Posted to commits@jspwiki.apache.org by ju...@apache.org on 2018/03/29 17:45:23 UTC
[jspwiki] 04/05: Main page can be revealed when invoking some JSPs
without parameters (reported by Motohiko Matsuda, thanks\!)
This is an automated email from the ASF dual-hosted git repository.
juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 7fc592edd627d1df2c18f0f0f801a53af1da92c6
Author: juanpablo <ju...@apache.org>
AuthorDate: Thu Mar 29 19:43:42 2018 +0200
Main page can be revealed when invoking some JSPs without parameters (reported by Motohiko Matsuda, thanks\!)
---
jspwiki-war/src/main/webapp/Comment.jsp | 4 ++++
jspwiki-war/src/main/webapp/Delete.jsp | 6 +++++-
jspwiki-war/src/main/webapp/Diff.jsp | 16 ++++++++++------
jspwiki-war/src/main/webapp/Edit.jsp | 6 +++++-
jspwiki-war/src/main/webapp/PageInfo.jsp | 18 +++++++++++-------
jspwiki-war/src/main/webapp/PageModified.jsp | 6 +++++-
jspwiki-war/src/main/webapp/Preview.jsp | 14 +++++++++-----
jspwiki-war/src/main/webapp/Rename.jsp | 10 +++++++---
8 files changed, 56 insertions(+), 24 deletions(-)
diff --git a/jspwiki-war/src/main/webapp/Comment.jsp b/jspwiki-war/src/main/webapp/Comment.jsp
index 641727c..eb30968 100644
--- a/jspwiki-war/src/main/webapp/Comment.jsp
+++ b/jspwiki-war/src/main/webapp/Comment.jsp
@@ -61,6 +61,10 @@
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.COMMENT );
if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
ResourceBundle rb = Preferences.getBundle( wikiContext, "CoreResources" );
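Review bot: The null-target guard added after the `hasAccess` check carries no comment, and the same four lines are pasted into Delete.jsp, Diff.jsp, Edit.jsp, PageInfo.jsp, PageModified.jsp, Preview.jsp and Rename.jsp, so a JSP added later can miss it without anything failing. A comment such as `// No page named in the request: redirect to the explicit page URL rather than rendering the default page from here` would record why the check exists. Moving the check into one shared place that every page-scoped JSP already goes through, for example next to the access check, would keep the eight copies from drifting apart. The scriptlet continues outside this hunk.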
diff --git a/jspwiki-war/src/main/webapp/Delete.jsp b/jspwiki-war/src/main/webapp/Delete.jsp
index aba32e9..8e89d09 100644
--- a/jspwiki-war/src/main/webapp/Delete.jsp
+++ b/jspwiki-war/src/main/webapp/Delete.jsp
@@ -37,7 +37,11 @@
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.DELETE );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
WikiPage wikipage = wikiContext.getPage();
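Review bot: The redirect in the added guard reuses `wikiContext.getRequestContext()`, so a parameterless request to Delete.jsp is sent on to the delete URL of the default page rather than to its view; the guards in Rename.jsp and PageModified.jsp do the same for their contexts. Whether that second request can act on the page depends on code outside this hunk. Falling back to the read-only context is the more conservative choice for state-changing JSPs: `response.sendRedirect( wikiContext.getURL( WikiContext.VIEW, wikiContext.getName() ) );`.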
diff --git a/jspwiki-war/src/main/webapp/Diff.jsp b/jspwiki-war/src/main/webapp/Diff.jsp
index d8fae90..7dfaec2 100644
--- a/jspwiki-war/src/main/webapp/Diff.jsp
+++ b/jspwiki-war/src/main/webapp/Diff.jsp
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
--%>
<%@ page import="org.apache.log4j.*" %>
@@ -26,23 +26,27 @@
<%@ page errorPage="/Error.jsp" %>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
-<%!
- Logger log = Logger.getLogger("JSPWiki");
+<%!
+ Logger log = Logger.getLogger("JSPWiki");
%>
<%
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.DIFF );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
WatchDog w = wiki.getCurrentWatchDog();
try
{
w.enterState("Generating INFO response",60);
-
- // Notused ?
+
+ // Notused ?
// String pageurl = wiki.encodeName( pagereq );
// If "r1" is null, then assume current version (= -1)
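Review bot: This hunk mixes the security-relevant guard with whitespace-only edits (the `<%!` declaration, the `Logger` line, the blank line and the `// Notused ?` comment), which makes the fix harder to audit and to backport; PageInfo.jsp, Preview.jsp and Rename.jsp have the same mix. Keeping the whitespace cleanup in a separate commit would leave the guard after `hasAccess` as the only functional change. The `try` block opened in this hunk closes outside it.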
diff --git a/jspwiki-war/src/main/webapp/Edit.jsp b/jspwiki-war/src/main/webapp/Edit.jsp
index c8efc65..3727204 100644
--- a/jspwiki-war/src/main/webapp/Edit.jsp
+++ b/jspwiki-war/src/main/webapp/Edit.jsp
@@ -53,7 +53,11 @@
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.EDIT );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
WikiSession wikiSession = wikiContext.getWikiSession();
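Review bot: Nothing in the added guard bounds the redirect: it assumes that the request to `wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() )` comes back with a non-null command target, and if that ever fails to hold the client is redirected to the same JSP repeatedly. That resolution happens in `createContext`, outside this hunk, so it cannot be confirmed from here. The diffstat lists only the eight JSPs, so the commit adds no test. A regression test that requests each patched JSP without parameters and asserts a single redirect followed by the normal access decision would cover both the disclosure and the loop case.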
diff --git a/jspwiki-war/src/main/webapp/PageInfo.jsp b/jspwiki-war/src/main/webapp/PageInfo.jsp
index e6bd142..86885e4 100644
--- a/jspwiki-war/src/main/webapp/PageInfo.jsp
+++ b/jspwiki-war/src/main/webapp/PageInfo.jsp
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
--%>
<%@ page import="org.apache.log4j.*" %>
@@ -24,21 +24,25 @@
<%@ page errorPage="/Error.jsp" %>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
-<%!
- Logger log = Logger.getLogger("JSPWiki");
+<%!
+ Logger log = Logger.getLogger("JSPWiki");
%>
<%
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.INFO );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
-
+
WatchDog w = wiki.getCurrentWatchDog();
- try{
+ try {
w.enterState("Generating INFO response",60);
-
+
// Set the content type and include the response content
response.setContentType("text/html; charset="+wiki.getContentEncoding() );
String contentPage = wiki.getTemplateManager().findJSP( pageContext,
diff --git a/jspwiki-war/src/main/webapp/PageModified.jsp b/jspwiki-war/src/main/webapp/PageModified.jsp
index 2437fab..99924cc 100644
--- a/jspwiki-war/src/main/webapp/PageModified.jsp
+++ b/jspwiki-war/src/main/webapp/PageModified.jsp
@@ -34,7 +34,11 @@
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.CONFLICT );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
String usertext = (String)session.getAttribute( EditorManager.REQ_EDITEDTEXT );
diff --git a/jspwiki-war/src/main/webapp/Preview.jsp b/jspwiki-war/src/main/webapp/Preview.jsp
index 759a33f..1058fda 100644
--- a/jspwiki-war/src/main/webapp/Preview.jsp
+++ b/jspwiki-war/src/main/webapp/Preview.jsp
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
--%>
<%@ page import="org.apache.log4j.*" %>
@@ -25,15 +25,19 @@
<%@ page import="org.apache.wiki.ui.EditorManager" %>
<%@ page errorPage="/Error.jsp" %>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
-<%!
- Logger log = Logger.getLogger("JSPWiki");
+<%!
+ Logger log = Logger.getLogger("JSPWiki");
%>
<%
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.PREVIEW );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String pagereq = wikiContext.getName();
pageContext.setAttribute( EditorManager.ATTR_EDITEDTEXT,
@@ -45,7 +49,7 @@
pageContext.setAttribute( "lastchange",
lastchange,
PageContext.REQUEST_SCOPE );
-
+
// Set the content type and include the response content
response.setContentType("text/html; charset="+wiki.getContentEncoding() );
String contentPage = wiki.getTemplateManager().findJSP( pageContext,
diff --git a/jspwiki-war/src/main/webapp/Rename.jsp b/jspwiki-war/src/main/webapp/Rename.jsp
index 1f4ba09..703787d 100644
--- a/jspwiki-war/src/main/webapp/Rename.jsp
+++ b/jspwiki-war/src/main/webapp/Rename.jsp
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
--%>
<%@ page import="org.apache.log4j.*" %>
@@ -39,7 +39,11 @@
WikiEngine wiki = WikiEngine.getInstance( getServletConfig() );
// Create wiki context and check for authorization
WikiContext wikiContext = wiki.createContext( request, WikiContext.RENAME );
- if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response )) return;
+ if( !wiki.getAuthorizationManager().hasAccess( wikiContext, response ) ) return;
+ if( wikiContext.getCommand().getTarget() == null ) {
+ response.sendRedirect( wikiContext.getURL( wikiContext.getRequestContext(), wikiContext.getName() ) );
+ return;
+ }
String renameFrom = wikiContext.getName();
String renameTo = request.getParameter("renameto");
@@ -105,5 +109,5 @@
String contentPage = wiki.getTemplateManager().findJSP( pageContext,
wikiContext.getTemplate(),
"ViewTemplate.jsp" );
-
+
%><wiki:Include page="<%=contentPage%>" />
\ No newline at end of file