You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@myfaces.apache.org by mk...@apache.org on 2015/05/04 17:07:13 UTC
svn commit: r1677613 - in /myfaces/portlet-bridge/core:
branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/
trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/
Author: mkienenb
Date: Mon May 4 15:07:12 2015
New Revision: 1677613
URL: http://svn.apache.org/r1677613
Log:
PORTLETBRIDGE-236 Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values (Thanks to Ross Clewley for providing these patches)
Modified:
myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java
myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java
Modified: myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java
URL: http://svn.apache.org/viewvc/myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java?rev=1677613&r1=1677612&r2=1677613&view=diff
==============================================================================
--- myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java (original)
+++ myfaces/portlet-bridge/core/branches/alpha_3.0.x/impl/src/main/java/org/apache/myfaces/portlet/faces/context/PortletExternalContextImpl.java Mon May 4 15:07:12 2015
@@ -2068,11 +2068,12 @@ public class PortletExternalContextImpl
String requestedMode = mPortletRequest.getPortletMode().toString();
// See if the portlet has specified the target view
- String viewId = (String) mPortletRequest.getAttribute(Bridge.VIEW_ID);
+ // Set to null if the viewId contains invalid characters.
+ String viewId = excludeInvalid((String)mPortletRequest.getAttribute(Bridge.VIEW_ID));
String viewPath = null;
if (viewId == null)
{
- viewPath = (String) mPortletRequest.getAttribute(Bridge.VIEW_PATH);
+ viewPath = excludeInvalid((String)mPortletRequest.getAttribute(Bridge.VIEW_PATH));
if (viewPath != null)
{
//convert the view path into a viewId
@@ -2109,6 +2110,8 @@ public class PortletExternalContextImpl
modeChanged = true;
viewId = null; // didn't match so don't use it
}
+ // Set to null if the viewId contains invalid characters.
+ viewId = excludeInvalid(viewId);
}
}
}
@@ -2193,6 +2196,22 @@ public class PortletExternalContextImpl
return viewId;
}
+ /**
+ * Return null if the passed String contains characters that would be invalid in a filename.
+ *
+ * Return the string unchanged otherwise.
+ * @param s the String to check
+ * @return The String unchanged or null if the it contains restricted characters.
+ */
+ private String excludeInvalid(String s)
+ {
+ if ((s != null) && (s.indexOf(':') >= 0))
+ {
+ s = null;
+ }
+ return s;
+ }
+
private void updateViewChainAttribute(String mode, String viewId, boolean modeChanged)
{
QueryString qs = new QueryString("UTF8");
Modified: myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java
URL: http://svn.apache.org/viewvc/myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java?rev=1677613&r1=1677612&r2=1677613&view=diff
==============================================================================
--- myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java (original)
+++ myfaces/portlet-bridge/core/trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/context/BridgeContextImpl.java Mon May 4 15:07:12 2015
@@ -863,12 +863,13 @@ public class BridgeContextImpl extends B
boolean modeChanged = false;
String requestedMode = request.getPortletMode().toString();
- // See if the portlet has specified the target view
- String viewId = (String) request.getAttribute(Bridge.VIEW_ID);
+ // See if the portlet has specified the target view.
+ // Set to null if the attribute contains inalid characters
+ String viewId = excludeInvalid((String) request.getAttribute(Bridge.VIEW_ID));
String viewPath = null;
if (viewId == null)
{
- viewPath = (String) request.getAttribute(Bridge.VIEW_PATH);
+ viewPath = excludeInvalid((String) request.getAttribute(Bridge.VIEW_PATH));
if (viewPath != null)
{
//convert the view path into a viewId
@@ -915,6 +916,8 @@ public class BridgeContextImpl extends B
modeChanged = true;
viewId = null; // didn't match so don't use it
}
+ // Set to null if the viewId contains invalid characters.
+ viewId = excludeInvalid(viewId);
}
}
}
@@ -926,6 +929,22 @@ public class BridgeContextImpl extends B
return viewId;
}
+ /**
+ * Return null if the passed String contains characters that would be invalid in a filename.
+ *
+ * Return the string unchanged otherwise.
+ * @param s the String to check
+ * @return The String unchanged or null if the it contains restricted characters.
+ */
+ private String excludeInvalid(String s)
+ {
+ if ((s != null) && (s.indexOf(':') >= 0))
+ {
+ s = null;
+ }
+ return s;
+ }
+
private String excludeQueryString(String url)
{
int queryStart = url.indexOf('?');