Posted to commits@sling.apache.org by ra...@apache.org on 2019/11/20 13:13:51 UTC
[sling-org-apache-sling-xss] 01/02: SLING-8851 - Skip namespace
mangling
This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
View the commit online:
https://github.com/apache/sling-org-apache-sling-xss/commit/a827eb7f30ac2d65b512b928087ca93b1ebd3fb8
commit a827eb7f30ac2d65b512b928087ca93b1ebd3fb8
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Wed Nov 20 13:59:49 2019 +0100
SLING-8851 - Skip namespace mangling
* removed mangling code and adapted tests
---
.../java/org/apache/sling/xss/impl/XSSAPIImpl.java | 50 ----------------------
.../org/apache/sling/xss/impl/XSSAPIImplTest.java | 20 ++++-----
2 files changed, 10 insertions(+), 60 deletions(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 4022b8a..958e365 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -181,55 +181,6 @@ public class XSSAPIImpl implements XSSAPI {
return defaultValue;
}
- private static final String MANGLE_NAMESPACE_OUT_SUFFIX = ":";
-
- private static final String MANGLE_NAMESPACE_OUT = "/([^:/]+):";
-
- private static final Pattern MANGLE_NAMESPACE_PATTERN = Pattern.compile(MANGLE_NAMESPACE_OUT);
-
- private static final String MANGLE_NAMESPACE_IN_SUFFIX = "_";
-
- private static final String MANGLE_NAMESPACE_IN_PREFIX = "/_";
-
- private String mangleNamespaces(String absPath) throws URISyntaxException, UnsupportedEncodingException {
- String mangledPath = null;
- URI uri = new URI(absPath);
- if (uri.getPath() != null) {
- if (uri.getRawPath().contains(MANGLE_NAMESPACE_OUT_SUFFIX)) {
- final Matcher m = MANGLE_NAMESPACE_PATTERN.matcher(uri.getRawPath());
-
- final StringBuffer buf = new StringBuffer();
- while (m.find()) {
- final String replacement = MANGLE_NAMESPACE_IN_PREFIX + m.group(1) + MANGLE_NAMESPACE_IN_SUFFIX;
- m.appendReplacement(buf, replacement);
- }
-
- m.appendTail(buf);
- mangledPath = buf.toString();
- }
- }
- if (mangledPath != null) {
- URI mangledURI = new URI(uri.getScheme(), uri.getUserInfo(), uri.getHost(), uri.getPort(),
- URLDecoder.decode(mangledPath, "UTF-8"),
- uri.getQuery(), uri.getFragment());
- StringBuilder uriBuilder = new StringBuilder();
- if (StringUtils.isNotEmpty(mangledURI.getScheme()) && StringUtils.isNotEmpty(mangledURI.getAuthority())) {
- uriBuilder.append(mangledURI.getScheme()).append("://").append(mangledURI.getRawAuthority());
- }
- if (StringUtils.isNotEmpty(mangledURI.getPath())) {
- uriBuilder.append(mangledURI.getRawPath());
- }
- if (StringUtils.isNotEmpty(mangledURI.getQuery())) {
- uriBuilder.append("?").append(mangledURI.getRawQuery());
- }
- if (StringUtils.isNotEmpty(mangledURI.getFragment())) {
- uriBuilder.append("#").append(mangledURI.getRawFragment());
- }
- return uriBuilder.toString();
- }
- return absPath;
- }
-
/**
* @see org.apache.sling.xss.XSSAPI#getValidHref(String)
*/
@@ -247,7 +198,6 @@ public class XSSAPIImpl implements XSSAPI {
.replaceAll("`", "%60")
.replaceAll(" ", "%20");
try {
- encodedUrl = mangleNamespaces(encodedUrl);
if (xssFilter.isValidHref(encodedUrl)) {
return encodedUrl;
}
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e365b57..43981f5 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -241,16 +241,16 @@ public class XSSAPIImplTest {
{"repo/günter", "repo/günter"},
// JCR namespaces:
- {"my/page/jcr:content.feed", "my/page/_jcr_content.feed"},
- {"my/jcr:content/page/jcr:content", "my/_jcr_content/page/_jcr_content"},
- {"my/jcr:content/encoded%20spaces", "my/_jcr_content/encoded%20spaces"},
- {"my/jcr:content/this path has spaces", "my/_jcr_content/this%20path%20has%20spaces"},
+ {"my/page/jcr:content.feed", "my/page/jcr:content.feed"},
+ {"my/jcr:content/page/jcr:content", "my/jcr:content/page/jcr:content"},
+ {"my/jcr:content/encoded%20spaces", "my/jcr:content/encoded%20spaces"},
+ {"my/jcr:content/this path has spaces", "my/jcr:content/this%20path%20has%20spaces"},
{"\" onClick=ugly", "%22%20onClick=ugly"},
{"javascript:ugly", ""},
{"http://localhost:4502", "http://localhost:4502"},
{"http://localhost:4502/test", "http://localhost:4502/test"},
- {"http://localhost:4502/jcr:content/test", "http://localhost:4502/_jcr_content/test"},
+ {"http://localhost:4502/jcr:content/test", "http://localhost:4502/jcr:content/test"},
{"http://localhost:4502/test.html?a=b&b=c", "http://localhost:4502/test.html?a=b&b=c"},
// space
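Review bot: The rewritten expectations for `my/page/jcr:content.feed` and the other namespaced rows all place the colon-bearing segment behind a leading directory, so nothing in the table pins what getValidHref now returns for a relative href whose first segment carries the colon, e.g. `jcr:content/page.html`. The removed regex `/([^:/]+):` required a preceding slash, so that form was never mangled before either, but with mangling gone a colon in the first segment is exactly what a browser's relative-reference parsing reads as a scheme, and xssFilter.isValidHref is now the only thing standing between such input and the caller. I would add a row such as `{"jcr:content/page.html", <whatever the filter returns today>}` so that a later filter change cannot silently start passing scheme-like paths through; the `javascript:ugly` row already shows the filter rejects a real scheme, but not that it distinguishes this case. The test-data array this hunk edits starts before the hunk.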
@@ -280,15 +280,15 @@ public class XSSAPIImplTest {
{"/test/search.html?0_tag:id=test", "/test/search.html?0_tag:id=test"},
{ // JCR namespaces and colons in query string
"/test/jcr:content/search.html?0_tag:id=test",
- "/test/_jcr_content/search.html?0_tag:id=test"
+ "/test/jcr:content/search.html?0_tag:id=test"
},
{ // JCR namespaces and colons in query string plus encoded path
"/test%20with%20encoded%20spaces/jcr:content/search.html?0_tag:id=test",
- "/test%20with%20encoded%20spaces/_jcr_content/search.html?0_tag:id=test"
+ "/test%20with%20encoded%20spaces/jcr:content/search.html?0_tag:id=test"
},
{ // JCR namespaces and colons in query string plus spaces in path
"/test with spaces/jcr:content/search.html?0_tag:id=test",
- "/test%20with%20spaces/_jcr_content/search.html?0_tag:id=test"
+ "/test%20with%20spaces/jcr:content/search.html?0_tag:id=test"
},
{ // ? in query string
"/test/search.html?0_tag:id=test?ing&1_tag:id=abc",
@@ -316,14 +316,14 @@ public class XSSAPIImplTest {
},
{ // namespace mangling + encoded parameter values
"/path/to/page/jcr:content/par?key=%25text",
- "/path/to/page/_jcr_content/par?key=%25text"
+ "/path/to/page/jcr:content/par?key=%25text"
},
{ // namespace mangling + incorrect escape sequence
"/path/to/page/jcr:content/par?key=%text",
""
},
{ // incorrect escape sequence
- "/path/to/page/_jcr_content/par?key=%text",
+ "/path/to/page/jcr:content/par?key=%text",
""
}
};
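Review bot: After the expectation change, the row `"/path/to/page/jcr:content/par?key=%text"` under `// incorrect escape sequence` is byte-identical to the row three entries above it, so the last two cases in this hunk now exercise the same input and expected value. The duplicate only existed to check the pre-mangled `_jcr_content` spelling; with mangling removed it should be dropped, or replaced with an input the removal newly leaves unnormalised (for instance the same path with a percent-encoded colon in the segment, asserting whatever the filter returns) so the case still adds coverage. The comments `// namespace mangling + encoded parameter values` and `// namespace mangling + incorrect escape sequence` also still describe the removed behaviour and would be clearer as `// JCR namespace + encoded parameter values` and `// JCR namespace + incorrect escape sequence`.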