
errors.rejectValue("username", "username.exits");
logger.info("Username already exists");
}
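Review bot: The log line under the new pattern branch still reads `logger.info("Username must be atleast 2 characters long")`, which is misleading for a name like `a b` that is long enough but contains a disallowed character; log the real reason, e.g. `logger.info("Username rejected: contains characters outside the allowed set")`, without echoing the attacker-controlled value. The whitelist is sound defense in depth, but the test added in this commit uses a SQL injection payload as its example, and a character filter must not be the only thing between that input and the database — `userService.getUserByUsername` (not visible here) should bind the name as a query parameter regardless of what this validator accepts. The `username.invalid.length` message key is no longer referenced by this method, so it is likely dead unless another validator still uses it.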
Modified: incubator/rave/trunk/rave-portal/src/main/resources/messages.properties
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/main/resources/messages.properties?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/main/resources/messages.properties (original)
+++ incubator/rave/trunk/rave-portal/src/main/resources/messages.properties Tue Aug 23 12:02:50 2011
@@ -19,6 +19,8 @@
username.required=Username required
username.invalid.length=Username must be atleast 2 characters long
+username.invalid.pattern=Username must be at least 2 characters long and may only contain letters, numbers, \
+ _-+.@
username.exits=Username already exists
password.required=Password required
Modified: incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java (original)
+++ incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java Tue Aug 23 12:02:50 2011
@@ -127,6 +127,24 @@ public class NewAccountValidatorTest {
}
@Test
+ public void testValidationFailsOnIllegalCharacters() throws Exception {
+ NewUser newUser = new NewUser();
+ final String badUsername = "x'; DROP TABLE members; --";
+ newUser.setUsername(badUsername);
+ newUser.setPassword(VALID_PASSWORD);
+ newUser.setConfirmPassword(VALID_PASSWORD);
+ newUser.setPageLayout(VALID_PAGELAYOUT);
+ Errors errors = new BindException(newUser, NEW_USER);
+ expect(mockUserService.getUserByUsername(badUsername)).andReturn(null);
+ replay(mockUserService);
+
+ newAccountValidator.validate(newUser, errors);
+
+ assertTrue("Validation errors", errors.hasErrors());
+ assertNotNull(errors.getFieldError(FIELD_USERNAME));
+ }
+
+ @Test
public void testValidationFailsOnShortPassword() throws Exception {
NewUser newUser = new NewUser();
newUser.setUsername(VALID_NAME);
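Review bot: The expectation `expect(mockUserService.getUserByUsername(badUsername)).andReturn(null)` in `testValidationFailsOnIllegalCharacters` can never be met, because the validator's else-if chain rejects the name on the pattern check before the lookup runs, and without a `verify(mockUserService)` the unmet expectation is silently ignored. The property worth pinning is exactly that the malicious string never reaches the service: drop the `expect`, and — if the mock is a default (non-nice) EasyMock mock, which is not visible here — an unexpected call will then fail at call time, with `verify(mockUserService);` after `validate` making the intent explicit. Also assert the specific code rather than any field error, e.g. `assertEquals("username.invalid.pattern", errors.getFieldError(FIELD_USERNAME).getCode());`, and consider a positive case such as `first.last+tag@example` to show the allowed punctuation still passes. The test class continues past the end of this hunk.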