Posted to commits@jackrabbit.apache.org by re...@apache.org on 2016/02/26 11:16:07 UTC

svn commit: r1732446 - in /jackrabbit/branches/2.2: ./ jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/ jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/ jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/

Author: reschke
Date: Fri Feb 26 10:16:06 2016
New Revision: 1732446

URL: http://svn.apache.org/viewvc?rev=1732446&view=rev
Log:
JCR-3950: fix XSS vulnerability in DirListingExportHandler (ported to 2.2)

Modified:
    jackrabbit/branches/2.2/   (props changed)
    jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
    jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
    jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java

Propchange: jackrabbit/branches/2.2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 26 10:16:06 2016
@@ -4,4 +4,4 @@
 /jackrabbit/sandbox/JCR-1456:774917-886178
 /jackrabbit/sandbox/JCR-2170:812417-816332
 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109
 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101,1680757
+/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109
 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101,1680757,1732436

Modified: jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?rev=1732446&r1=1732445&r2=1732446&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java (original)
+++ jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java Fri Feb 26 10:16:06 2016
@@ -209,13 +209,28 @@ public class Text {
     }
 
     /**
-     * Replaces illegal XML characters in the given string by their corresponding
-     * predefined entity references.
+     * Replaces XML characters in the given string that might need escaping
+     * as XML text or attribute
      *
      * @param text text to be escaped
      * @return a string
      */
     public static String encodeIllegalXMLCharacters(String text) {
+        return encodeMarkupCharacters(text, false);
+    }
+
+    /**
+     * Replaces HTML characters in the given string that might need escaping
+     * as HTML text or attribute
+     *
+     * @param text text to be escaped
+     * @return a string
+     */
+    public static String encodeIllegalHTMLCharacters(String text) {
+        return encodeMarkupCharacters(text, true);
+    }
+
+    private static String encodeMarkupCharacters(String text, boolean isHtml) {
         if (text == null) {
             throw new IllegalArgumentException("null argument");
         }
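Review bot: The new public Javadoc on `encodeIllegalXMLCharacters` and `encodeIllegalHTMLCharacters` does not mention that both throw on a `null` argument, which the shared body does at the `throw new IllegalArgumentException("null argument")` line; add `@throws IllegalArgumentException if {@code text} is {@code null}` to each. The HTML variant's summary should also state the context it is safe for, since callers in DirListingExportHandler now rely on it as the XSS defence: something like "Encodes text for use as HTML element content or inside a double-quoted attribute value; it does not make a string safe for JavaScript, CSS or URL contexts, which need their own encoding." The phrase "that might need escaping" in the new summaries is vague — the method escapes a fixed set of characters, so say "Replaces the characters that are significant in XML (or HTML) markup with entity references".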
@@ -250,7 +265,7 @@ public class Text {
             } else if (ch == '"') {
                 buf.append(""");
             } else if (ch == '\'') {
-                buf.append("'");
+                buf.append(isHtml ? "'" : "'");
             }
         }
         if (buf == null) {
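Review bot: The `isHtml` flag changes only the apostrophe branch, and the reason is not recorded anywhere in the code; a reader will be tempted to "simplify" it back. Add a why-comment on the changed line: `// HTML 4 defines no &apos; entity, so emit the numeric reference for HTML; XML keeps its predefined entity`. Note that `&#39;` is also valid XML, so the flag could be dropped entirely, but that would change the output of `encodeIllegalXMLCharacters`, which the new test pins to `&apos;`, so keeping the split is the compatible choice. The enclosing method starts outside this hunk.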

Modified: jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java?rev=1732446&r1=1732445&r2=1732446&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java (original)
+++ jackrabbit/branches/2.2/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java Fri Feb 26 10:16:06 2016
@@ -195,4 +195,11 @@ public class TextTest extends TestCase {
         assertEquals("local\"name", Text.escapeIllegalJcrChars("local\"name"));
     }
 
+    public void testEscapeXML() {
+        assertEquals("&amp;&lt;&gt;&apos;&quot;", Text.encodeIllegalXMLCharacters("&<>'\""));
+    }
+
+    public void testEscapeHTML() {
+        assertEquals("&amp;&lt;&gt;&#39;&quot;", Text.encodeIllegalHTMLCharacters("&<>'\""));
+    }
 }
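Review bot: The two new tests exercise only the five escaped characters; they do not cover the pass-through path (`buf == null` in the encoder, where input with nothing to escape is returned unchanged) or the `IllegalArgumentException` thrown for a `null` argument. Add `assertEquals("plain text", Text.encodeIllegalHTMLCharacters("plain text"));` and a matching XML assertion, plus a test that calls each method with `null` inside a `try` block and fails unless `IllegalArgumentException` is caught. A mixed-content case such as `"<b>&\"x\"'</b>"` would also guard against an encoder that only handles a string consisting entirely of specials.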

Modified: jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java?rev=1732446&r1=1732445&r2=1732446&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java (original)
+++ jackrabbit/branches/2.2/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java Fri Feb 26 10:16:06 2016
@@ -146,14 +146,14 @@ public class DirListingExportHandler imp
                 String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
                 String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
                 writer.print("<html><head><title>");
-                writer.print(repName);
+                writer.print(Text.encodeIllegalHTMLCharacters(repName));
                 writer.print(" ");
-                writer.print(repVersion);
+                writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
                 writer.print(" ");
-                writer.print(item.getPath());
+                writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
                 writer.print("</title></head>");
                 writer.print("<body><h2>");
-                writer.print(item.getPath());
+                writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
                 writer.print("</h2><ul>");
                 writer.print("<li><a href=\"..\">..</a></li>");
                 if (item.isNode()) {
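Review bot: Wrapping `repName` and `repVersion` in `Text.encodeIllegalHTMLCharacters` introduces a null-handling change: the encoder throws `IllegalArgumentException` on a null argument, whereas the old `writer.print(repName)` would have printed the literal `null`. The values come from `rep.getDescriptor(...)`, and the JCR API permits that to return null for a descriptor the repository does not define (I cannot tell from the hunk whether every repository this handler serves sets them); an `IllegalArgumentException` is not a `RepositoryException`, so it would escape the surrounding `catch` and abort the listing. A private helper such as `private static String enc(String s) { return s == null ? "" : Text.encodeIllegalHTMLCharacters(s); }` used at each sink keeps the encoding and makes the null case explicit. The enclosing method starts before this hunk.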
@@ -162,21 +162,21 @@ public class DirListingExportHandler imp
                         Node child = iter.nextNode();
                         String label = Text.getName(child.getPath());
                         writer.print("<li><a href=\"");
-                        writer.print(Text.escape(label));
+                        writer.print(Text.encodeIllegalHTMLCharacters(Text.escape(label)));
                         if (child.isNode()) {
                             writer.print("/");
                         }
                         writer.print("\">");
-                        writer.print(Text.encodeIllegalXMLCharacters(label));
+                        writer.print(Text.encodeIllegalHTMLCharacters(label));
                         writer.print("</a></li>");
                     }
                 }
                 writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");
-                writer.print(repURL);
+                writer.print(Text.encodeIllegalHTMLCharacters(repURL));
                 writer.print("\">");
-                writer.print(repName);
+                writer.print(Text.encodeIllegalHTMLCharacters(repName));
                 writer.print("</a> version ");
-                writer.print(repVersion);
+                writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
                 writer.print("</em></body></html>");
             } catch (RepositoryException e) {
                 // should not occur
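Review bot: Encoding `repURL` before it is written into the `href` attribute stops it breaking out of the attribute, but attribute encoding is not URL validation: a value with a `javascript:` scheme would still be emitted as a clickable link. The value is a repository descriptor rather than request input, so the exposure is limited to whoever controls the repository configuration, but if that is not trusted the sink should also check the scheme, for example `if (repURL != null && (repURL.startsWith("http://") || repURL.startsWith("https://")))` before emitting the anchor, and otherwise print the name without a link. The child-link `href` a few lines earlier is built from `Text.escape(label)` and then HTML-encoded, which is the correct order (URL-encode first, then attribute-encode) and deserves a one-line comment saying so. The enclosing method starts before this hunk.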
@@ -210,14 +210,14 @@ public class DirListingExportHandler imp
                 String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
                 String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
                 writer.print("<html><head><title>");
-                writer.print(repName);
+                writer.print(Text.encodeIllegalHTMLCharacters(repName));
                 writer.print(" ");
-                writer.print(repVersion);
+                writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
                 writer.print(" ");
-                writer.print(resource.getResourcePath());
+                writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
                 writer.print("</title></head>");
                 writer.print("<body><h2>");
-                writer.print(resource.getResourcePath());
+                writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
                 writer.print("</h2><ul>");
                 writer.print("<li><a href=\"..\">..</a></li>");
                 DavResourceIterator iter = resource.getMembers();
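Review bot: This hunk is a second copy of the title/heading preamble in the `Item` overload above, with the same eight `encodeIllegalHTMLCharacters` calls repeated; a missed sink in either copy would reopen the XSS this commit fixes, and the same null-descriptor concern (the encoder throws `IllegalArgumentException` on null, which the `RepositoryException` catch below does not cover) applies here too. Extract the shared preamble into one private helper so that the encoding and any null guard live in a single place. The type of `writer` is declared outside the hunk; I have assumed `java.io.PrintWriter` below. The enclosing method starts before this hunk.

```java
/** Writes the listing preamble; every caller-supplied value is HTML-encoded before it reaches the writer. */
private static void writeListingHeader(PrintWriter writer, String repName, String repVersion, String path) {
    writer.print("<html><head><title>");
    writer.print(Text.encodeIllegalHTMLCharacters(repName));
    writer.print(" ");
    writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
    writer.print(" ");
    writer.print(Text.encodeIllegalHTMLCharacters(path));
    writer.print("</title></head>");
    writer.print("<body><h2>");
    writer.print(Text.encodeIllegalHTMLCharacters(path));
    writer.print("</h2><ul>");
    writer.print("<li><a href=\"..\">..</a></li>");
}
// … unchanged: both exportData overloads then call writeListingHeader(writer, repName, repVersion, <path>) …
```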
@@ -225,17 +225,17 @@ public class DirListingExportHandler imp
                     DavResource child = iter.nextResource();
                     String label = Text.getName(child.getResourcePath());
                     writer.print("<li><a href=\"");
-                    writer.print(child.getHref());
+                    writer.print(Text.encodeIllegalHTMLCharacters(child.getHref()));
                     writer.print("\">");
-                    writer.print(Text.encodeIllegalXMLCharacters(label));
+                    writer.print(Text.encodeIllegalHTMLCharacters(label));
                     writer.print("</a></li>");
                 }
                 writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");
-                writer.print(repURL);
+                writer.print(Text.encodeIllegalHTMLCharacters(repURL));
                 writer.print("\">");
-                writer.print(repName);
+                writer.print(Text.encodeIllegalHTMLCharacters(repName));
                 writer.print("</a> version ");
-                writer.print(repVersion);
+                writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
                 writer.print("</em></body></html>");
             } catch (RepositoryException e) {
                 // should not occur
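Review bot: The encoding of `child.getHref()` inside the `href` attribute is correct but non-obvious, because a URL containing `&` must be serialised as `&amp;` inside an HTML attribute and the browser decodes it back; without a comment this is the line most likely to be "cleaned up" by a later maintainer on the assumption that a URL needs no HTML escaping. Add above it: `// HTML-encode the href as well: '&' and quotes in a URL must be entity-encoded inside an attribute value`. As in the other hunks, the descriptor values written in the footer will throw `IllegalArgumentException` rather than print `null` if a descriptor is absent, and that exception is not caught by the `RepositoryException` handler that ends this hunk. The enclosing method starts before this hunk.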