Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:24:55 UTC

[sling-org-apache-sling-xss] 02/27: SLING-4525 - XSS protection path mangling issue

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit a1132dcaa1738be6fe7f51a8904b5f7f0d110162
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Wed May 13 13:18:25 2015 +0000

    SLING-4525 - XSS protection path mangling issue
    
    * Added proper encoding for colons in query string
    * Added testcases based on Georg Koester's patch
    (patch provided by Vlad Bailescu; closes #80)
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1679204 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     |  4 ++++
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 400f279..cb05449 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -167,6 +167,10 @@ public class XSSAPIImpl implements XSSAPI {
                     .replaceAll("<", "%3C")
                     .replaceAll("`", "%60")
                     .replaceAll(" ", "%20");
+            int qMarkIx = encodedUrl.indexOf('?');
+            if (qMarkIx > 0) {
+                encodedUrl = encodedUrl.substring(0, qMarkIx) + encodedUrl.substring(qMarkIx).replaceAll(":", "%3A");
+            }
             String testHtml = LINK_PREFIX + mangleNamespaces(encodedUrl) + LINK_SUFFIX;
             // replace all & with &amp; because filterHTML will also apply this encoding
             testHtml = testHtml.replaceAll("&(?!amp)", "&amp;");
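Review bot: The guard `if (qMarkIx > 0)` skips a reference that starts with `?` (index 0), so a query-only href such as `?0_tag:id=test` keeps its raw colons and reaches `mangleNamespaces` unencoded; `if (qMarkIx >= 0)` would cover it, or, if the exclusion is deliberate, a comment should say why. `substring(qMarkIx)` runs to the end of the string, so colons in a `#fragment` that follows the query are also rewritten to `%3A`, and a `?` that occurs only inside a fragment is taken for the start of the query; bounding the rewrite at the first `#` would leave fragment values as the caller supplied them. Because `:` is a literal here, `replace(":", "%3A")` expresses the same thing without going through the regex engine. The enclosing method begins and ends outside this hunk, so how the downstream filter treats these cases cannot be confirmed from the visible lines.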
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index f1347ec..dce4391 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -252,6 +252,16 @@ public class XSSAPIImplTest {
                 // `
                 {"/test/ab`cd", "/test/ab%60cd"},
                 {"http://localhost:4502/test/ab`cd", "http://localhost:4502/test/ab%60cd"},
+                // colons in query string
+                {"/test/search.html?0_tag:id=test", "/test/search.html?0_tag%3Aid=test"},
+                { // JCR namespaces and colons in query string
+                        "/test/jcr:content/search.html?0_tag:id=test",
+                        "/test/_jcr_content/search.html?0_tag%3Aid=test"
+                },
+                { // ? in query string
+                        "/test/search.html?0_tag:id=test?ing&1_tag:id=abc",
+                        "/test/search.html?0_tag%3Aid=test?ing&1_tag%3Aid=abc",
+                }
         };
 
         for (String[] aTestData : testData) {
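Review bot: The added rows use only path-absolute URLs, so nothing pins down that the scheme and port colons of an absolute URL stay intact when a query string with colons is present. Going by the existing absolute-URL rows, a row like `{"http://localhost:4502/test/search.html?0_tag:id=test", "http://localhost:4502/test/search.html?0_tag%3Aid=test"}` would presumably do that. A row for a query-only href and one for a colon inside a `#fragment` would record the intended result at those two edges of the new `indexOf('?')` logic, whichever result is intended. The last added row has a trailing comma after its second string, while the row above it does not. The `testData` array starts before this hunk and the loop that consumes it continues after it.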
