Posted to commits@sling.apache.org by cz...@apache.org on 2013/07/19 08:47:55 UTC
svn commit: r1504776 -
/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
Author: cziegeler
Date: Fri Jul 19 06:47:54 2013
New Revision: 1504776
URL: http://svn.apache.org/r1504776
Log:
SLING-2974 : XSS vulnerability in AbstractAuthenticationFormServlet
Modified:
sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java?rev=1504776&r1=1504775&r2=1504776&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java Fri Jul 19 06:47:54 2013
@@ -130,14 +130,35 @@ public abstract class AbstractAuthentica
throws IOException {
String form = getRawForm();
- form = form.replace("${resource}", getResource(request));
- form = form.replace("${j_reason}", getReason(request));
- form = form.replace("${requestContextPath}", getContextPath(request));
- form = form.replace("${contextPath}", request.getContextPath());
+ form = form.replace("${resource}", escapeXml(getResource(request)));
+ form = form.replace("${j_reason}", escapeXml(getReason(request)));
+ form = form.replace("${requestContextPath}", escapeXml(getContextPath(request)));
+ form = form.replace("${contextPath}", escapeXml(request.getContextPath()));
return form;
}
+ private static String escapeXml(final String input) {
+ if (input == null) {
+ return null;
+ }
+
+ final StringBuilder b = new StringBuilder(input.length());
+ for(int i = 0;i < input.length(); i++) {
+ final char c = input.charAt(i);
+ if(c == '&') {
+ b.append("&");
+ } else if(c == '<') {
+ b.append("<");
+ } else if(c == '>') {
+ b.append(">");
+ } else {
+ b.append(c);
+ }
+ }
+ return b.toString();
+ }
+
/**
* Returns the path to the resource to which the request should be
* redirected after successfully completing the form or an empty string if
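Review bot: escapeXml() (the new method at L31-L50) leaves `"` and `'` untouched, so any of the four placeholders that is substituted inside a quoted attribute of the raw form (a hidden `value="${resource}"` or a form `action` would be typical) can still close the attribute and inject event handlers; add `} else if (c == '"') { b.append("&quot;"); } else if (c == '\'') { b.append("&#39;"); }` before the final `else` (`&#39;` rather than `&apos;`, which HTML 4 parsers do not define). As rendered here the three existing branches append the bare characters `&`, `<` and `>` instead of `&amp;`, `&lt;` and `&gt;` — presumably the list archive decoded the entities, but if the committed source really reads this way the method is an identity transform and the XSS fix is a no-op, so this should be checked against the repository. Returning `null` from escapeXml also keeps the pre-existing NullPointerException from `String.replace` when a value is null; returning `""` there would be the safer choice. The enclosing method that performs the replacements begins before this hunk, so its parameters and return contract are not visible.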