Posted to commits@jspwiki.apache.org by ju...@apache.org on 2018/03/29 17:45:23 UTC

[jspwiki] 04/05: Main page can be revealed when invoking some JSPs without parameters (reported by Motohiko Matsuda, thanks\!)

This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit 7fc592edd627d1df2c18f0f0f801a53af1da92c6
Author: juanpablo <ju...@apache.org>
AuthorDate: Thu Mar 29 19:43:42 2018 +0200

    Main page can be revealed when invoking some JSPs without parameters (reported by Motohiko Matsuda, thanks!)
---
 jspwiki-war/src/main/webapp/Comment.jsp      |  4 ++++
 jspwiki-war/src/main/webapp/Delete.jsp       |  6 +++++-
 jspwiki-war/src/main/webapp/Diff.jsp         | 16 ++++++++++------
 jspwiki-war/src/main/webapp/Edit.jsp         |  6 +++++-
 jspwiki-war/src/main/webapp/PageInfo.jsp     | 18 +++++++++++-------
 jspwiki-war/src/main/webapp/PageModified.jsp |  6 +++++-
 jspwiki-war/src/main/webapp/Preview.jsp      | 14 +++++++++-----
 jspwiki-war/src/main/webapp/Rename.jsp       | 10 +++++++---
 8 files changed, 56 insertions(+), 24 deletions(-)

diff --git a/jspwiki-war/src/main/webapp/Comment.jsp b/jspwiki-war/src/main/webapp/Comment.jsp
index 641727c..eb30968 100644
--- a/jspwiki-war/src/main/webapp/Comment.jsp
+++ b/jspwiki-war/src/main/webapp/Comment.jsp
@@ -61,6 +61,10 @@
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.COMMENT );
     if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     ResourceBundle rb = Preferences.getBundle( wikiContext, "CoreResources" );
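Review bot: The redirect in the added guard builds its target from `wikiContext.getName()` at a moment when the command has no target, and what getName() returns in that state is not visible in this hunk; if it is null or a placeholder the redirect URL is malformed, and if it resolves to the front page the redirect simply re-enters this JSP with the front page as an explicit target, so the intent deserves a comment such as `// No page supplied: redirect to an explicit URL instead of acting on the default page` above the `if`. The same four lines are repeated verbatim in Delete.jsp, Diff.jsp, Edit.jsp, PageInfo.jsp, PageModified.jsp, Preview.jsp and Rename.jsp; a helper that performs the redirect and returns whether the caller should bail out, used the same way hasAccess() already is, would keep the check in one place and make it harder for a future JSP to omit it. The enclosing scriptlet starts before this hunk.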
diff --git a/jspwiki-war/src/main/webapp/Delete.jsp b/jspwiki-war/src/main/webapp/Delete.jsp
index aba32e9..8e89d09 100644
--- a/jspwiki-war/src/main/webapp/Delete.jsp
+++ b/jspwiki-war/src/main/webapp/Delete.jsp
@@ -37,7 +37,11 @@
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.DELETE );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     WikiPage wikipage      = wikiContext.getPage();
diff --git a/jspwiki-war/src/main/webapp/Diff.jsp b/jspwiki-war/src/main/webapp/Diff.jsp
index d8fae90..7dfaec2 100644
--- a/jspwiki-war/src/main/webapp/Diff.jsp
+++ b/jspwiki-war/src/main/webapp/Diff.jsp
@@ -14,7 +14,7 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
 --%>
 
 <%@ page import="org.apache.log4j.*" %>
@@ -26,23 +26,27 @@
 <%@ page errorPage="/Error.jsp" %>
 <%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
 
-<%! 
-    Logger log = Logger.getLogger("JSPWiki"); 
+<%!
+    Logger log = Logger.getLogger("JSPWiki");
 %>
 
 <%
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.DIFF );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     WatchDog w = wiki.getCurrentWatchDog();
     try
     {
     w.enterState("Generating INFO response",60);
-    
-    // Notused ? 
+
+    // Notused ?
     // String pageurl = wiki.encodeName( pagereq );
 
     // If "r1" is null, then assume current version (= -1)
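Review bot: The watchdog state entered at `w.enterState("Generating INFO response",60);` names the INFO context although this page creates a WikiContext.DIFF context a few lines above, so watchdog output from this page is attributed to the wrong view; since the commit already reformats the neighbouring lines, relabelling it `w.enterState("Generating DIFF response",60);` would fix that cheaply. The `// Notused ?` marker and the commented-out `pageurl` line beneath it are dead code that the hunk touches only to strip trailing whitespace; deleting them would be cleaner than preserving them. The try block opened here closes outside the hunk.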
diff --git a/jspwiki-war/src/main/webapp/Edit.jsp b/jspwiki-war/src/main/webapp/Edit.jsp
index c8efc65..3727204 100644
--- a/jspwiki-war/src/main/webapp/Edit.jsp
+++ b/jspwiki-war/src/main/webapp/Edit.jsp
@@ -53,7 +53,11 @@
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.EDIT );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     WikiSession wikiSession = wikiContext.getWikiSession();
diff --git a/jspwiki-war/src/main/webapp/PageInfo.jsp b/jspwiki-war/src/main/webapp/PageInfo.jsp
index e6bd142..86885e4 100644
--- a/jspwiki-war/src/main/webapp/PageInfo.jsp
+++ b/jspwiki-war/src/main/webapp/PageInfo.jsp
@@ -14,7 +14,7 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
 --%>
 
 <%@ page import="org.apache.log4j.*" %>
@@ -24,21 +24,25 @@
 <%@ page errorPage="/Error.jsp" %>
 <%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
 
-<%! 
-    Logger log = Logger.getLogger("JSPWiki"); 
+<%!
+    Logger log = Logger.getLogger("JSPWiki");
 %>
 
 <%
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.INFO );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
-    
+
     WatchDog w = wiki.getCurrentWatchDog();
-    try{
+    try {
     w.enterState("Generating INFO response",60);
-    
+
     // Set the content type and include the response content
     response.setContentType("text/html; charset="+wiki.getContentEncoding() );
     String contentPage = wiki.getTemplateManager().findJSP( pageContext,
diff --git a/jspwiki-war/src/main/webapp/PageModified.jsp b/jspwiki-war/src/main/webapp/PageModified.jsp
index 2437fab..99924cc 100644
--- a/jspwiki-war/src/main/webapp/PageModified.jsp
+++ b/jspwiki-war/src/main/webapp/PageModified.jsp
@@ -34,7 +34,11 @@
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.CONFLICT );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     String usertext = (String)session.getAttribute( EditorManager.REQ_EDITEDTEXT );
diff --git a/jspwiki-war/src/main/webapp/Preview.jsp b/jspwiki-war/src/main/webapp/Preview.jsp
index 759a33f..1058fda 100644
--- a/jspwiki-war/src/main/webapp/Preview.jsp
+++ b/jspwiki-war/src/main/webapp/Preview.jsp
@@ -14,7 +14,7 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
 --%>
 
 <%@ page import="org.apache.log4j.*" %>
@@ -25,15 +25,19 @@
 <%@ page import="org.apache.wiki.ui.EditorManager" %>
 <%@ page errorPage="/Error.jsp" %>
 <%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
-<%! 
-    Logger log = Logger.getLogger("JSPWiki"); 
+<%!
+    Logger log = Logger.getLogger("JSPWiki");
 %>
 
 <%
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
     WikiContext wikiContext = wiki.createContext( request, WikiContext.PREVIEW );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+    if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
     String pagereq = wikiContext.getName();
 
     pageContext.setAttribute( EditorManager.ATTR_EDITEDTEXT,
@@ -45,7 +49,7 @@
     pageContext.setAttribute( "lastchange",
                               lastchange,
                               PageContext.REQUEST_SCOPE );
-   
+
     // Set the content type and include the response content
     response.setContentType("text/html; charset="+wiki.getContentEncoding() );
     String contentPage = wiki.getTemplateManager().findJSP( pageContext,
diff --git a/jspwiki-war/src/main/webapp/Rename.jsp b/jspwiki-war/src/main/webapp/Rename.jsp
index 1f4ba09..703787d 100644
--- a/jspwiki-war/src/main/webapp/Rename.jsp
+++ b/jspwiki-war/src/main/webapp/Rename.jsp
@@ -14,7 +14,7 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
 --%>
 
 <%@ page import="org.apache.log4j.*" %>
@@ -39,7 +39,11 @@
     WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
     // Create wiki context and check for authorization
 	WikiContext wikiContext = wiki.createContext( request, WikiContext.RENAME );
-    if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+	if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+    if( wikiContext.getCommand().getTarget() == null ) {
+        response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+        return;
+    }
 
     String renameFrom = wikiContext.getName();
     String renameTo = request.getParameter("renameto");
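Review bot: The rewritten hasAccess line keeps a leading tab, as does the createContext line above it, while the four added guard lines are indented with spaces, so the new block reads as misaligned in any editor that does not expand tabs to four columns; replacing the tabs on those two lines with four spaces, as every other file in this commit uses, would keep the guard consistent across the eight JSPs. The scriptlet this guard belongs to starts before the hunk.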
@@ -105,5 +109,5 @@
     String contentPage = wiki.getTemplateManager().findJSP( pageContext,
                                                             wikiContext.getTemplate(),
                                                             "ViewTemplate.jsp" );
-    
+
 %><wiki:Include page="<%=contentPage%>" />
\ No newline at end of file
