You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by cz...@apache.org on 2013/10/16 18:33:12 UTC

svn commit: r1532812 - /sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java

Author: cziegeler
Date: Wed Oct 16 16:33:11 2013
New Revision: 1532812

URL: http://svn.apache.org/r1532812
Log:
SLING-3182 : Filter out invalid alias values

Modified:
    sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java

Modified: sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java?rev=1532812&r1=1532811&r2=1532812&view=diff
==============================================================================
--- sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java (original)
+++ sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/mapping/MapEntries.java Wed Oct 16 16:33:11 2013
@@ -512,12 +512,8 @@ public class MapEntries implements Event
                 resourceName = resource.getName();
             }
             Map<String, String> parentMap = map.get(parentPath);
-            if (parentMap == null) {
-                parentMap = new HashMap<String, String>();
-                map.put(parentPath, parentMap);
-            }
             for (final String alias : props.get(ResourceResolverImpl.PROP_ALIAS, String[].class)) {
-                if (parentMap.containsKey(alias)) {
+                if (parentMap != null && parentMap.containsKey(alias)) {
                     log.warn("Encountered duplicate alias {} under parent path {}. Refusing to replace current target {} with {}.", new Object[] {
                             alias,
                             parentPath,
@@ -525,7 +521,27 @@ public class MapEntries implements Event
                             resourceName
                     });
                 } else {
-                    parentMap.put(alias, resourceName);
+                    // check alias
+                    boolean invalid = alias.equals("..") || alias.equals(".");
+                    if ( !invalid ) {
+                        for(final char c : alias.toCharArray()) {
+                            // invalid if / or # or a ?
+                            if ( c == '/' || c == '#' || c == '?' ) {
+                                invalid = true;
+                                break;
+                            }
+                        }
+                    }
+                    if ( invalid ) {
+                        log.warn("Encountered invalid alias {} under parent path {}. Refusing to use it.",
+                                alias, parentPath);
+                    } else {
+                        if (parentMap == null) {
+                            parentMap = new HashMap<String, String>();
+                            map.put(parentPath, parentMap);
+                        }
+                        parentMap.put(alias, resourceName);
+                    }
                 }
             }
         }