Posted to commits@jackrabbit.apache.org by re...@apache.org on 2016/02/26 10:26:21 UTC
svn commit: r1732437 - in /jackrabbit/branches/2.12: ./
jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/
jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/
jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/
Author: reschke
Date: Fri Feb 26 09:26:20 2016
New Revision: 1732437
URL: http://svn.apache.org/viewvc?rev=1732437&view=rev
Log:
JCR-3950: fix XSS vulnerability in DirListingExportHandler (ported to 2.12)
Modified:
jackrabbit/branches/2.12/ (props changed)
jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
jackrabbit/branches/2.12/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
Propchange: jackrabbit/branches/2.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 26 09:26:20 2016
@@ -1,2 +1,3 @@
/jackrabbit/branches/JCR-2272:1173165-1176545
/jackrabbit/sandbox/JCR-2415-lucene-3.0:1060860-1064038
+/jackrabbit/trunk:1732436
Modified: jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?rev=1732437&r1=1732436&r2=1732437&view=diff
==============================================================================
--- jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java (original)
+++ jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java Fri Feb 26 09:26:20 2016
@@ -209,13 +209,28 @@ public class Text {
}
/**
- * Replaces illegal XML characters in the given string by their corresponding
- * predefined entity references.
+ * Replaces XML characters in the given string that might need escaping
+ * as XML text or attribute
*
* @param text text to be escaped
* @return a string
*/
public static String encodeIllegalXMLCharacters(String text) {
+ return encodeMarkupCharacters(text, false);
+ }
+
+ /**
+ * Replaces HTML characters in the given string that might need escaping
+ * as HTML text or attribute
+ *
+ * @param text text to be escaped
+ * @return a string
+ */
+ public static String encodeIllegalHTMLCharacters(String text) {
+ return encodeMarkupCharacters(text, true);
+ }
+
+ private static String encodeMarkupCharacters(String text, boolean isHtml) {
if (text == null) {
throw new IllegalArgumentException("null argument");
}
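Review bot: The new private helper `encodeMarkupCharacters` has no Javadoc, while both public wrappers introduced above it do, so the meaning of the `isHtml` flag is only discoverable by reading down to the apostrophe branch in the next hunk. A one-line comment on the helper, `/** Escapes markup-significant characters; isHtml selects the HTML form of the single-quote replacement, the only point where the XML and HTML wrappers differ. */`, would keep that contract next to the signature. The helper's body continues outside this hunk.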
@@ -250,7 +265,7 @@ public class Text {
} else if (ch == '"') {
buf.append(""");
} else if (ch == '\'') {
- buf.append("'");
+ buf.append(isHtml ? "'" : "'");
}
}
if (buf == null) {
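Review bot: The ternary added in the apostrophe branch reads `isHtml ? "'" : "'"` on this page, i.e. both arms append the same text, which would make the whole HTML/XML split a no-op; the same decoding is visible in the neighbouring `buf.append(""")` line, so this is most likely the mail archive rendering the entity references rather than the committed source, which presumably uses a named reference on the XML side and a different form on the HTML side. That branch is where the fix actually lives, since a reference a browser does not recognise inside an attribute leaves the quote effectively unescaped, so the committed text should be confirmed against the repository rather than this rendering. The enclosing method starts in the previous hunk and ends after this one.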
Modified: jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java?rev=1732437&r1=1732436&r2=1732437&view=diff
==============================================================================
--- jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java (original)
+++ jackrabbit/branches/2.12/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java Fri Feb 26 09:26:20 2016
@@ -195,4 +195,11 @@ public class TextTest extends TestCase {
assertEquals("local\"name", Text.escapeIllegalJcrChars("local\"name"));
}
+ public void testEscapeXML() {
+ assertEquals("&<>'"", Text.encodeIllegalXMLCharacters("&<>'\""));
+ }
+
+ public void testEscapeHTML() {
+ assertEquals("&<>'"", Text.encodeIllegalHTMLCharacters("&<>'\""));
+ }
}
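Review bot: The expected strings in `testEscapeXML` and `testEscapeHTML` display identically on this page, so as shown the two assertions cannot distinguish `encodeIllegalXMLCharacters` from `encodeIllegalHTMLCharacters`; this is presumably the archive decoding the entity references, but it means the assertions are not verifiable from this rendering and should be checked in the repository. Neither test covers the `null` argument that the shared helper rejects with `IllegalArgumentException`; a one-line case such as `try { Text.encodeIllegalHTMLCharacters(null); fail(); } catch (IllegalArgumentException expected) { }` would pin that contract alongside the escaping cases.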
Modified: jackrabbit/branches/2.12/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.12/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java?rev=1732437&r1=1732436&r2=1732437&view=diff
==============================================================================
--- jackrabbit/branches/2.12/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java (original)
+++ jackrabbit/branches/2.12/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java Fri Feb 26 09:26:20 2016
@@ -146,14 +146,14 @@ public class DirListingExportHandler imp
String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
writer.print("<html><head><title>");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
writer.print(" ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
writer.print(" ");
- writer.print(item.getPath());
+ writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
writer.print("</title></head>");
writer.print("<body><h2>");
- writer.print(item.getPath());
+ writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
writer.print("</h2><ul>");
writer.print("<li><a href=\"..\">..</a></li>");
if (item.isNode()) {
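Review bot: `Text.encodeIllegalHTMLCharacters` throws `IllegalArgumentException` for a `null` argument (the `throw new IllegalArgumentException("null argument")` guard in the Text.java hunk), while `repName` and `repVersion` wrapped at the top of this hunk come from `Repository.getDescriptor`, which returns `null` when the repository does not define the key; previously `writer.print(null)` emitted the literal text `null`, now the listing would abort with an unchecked exception that the `catch (RepositoryException e)` visible at the end of the next hunk does not cover. The same applies to `repURL`, `repName` and `repVersion` in the footer of the next hunk and to the corresponding calls in the two hunks of the second method further down. A null-tolerant form such as `Text.encodeIllegalHTMLCharacters(String.valueOf(repName))` at each of those sites, or a small private helper that maps `null` to an empty string before escaping, keeps the fix while preserving the old tolerance. The enclosing method starts and ends outside this hunk.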
@@ -162,21 +162,21 @@ public class DirListingExportHandler imp
Node child = iter.nextNode();
String label = Text.getName(child.getPath());
writer.print("<li><a href=\"");
- writer.print(Text.escape(label));
+ writer.print(Text.encodeIllegalHTMLCharacters(Text.escape(label)));
if (child.isNode()) {
writer.print("/");
}
writer.print("\">");
- writer.print(Text.encodeIllegalXMLCharacters(label));
+ writer.print(Text.encodeIllegalHTMLCharacters(label));
writer.print("</a></li>");
}
}
writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");
- writer.print(repURL);
+ writer.print(Text.encodeIllegalHTMLCharacters(repURL));
writer.print("\">");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
writer.print("</a> version ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
writer.print("</em></body></html>");
} catch (RepositoryException e) {
// should not occur
@@ -210,14 +210,14 @@ public class DirListingExportHandler imp
String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
writer.print("<html><head><title>");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
writer.print(" ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
writer.print(" ");
- writer.print(resource.getResourcePath());
+ writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
writer.print("</title></head>");
writer.print("<body><h2>");
- writer.print(resource.getResourcePath());
+ writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
writer.print("</h2><ul>");
writer.print("<li><a href=\"..\">..</a></li>");
DavResourceIterator iter = resource.getMembers();
@@ -225,17 +225,17 @@ public class DirListingExportHandler imp
DavResource child = iter.nextResource();
String label = Text.getName(child.getResourcePath());
writer.print("<li><a href=\"");
- writer.print(child.getHref());
+ writer.print(Text.encodeIllegalHTMLCharacters(child.getHref()));
writer.print("\">");
- writer.print(Text.encodeIllegalXMLCharacters(label));
+ writer.print(Text.encodeIllegalHTMLCharacters(label));
writer.print("</a></li>");
}
writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");
- writer.print(repURL);
+ writer.print(Text.encodeIllegalHTMLCharacters(repURL));
writer.print("\">");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
writer.print("</a> version ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
writer.print("</em></body></html>");
} catch (RepositoryException e) {
// should not occur