Posted to commits@archiva.apache.org by ma...@apache.org on 2019/03/10 10:36:28 UTC

[archiva] branch archiva-2.x updated: Fixing MRM-1972: Adding additional encoding for name value

This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch archiva-2.x
in repository https://gitbox.apache.org/repos/asf/archiva.git


The following commit(s) were added to refs/heads/archiva-2.x by this push:
     new 8e5fdd4  Fixing MRM-1972: Adding additional encoding for name value
8e5fdd4 is described below

commit 8e5fdd4536421a1a3f0cc5b70725148eeb27b652
Author: Martin Stockhammer <ma...@apache.org>
AuthorDate: Sun Mar 10 11:36:06 2019 +0100

    Fixing MRM-1972: Adding additional encoding for name value
---
 .../repository/admin/DefaultArchivaAdministration.java  |  7 +++++++
 .../repository/admin/ArchivaAdministrationTest.java     | 17 +++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
index 8f065c1..1ba1048 100644
--- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
@@ -31,6 +31,8 @@ import org.apache.archiva.configuration.Configuration;
 import org.apache.archiva.configuration.UserInterfaceOptions;
 import org.apache.archiva.configuration.WebappConfiguration;
 import org.apache.archiva.metadata.model.facets.AuditEvent;
+import org.apache.commons.codec.net.URLCodec;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.impl.conn.PoolingClientConnectionManager;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
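Review bot: `URLCodec` is imported here but nothing else in this commit uses it; only `StringEscapeUtils.escapeHtml` is called in `convertName`. Either drop the import, or, if URL encoding of the name was intended alongside the HTML escaping (the commit title says "additional encoding"), the call is missing rather than the import. An unused import of a codec class also invites a later reader to assume the value is URL-safe when it is not.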
@@ -337,6 +339,10 @@ public class DefaultArchivaAdministration
 
     }
 
+    private String convertName(String name) {
+        return StringEscapeUtils.escapeHtml( StringUtils.trimToEmpty( name ) );
+    }
+
     @Override
     public void setOrganisationInformation( OrganisationInformation organisationInformation )
         throws RepositoryAdminException
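Review bot: `convertName` applies HTML-body escaping at persistence time, so the stored organisation name, and what `getOrganisationInformation()` hands back, is already entity-encoded. Any view or API that encodes on output will then render `&amp;gt;` where `&gt;` was meant, while a consumer that emits the value raw into an attribute or script context is still not covered, because commons-lang 2 `escapeHtml` leaves `'` and `/` untouched (the expected value in the new test keeps `/` as-is). Context-aware encoding at the output layer is the more reliable place for this; if the storage-time conversion is kept, its contract should be stated on the method, e.g. `/** Trims the name and HTML-entity-escapes it before storage (commons-lang escapeHtml: ' and / are not escaped). */`. The enclosing class continues on both sides of the hunk.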
@@ -346,6 +352,7 @@ public class DefaultArchivaAdministration
         Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
         if ( organisationInformation != null )
         {
+            organisationInformation.setName( convertName( organisationInformation.getName() ));
             org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
                 getModelMapper( ).map( organisationInformation,
                     org.apache.archiva.configuration.OrganisationInformation.class );
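Review bot: The added line mutates the caller's `organisationInformation` DTO before it is mapped, so after the call the caller's object holds the escaped name rather than the value it passed in, a side effect the method signature does not suggest. Applying the conversion to the mapped model instead, `organisationInformationModel.setName( convertName( organisationInformation.getName() ) );` placed after the `map(...)` call, keeps the input untouched; this assumes the configuration model exposes `setName`, which the hunk does not show. `setOrganisationInformation` continues outside the hunk.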
diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
index 6e3fbd6..9bb9ed4 100644
--- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
@@ -254,6 +254,23 @@ public class ArchivaAdministrationTest
     }
 
     @Test
+    public void badOrganisationName( )
+    {
+        try
+        {
+            OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
+            newOrganisationInformation.setName( "/><svg/onload=alert(/url_xss/)>Test Org\"" );
+            archivaAdministration.setOrganisationInformation( newOrganisationInformation );
+            assertEquals("/&gt;&lt;svg/onload=alert(/url_xss/)&gt;Test Org&quot;", archivaAdministration.getOrganisationInformation().getName());
+        }
+        catch ( RepositoryAdminException e )
+        {
+            // OK
+        }
+
+    }
+
+    @Test
     public void uiConfiguration()
         throws Exception
     {
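Review bot: The new `badOrganisationName` test treats a `RepositoryAdminException` thrown by `setOrganisationInformation` as success (empty catch with `// OK`), so a regression where saving the escaped name fails would pass silently; only the `assertEquals` inside the try can fail it. Either declare `throws RepositoryAdminException` on the test method and drop the try/catch, or replace the comment with `fail( "unexpected: " + e.getMessage() );` if `Assert.fail` is statically imported like `assertEquals`. The test also leaves the escaped name stored, which may leak into later tests in this class if they share the administration instance; the fixture setup and teardown are outside the hunk, so that cannot be confirmed here.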