You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@myfaces.apache.org by mk...@apache.org on 2015/05/04 17:07:13 UTC

svn commit: r1677613 - in /myfaces/portlet-bridge/core: branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/ trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/

Author: mkienenb
Date: Mon May  4 15:07:12 2015
New Revision: 1677613

URL: http://svn.apache.org/r1677613
Log:
PORTLETBRIDGE-236 Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values (Thanks to Ross Clewley for providing these patches)

Modified:
    myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java
    myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java

Modified: myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java
URL: http://svn.apache.org/viewvc/myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java?rev=1677613&r1=1677612&r2=1677613&view=diff
==============================================================================
--- myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java (original)
+++ myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java Mon May  4 15:07:12 2015
@@ -2068,11 +2068,12 @@ public class PortletExternalContextImpl
     String requestedMode = mPortletRequest.getPortletMode().toString();
     
     // See if the portlet has specified the target view
-    String viewId = (String) mPortletRequest.getAttribute(Bridge.VIEW_ID);
+    // Set to null if the viewId contains invalid characters.
+    String viewId = excludeInvalid((String)mPortletRequest.getAttribute(Bridge.VIEW_ID));
     String viewPath = null;
     if (viewId == null)
     {
-      viewPath = (String) mPortletRequest.getAttribute(Bridge.VIEW_PATH);
+      viewPath = excludeInvalid((String)mPortletRequest.getAttribute(Bridge.VIEW_PATH));
       if (viewPath != null)
       {
         //convert the view path into a viewId
@@ -2109,6 +2110,8 @@ public class PortletExternalContextImpl
             modeChanged = true;
             viewId = null; // didn't match so don't use it
           }
+          // Set to null if the viewId contains invalid characters.
+          viewId = excludeInvalid(viewId);
         }
       }
     }
@@ -2193,6 +2196,22 @@ public class PortletExternalContextImpl
     return viewId;
   }
 
+  /**
+   * Return null if the passed String contains characters that would be invalid in a filename.
+   * 
+   * Return the string  unchanged otherwise.
+   * @param s  the String to check
+   * @return The String unchanged or null if the it contains restricted characters. 
+   */
+  private String excludeInvalid(String s)
+  {
+    if ((s != null) && (s.indexOf(':') >= 0))
+    {
+      s = null;
+    }
+    return s;
+  }
+
   private void updateViewChainAttribute(String mode, String viewId, boolean modeChanged)
   {
     QueryString qs = new QueryString("UTF8");

Modified: myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java
URL: http://svn.apache.org/viewvc/myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java?rev=1677613&r1=1677612&r2=1677613&view=diff
==============================================================================
--- myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java (original)
+++ myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java Mon May  4 15:07:12 2015
@@ -863,12 +863,13 @@ public class BridgeContextImpl extends B
     boolean modeChanged = false;
     String requestedMode = request.getPortletMode().toString();
     
-    // See if the portlet has specified the target view
-    String viewId = (String) request.getAttribute(Bridge.VIEW_ID);
+    // See if the portlet has specified the target view. 
+    // Set to null if the attribute contains inalid characters
+    String viewId = excludeInvalid((String) request.getAttribute(Bridge.VIEW_ID));
     String viewPath = null;
     if (viewId == null)
     {
-      viewPath = (String) request.getAttribute(Bridge.VIEW_PATH);
+      viewPath = excludeInvalid((String) request.getAttribute(Bridge.VIEW_PATH));
       if (viewPath != null)
       {
         //convert the view path into a viewId
@@ -915,6 +916,8 @@ public class BridgeContextImpl extends B
             modeChanged = true;
             viewId = null; // didn't match so don't use it
           }
+          // Set to null if the viewId contains invalid characters.
+          viewId = excludeInvalid(viewId);
         }
       }
     }
@@ -926,6 +929,22 @@ public class BridgeContextImpl extends B
     return viewId;
   }
   
+  /**
+   * Return null if the passed String contains characters that would be invalid in a filename.
+   * 
+   * Return the string  unchanged otherwise.
+   * @param s  the String to check
+   * @return The String unchanged or null if the it contains restricted characters. 
+   */
+  private String excludeInvalid(String s)
+  {
+    if ((s != null) && (s.indexOf(':') >= 0))
+    {
+      s = null;
+    }
+    return s;
+  }
+  
   private String excludeQueryString(String url)
   {
     int queryStart = url.indexOf('?');