Posted to commits@sling.apache.org by ra...@apache.org on 2020/07/29 16:01:06 UTC

[sling-org-apache-sling-xss] branch master updated (0d1a44f -> 49de42a)

This is an automated email from the ASF dual-hosted git repository.

radu pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git.


    from 0d1a44f  [maven-release-plugin] prepare for next development iteration
     new c35b358  SLING-9613 - java.lang.StackOverflowError in XSSFilterImpl.filter for long URLs
     new 49de42a  [maven-release-plugin] prepare release org.apache.sling.xss-2.2.6

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 pom.xml                                                            | 4 ++--
 .../java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java   | 7 ++++---
 src/main/java/org/apache/sling/xss/impl/PolicyHandler.java         | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)


[sling-org-apache-sling-xss] 01/02: SLING-9613 - java.lang.StackOverflowError in XSSFilterImpl.filter for long URLs

Posted by ra...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit c35b358ec631b8b8940133c2b23d366ba07e164b
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Wed Jul 29 17:56:04 2020 +0200

    SLING-9613 - java.lang.StackOverflowError in XSSFilterImpl.filter for long URLs
    
    * make sure the bundle's classloader is used every time a call to any
    of the XML APIs is made internally (e.g. AntiSamy init, AntiSamy scan)
---
 .../java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java   | 7 ++++---
 src/main/java/org/apache/sling/xss/impl/PolicyHandler.java         | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java b/src/main/java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java
index 7e0535a..d387033 100644
--- a/src/main/java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java
+++ b/src/main/java/org/apache/sling/xss/impl/HtmlToHtmlContentContext.java
@@ -64,7 +64,6 @@ public class HtmlToHtmlContentContext implements XSSFilterRule {
     @Override
     public String filter(final PolicyHandler policyHandler, final String str) {
         if (StringUtils.isNotEmpty(str)) {
-            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
             try {
                 final CleanResults  results = getCleanResults(policyHandler, str);
                 if (results != null) {
@@ -78,8 +77,6 @@ public class HtmlToHtmlContentContext implements XSSFilterRule {
                 }
             } catch (Exception e) {
                 logError(e, str);
-            } finally {
-                Thread.currentThread().setContextClassLoader(tccl);
             }
         }
         return StringUtils.EMPTY;
@@ -95,12 +92,16 @@ public class HtmlToHtmlContentContext implements XSSFilterRule {
 
     private CleanResults getCleanResults(PolicyHandler handler, String input) throws ScanException, PolicyException {
         CleanResults results;
+        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
         try {
+            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
             results = handler.getAntiSamy().scan(input);
         } catch (StackOverflowError e) {
             log.debug("Will perform a second attempt at filtering the following input due to a StackOverflowError:\n{}", input);
             results = handler.getFallbackAntiSamy().scan(input);
             log.debug("Second attempt was successful.");
+        } finally {
+            Thread.currentThread().setContextClassLoader(tccl);
         }
         return results;
     }
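Review bot: `this.getClass().getClassLoader()` in the added `setContextClassLoader` call resolves against the runtime class, and `HtmlToHtmlContentContext` is a public, non-final class. A subclass loaded from another bundle would therefore pin that bundle's loader for the AntiSamy scan, whereas `HtmlToHtmlContentContext.class.getClassLoader()` always names this bundle; the added line in PolicyHandler.java uses the same expression. A one-line comment above the swap would record the reason given in the commit message, e.g. `// AntiSamy's XML API lookups go through the TCCL: pin it to this bundle for the scan, restore in finally`. The fallback scan in the `catch` block still runs before `finally`, so the swap covers it, but a second `StackOverflowError` there is not caught in this method, and the `filter` hunk above shows only `catch (Exception e)`, so it would propagate to the caller.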
diff --git a/src/main/java/org/apache/sling/xss/impl/PolicyHandler.java b/src/main/java/org/apache/sling/xss/impl/PolicyHandler.java
index 5caf40a..2e737c2 100644
--- a/src/main/java/org/apache/sling/xss/impl/PolicyHandler.java
+++ b/src/main/java/org/apache/sling/xss/impl/PolicyHandler.java
@@ -45,6 +45,7 @@ public class PolicyHandler {
         Thread currentThread = Thread.currentThread();
         ClassLoader cl = currentThread.getContextClassLoader();
         try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+            currentThread.setContextClassLoader(this.getClass().getClassLoader());
             IOUtils.copy(policyStream, baos);
             ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
             currentThread.setContextClassLoader(this.getClass().getClassLoader());
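Review bot: The added `currentThread.setContextClassLoader(this.getClass().getClassLoader());` at the top of the try block duplicates the identical call two lines below it, after `bais` is created. The later call is now redundant and should be removed so the swap happens in exactly one place. The enclosing body starts and ends outside this hunk, so whether `cl` is restored in a `finally` is not visible here. That is worth confirming, because a bundle loader left on a pooled thread would leak into unrelated work that later runs on it.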


[sling-org-apache-sling-xss] 02/02: [maven-release-plugin] prepare release org.apache.sling.xss-2.2.6

Posted by ra...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 49de42a237a23ce3d44baa82a91ebd98672905b0
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Wed Jul 29 18:01:00 2020 +0200

    [maven-release-plugin] prepare release org.apache.sling.xss-2.2.6
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index db43a26..c940960 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
     <!-- P R O J E C T                                                           -->
     <!-- ======================================================================= -->
     <artifactId>org.apache.sling.xss</artifactId>
-    <version>2.2.5-SNAPSHOT</version>
+    <version>2.2.6</version>
 
     <name>Apache Sling XSS Protection API</name>
     <description>
@@ -42,7 +42,7 @@
         <connection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git</connection>
         <developerConnection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git</developerConnection>
         <url>https://gitbox.apache.org/repos/asf?p=sling-org-apache-sling-xss.git</url>
-      <tag>HEAD</tag>
+      <tag>org.apache.sling.xss-2.2.6</tag>
   </scm>