Posted to scm@geronimo.apache.org by jb...@apache.org on 2009/03/25 14:39:49 UTC
svn commit: r758252 [2/2] - in /geronimo/server/branches/2.1.4:
framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/
framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/util/
framework/modules/ge...
Modified: geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp (original)
+++ geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp Wed Mar 25 13:39:24 2009
@@ -508,7 +508,7 @@
<tr>
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
- <td align="right"><textarea rows="5" cols="50" name="description"><%=description%></textarea></td>
+ <td align="right"><textarea rows="5" cols="50" name="minxss_description"><%=description%></textarea></td>
<td></td>
</tr>
<tr>
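Review bot: The renamed textarea on the new line still writes `<%=description%>` into the page unencoded, so whatever relaxation the `minxss_` prefix buys on input (the XSSXSRFFilter class is not on the page, but the prefix suggests it marks this parameter for lighter checking) is not matched by any output encoding where the stored description is rendered back; a description containing a closing `</textarea>` tag would terminate the element and be interpreted as markup. Output encoding is the control that does not depend on the filter's rules, so I would change the line to `<td align="right"><textarea rows="5" cols="50" name="minxss_description"><c:out value="<%= description %>"/></textarea></td>`, assuming the JSTL core taglib is declared alongside the `fmt` one already in use. The same pattern appears in the second hunk of monitoringEditView.jsp in this commit and should be fixed there too.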
Modified: geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp (original)
+++ geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp Wed Mar 25 13:39:24 2009
@@ -73,7 +73,7 @@
}
function validate() {
if (! (document.editView.name.value
- && document.editView.description.value ))
+ && document.editView.minxss_description.value ))
{
alert("Name and Description are required fields");
return false;
@@ -128,7 +128,7 @@
<tr>
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
- <td align="right"><textarea rows="5" cols="50" name="description"><%=description%></textarea></td>
+ <td align="right"><textarea rows="5" cols="50" name="minxss_description"><%=description%></textarea></td>
</tr>
<tr>
<td valign="top"><fmt:message key="monitor.common.graph"/>:</td>
Modified: geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1.4/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml Wed Mar 25 13:39:24 2009
@@ -19,6 +19,23 @@
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ <init-param>
+ <param-name>enableXSRF</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
+
<servlet>
<servlet-name>monitoring</servlet-name>
<servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
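Review bot: The new filter registration sets `enableXSRF` to `false` without a comment saying why, so a reader cannot tell whether the monitoring console deliberately opts out of the XSRF check (for example because its portlet form posts do not carry the token) or whether this is a leftover from testing. Record the reason next to the param, e.g. `<!-- XSRF check disabled for this webapp: TODO state reason; only the XSS part of the filter is active -->`. The welcome webapp's registration of the same filter later in this commit omits the param entirely and so relies on the filter's default, which is not visible here; stating the value explicitly in both web.xml files would make the intended posture clear. The same class is also registered as a `listener-class`, which presumably works because XSSXSRFFilter implements a listener interface as well — the class is not on the page, so worth confirming.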
Modified: geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java (original)
+++ geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java Wed Mar 25 13:39:24 2009
@@ -25,6 +25,8 @@
import java.sql.SQLException;
import java.sql.Statement;
+import org.apache.geronimo.kernel.util.InputUtils;
+
public class RunSQLHelper {
private final static Log log = LogFactory.getLog(RunSQLHelper.class);
@@ -46,6 +48,10 @@
private static final String BAK_PREFIX = "BAK_";
public String createDB(String dbName) {
+
+ // ensure there are no illegal chars in DB name
+ InputUtils.validateSafeInput(dbName);
+
String result = DB_CREATED_MSG + ": " + dbName;
Connection conn = null;
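Review bot: The added `InputUtils.validateSafeInput(dbName)` call changes createDB's contract — an unsafe name is now rejected before any work is done — but nothing documents what "rejected" means for the caller, and InputUtils is not on the page, so the exception type and the rule applied cannot be read from here. Add a Javadoc on createDB with an `@throws` clause naming whatever validateSafeInput throws, and a why-comment that ties the check to the client-side rule: `// server-side counterpart of the illegalChars regex in runSQLNormal.jsp; keep both in sync`. It is also worth confirming that validateSafeInput is an allowlist of identifier characters rather than a mirror of the JSP's denylist, since dbName is still used to build `result` on the next line and presumably the statement further down. createDB's body continues outside the hunk.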
Modified: geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp (original)
+++ geronimo/server/branches/2.1.4/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp Wed Mar 25 13:39:24 2009
@@ -28,9 +28,16 @@
var <portlet:namespace/>requiredFields2 = new Array("sqlStmts");
function <portlet:namespace/>validateForm1(){
+ var illegalChars= /[\.]{2}|[()<>,;:\\/"'\|]/ ;
var action = document.forms[<portlet:namespace/>formName].elements['action'];
action.value="Create";
- return textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields);
+ if (!textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields))
+ {
+ return false;
+ } else if (document.forms[<portlet:namespace/>formName].createDB.value.match(illegalChars)) {
+ alert("Database name contains illegal characters");
+ return false;
+ }
}
function <portlet:namespace/>validateForm2(){
var action = document.forms[<portlet:namespace/>formName].elements['action'];
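Review bot: validateForm1 no longer returns a value when both checks pass: the old line returned the result of textElementsNotEmpty, while the new if/else-if chain only ever returns `false` and otherwise falls off the end. An onsubmit handler that yields undefined does not cancel submission, so the form still submits, but the function's result is no longer a boolean and a caller that tests it with `=== true` would break; add `return true;` after the closing brace of the else-if branch, just before the function's closing brace. The regex check here is a usability aid rather than a security boundary, so the server-side validateSafeInput call added to RunSQLHelper.createDB in this commit should be treated as the effective control and the two character rules kept in step.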
Modified: geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/pom.xml?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/pom.xml (original)
+++ geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/pom.xml Wed Mar 25 13:39:24 2009
@@ -40,6 +40,12 @@
<dependencies>
<dependency>
+ <groupId>org.apache.geronimo.plugins</groupId>
+ <artifactId>console-filter</artifactId>
+ <version>${version}</version>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>geronimo-plugin</artifactId>
<version>${version}</version>
Modified: geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml?rev=758252&r1=758251&r2=758252&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1.4/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml Wed Mar 25 13:39:24 2009
@@ -26,46 +26,17 @@
Welcome to Geronimo
</description>
- <!--<servlet>-->
- <!--<servlet-name>jsp_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/jsp-examples-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet>-->
- <!--<servlet-name>servlet_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/servlet-examples-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet>-->
- <!--<servlet-name>ldap_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/ldap-sample-app-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet-mapping>-->
- <!--<servlet-name>jsp_sample_installer</servlet-name>-->
- <!--<url-pattern>/jsp-examples/*</url-pattern>-->
- <!--</servlet-mapping>-->
-
- <!--<servlet-mapping>-->
- <!--<servlet-name>servlet_sample_installer</servlet-name>-->
- <!--<url-pattern>/servlets-examples/*</url-pattern>-->
- <!--</servlet-mapping>-->
-
- <!---<servlet-mapping>-->
- <!--<servlet-name>ldap_sample_installer</servlet-name>-->
- <!--<url-pattern>/ldap-demo/*</url-pattern>-->
- <!--</servlet-mapping>-->
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
</web-app>