Posted to scm@geronimo.apache.org by jb...@apache.org on 2009/03/25 15:40:35 UTC
svn commit: r758274 - in /geronimo/server/branches/2.1:
framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/
framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/util/
framework/modules/geronimo-s...
Author: jbohn
Date: Wed Mar 25 14:40:27 2009
New Revision: 758274
URL: http://svn.apache.org/viewvc?rev=758274&view=rev
Log:
merge rev. 758252 from branches/2.1.4 - GERONIMO-4597 Validate Web Admin Console input
Added:
geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/util/InputUtils.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/util/InputUtils.java
geronimo/server/branches/2.1/plugins/console/console-filter/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/
geronimo/server/branches/2.1/plugins/console/console-filter/LICENSE.txt
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/LICENSE.txt
geronimo/server/branches/2.1/plugins/console/console-filter/NOTICE.txt
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/NOTICE.txt
geronimo/server/branches/2.1/plugins/console/console-filter/pom.xml
- copied, changed from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/pom.xml
geronimo/server/branches/2.1/plugins/console/console-filter/src/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/FilterResponseWrapper.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/FilterResponseWrapper.java
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/ResponseOutputStream.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/ResponseOutputStream.java
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSRFHandler.java
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSHandler.java
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/java/org/apache/geronimo/console/filter/XSSXSRFFilter.java
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/
- copied from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/resources/
geronimo/server/branches/2.1/plugins/console/console-filter/src/main/resources/XSRF.js
- copied unchanged from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/src/main/resources/XSRF.js
Modified:
geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
geronimo/server/branches/2.1/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/pom.xml
geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/src/main/webapp/WEB-INF/web.xml
geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/keystore/createKeystore.jsp
geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
geronimo/server/branches/2.1/plugins/console/console-portal-driver/pom.xml
geronimo/server/branches/2.1/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
geronimo/server/branches/2.1/plugins/console/pom.xml
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/pom.xml
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/java/org/apache/geronimo/monitoring/console/MonitoringPortlet.java
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddGraph.jsp
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddView.jsp
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/pom.xml
geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
Modified: geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java (original)
+++ geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java Wed Mar 25 14:40:27 2009
@@ -23,6 +23,8 @@
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashSet;
@@ -38,6 +40,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.geronimo.kernel.util.InputUtils;
import org.apache.geronimo.kernel.util.XmlUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -158,17 +161,7 @@
public void copyToRepository(File source, Artifact destination, FileWriteMonitor monitor) throws IOException {
// ensure there are no illegal chars in destination elements
- Matcher groupMatcher = ILLEGAL_CHARS.matcher(destination.getGroupId());
- Matcher artifactMatcher = ILLEGAL_CHARS.matcher(destination.getArtifactId());
- Matcher versionMatcher = ILLEGAL_CHARS.matcher(destination.getVersion().toString());
- Matcher typeMatcher = ILLEGAL_CHARS.matcher(destination.getType());
- if (groupMatcher.find() ||
- artifactMatcher.find() ||
- versionMatcher.find() ||
- typeMatcher.find())
- {
- throw new IllegalArgumentException("Artifact "+destination+" contains illegal characters, .. ( ) < > , ; : / \\ \' \" ");
- }
+ InputUtils.validateSafeInput(new ArrayList(Arrays.asList(destination.getGroupId(), destination.getArtifactId(), destination.getVersion().toString(), destination.getType())));
if(!destination.isResolved()) {
throw new IllegalArgumentException("Artifact "+destination+" is not fully resolved");
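Review bot: The new validateSafeInput call hides the rule set that matters for this method: InputUtils.java is copied unchanged and not shown, so a reader can no longer see that `..`, `/`, `\` and the quoting characters the removed ILLEGAL_CHARS check rejected are still refused before the artifact coordinates become a path under the repository, and the specific error text is gone too. I would keep that contract visible with a comment on the call, e.g. `// InputUtils rejects path separators, '..' and quoting/HTML metacharacters before these become path elements`, naming the real InputUtils constant if it has one. The argument is also built as a raw `new ArrayList(Arrays.asList(...))`; unless validateSafeInput mutates its argument, `InputUtils.validateSafeInput(Arrays.asList(destination.getGroupId(), destination.getArtifactId(), destination.getVersion().toString(), destination.getType()));` is equivalent and avoids the raw type. If ILLEGAL_CHARS and the Matcher import are now unused elsewhere in the class they should go in the same change; copyToRepository continues outside the hunk.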
Modified: geronimo/server/branches/2.1/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java (original)
+++ geronimo/server/branches/2.1/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/keystore/FileKeystoreManager.java Wed Mar 25 14:40:27 2009
@@ -58,6 +58,7 @@
import org.apache.geronimo.kernel.config.ConfigurationUtil;
import org.apache.geronimo.kernel.config.EditableConfigurationManager;
import org.apache.geronimo.kernel.config.InvalidConfigException;
+import org.apache.geronimo.kernel.util.InputUtils;
import org.apache.geronimo.management.geronimo.KeyIsLocked;
import org.apache.geronimo.management.geronimo.KeystoreException;
import org.apache.geronimo.management.geronimo.KeystoreInstance;
@@ -367,6 +368,10 @@
}
public KeystoreInstance createKeystore(String name, char[] password, String keystoreType) throws KeystoreException {
+
+ // ensure there are no illegal chars in DB name
+ InputUtils.validateSafeInput(name);
+
File test = new File(directory, name);
if(test.exists()) {
throw new IllegalArgumentException("Keystore already exists "+test.getAbsolutePath()+"!");
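Review bot: The added comment says "DB name", but the value being checked here is the keystore name that is used as a file name in `new File(directory, name)` on the next line; the comment should say so, e.g. `// ensure there are no illegal chars in the keystore name (it becomes a file name under 'directory')`. A character denylist is also a weaker guard than canonicalization for a name that becomes a path element, so I would additionally confirm the resolved file stays inside the keystore directory, e.g. `test.getCanonicalPath().startsWith(directory.getCanonicalPath() + File.separator)`, wrapping the IOException in the KeystoreException this method already declares. What validateSafeInput throws on a bad name is not visible in this commit; callers of createKeystore presumably need to handle it. The method body continues outside the hunk.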
Modified: geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/pom.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/pom.xml Wed Mar 25 14:40:27 2009
@@ -39,6 +39,12 @@
<dependencies>
<dependency>
+ <groupId>org.apache.geronimo.plugins</groupId>
+ <artifactId>console-filter</artifactId>
+ <version>${version}</version>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>geronimo-kernel</artifactId>
<version>${version}</version>
Modified: geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/src/main/webapp/WEB-INF/web.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1/plugins/ca-helper/geronimo-ca-helper/src/main/webapp/WEB-INF/web.xml Wed Mar 25 14:40:27 2009
@@ -23,6 +23,20 @@
<description>
CA Helper
</description>
+
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
+
<servlet>
<display-name>CertificateRequestServlet</display-name>
<servlet-name>CertificateRequestServlet</servlet-name>
Modified: geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/keystore/createKeystore.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/keystore/createKeystore.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/keystore/createKeystore.jsp (original)
+++ geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/keystore/createKeystore.jsp Wed Mar 25 14:40:27 2009
@@ -29,8 +29,12 @@
var <portlet:namespace/>requiredFields = new Array("filename", "password");
var <portlet:namespace/>passwordFields = new Array("password");
function <portlet:namespace/>validateForm(){
+ var illegalChars= /[\.]{2}|[()<>,;:\\/"'\|]/ ;
if(!textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields)) {
return false;
+ } else if (document.forms[<portlet:namespace/>formName].filename.value.match(illegalChars)) {
+ alert("Keystore name contains illegal characters");
+ return false;
}
if(!passwordElementsConfirm(<portlet:namespace/>formName, <portlet:namespace/>passwordFields)) {
return false;
Modified: geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp (original)
+++ geronimo/server/branches/2.1/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp Wed Mar 25 14:40:27 2009
@@ -26,19 +26,19 @@
<c:set var="reslist" value="${requestScope['org.apache.geronimo.console.repo.list']}"/>
<style type="text/css">
- div.Hidden {
- display: none;
- }
-
- div.Shown {
- display: block;
- font-size: 10px;
- }
+ div.Hidden {
+ display: none;
+ }
+
+ div.Shown {
+ display: block;
+ font-size: 10px;
+ }
</style>
<script language="JavaScript">
function <portlet:namespace/>validateForm() {
- var illegalChars= /[\.]{2}|[()<>,;:\\/"']/ ;
+ var illegalChars= /[\.]{2}|[()<>,;:\\/"'\|]/ ;
if (! (document.<portlet:namespace/>fileSelect.local.value
&& document.<portlet:namespace/>fileSelect.group.value
&& document.<portlet:namespace/>fileSelect.artifact.value
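Review bot: The hunk mixes a whitespace-only reindent of the CSS block with the one functional change, adding `\|` to `illegalChars`, which makes the real change easy to miss in review; I would keep the reindent out of a security fix. The server side for this form (AbstractRepository.copyToRepository in this commit) now delegates to InputUtils, whose character list is not shown, so whether `|` is also rejected there cannot be confirmed from this diff and should be checked so the two lists agree. validateForm continues outside the hunk.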
Copied: geronimo/server/branches/2.1/plugins/console/console-filter/pom.xml (from r758252, geronimo/server/branches/2.1.4/plugins/console/console-filter/pom.xml)
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-filter/pom.xml?p2=geronimo/server/branches/2.1/plugins/console/console-filter/pom.xml&p1=geronimo/server/branches/2.1.4/plugins/console/console-filter/pom.xml&r1=758252&r2=758274&rev=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1.4/plugins/console/console-filter/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/console/console-filter/pom.xml Wed Mar 25 14:40:27 2009
@@ -25,7 +25,7 @@
<parent>
<groupId>org.apache.geronimo.plugins</groupId>
<artifactId>console</artifactId>
- <version>2.1.4-SNAPSHOT</version>
+ <version>2.1.5-SNAPSHOT</version>
</parent>
<artifactId>console-filter</artifactId>
Modified: geronimo/server/branches/2.1/plugins/console/console-portal-driver/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-portal-driver/pom.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-portal-driver/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/console/console-portal-driver/pom.xml Wed Mar 25 14:40:27 2009
@@ -33,6 +33,12 @@
<packaging>war</packaging>
<dependencies>
+ <dependency>
+ <groupId>org.apache.geronimo.plugins</groupId>
+ <artifactId>console-filter</artifactId>
+ <version>${version}</version>
+ </dependency>
+
<!-- for jspc maven plugin -->
<dependency>
<groupId>org.apache.geronimo.framework</groupId>
Modified: geronimo/server/branches/2.1/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1/plugins/console/console-portal-driver/src/main/webapp/WEB-INF/web.xml Wed Mar 25 14:40:27 2009
@@ -31,6 +31,19 @@
<param-value>/WEB-INF/pluto-portal-driver-services-config.xml</param-value>
</context-param>
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
+
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
Modified: geronimo/server/branches/2.1/plugins/console/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/console/pom.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/console/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/console/pom.xml Wed Mar 25 14:40:27 2009
@@ -48,6 +48,7 @@
<module>geronimo-converter</module>
<module>console-core</module>
<module>console-base-portlets</module>
+ <module>console-filter</module>
<module>console-portal-driver</module>
<module>console-ear</module>
<module>console-tomcat</module>
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/pom.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/pom.xml Wed Mar 25 14:40:27 2009
@@ -37,6 +37,13 @@
<description>Geronimo Monitorin Console :: WEB Module</description>
<dependencies>
+
+ <dependency>
+ <groupId>org.apache.geronimo.plugins</groupId>
+ <artifactId>console-filter</artifactId>
+ <version>${version}</version>
+ </dependency>
+
<dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>geronimo-management</artifactId>
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/java/org/apache/geronimo/monitoring/console/MonitoringPortlet.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/java/org/apache/geronimo/monitoring/console/MonitoringPortlet.java?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/java/org/apache/geronimo/monitoring/console/MonitoringPortlet.java (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/java/org/apache/geronimo/monitoring/console/MonitoringPortlet.java Wed Mar 25 14:40:27 2009
@@ -510,7 +510,7 @@
DBManager DBase = new DBManager();
Connection con = DBase.getConnection();
String name = actionRequest.getParameter("name");
- String description = actionRequest.getParameter("description");
+ String description = actionRequest.getParameter("minxss_description");
String[] graphsArray = actionRequest.getParameterValues("graph_ids");
if (graphsArray == null) {
graphsArray = new String[0];
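Review bot: The parameter name `"minxss_description"` is now repeated as a bare literal in four action handlers of this class and in the JSPs, and nothing in the Java code explains what the `minxss_` prefix means; presumably it tells XSSXSRFFilter to apply a relaxed rule to this free-text field, but that is an inference from the name, not something this commit documents. I would introduce `private static final String DESCRIPTION_PARAM = "minxss_description"; // "minxss_" prefix: see console-filter XSSHandler for how this field is treated` and use it in all four places, so the convention has one home. The JSP field names must stay in step with it, which is another reason to centralise. The enclosing method starts outside the hunk.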
@@ -553,7 +553,7 @@
DBManager DBase = new DBManager();
Connection con = DBase.getConnection();
String name = actionRequest.getParameter("name");
- String description = actionRequest.getParameter("description");
+ String description = actionRequest.getParameter("minxss_description");
String[] graphsArray = actionRequest.getParameterValues("graph_ids");
if (graphsArray == null) {
graphsArray = new String[0];
@@ -797,7 +797,7 @@
DBManager DBase = new DBManager();
Connection con = DBase.getConnection();
String name = actionRequest.getParameter("name");
- String description = actionRequest.getParameter("description");
+ String description = actionRequest.getParameter("minxss_description");
String server_id = actionRequest.getParameter("server_id");
String xlabel = actionRequest.getParameter("xlabel");
String ylabel = actionRequest.getParameter("ylabel");
@@ -870,7 +870,7 @@
actionResponse.setRenderParameter("graph_id", graph_id);
String name = actionRequest.getParameter("name");
- String description = actionRequest.getParameter("description");
+ String description = actionRequest.getParameter("minxss_description");
String server_id = actionRequest.getParameter("server_id");
String xlabel = actionRequest.getParameter("xlabel");
String ylabel = actionRequest.getParameter("ylabel");
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddGraph.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddGraph.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddGraph.jsp (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddGraph.jsp Wed Mar 25 14:40:27 2009
@@ -459,7 +459,7 @@
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
<td align="right"><textarea rows="5" cols="50"
- name="description"></textarea></td>
+ name="minxss_description"></textarea></td>
<td></td>
</tr>
<tr>
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddView.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddView.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddView.jsp (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringAddView.jsp Wed Mar 25 14:40:27 2009
@@ -56,7 +56,7 @@
}
function validate() {
if (! (document.addView.name.value
- && document.addView.description.value ))
+ && document.addView.minxss_description.value ))
{
alert("Name and Description are required fields");
return false;
@@ -100,7 +100,7 @@
<tr>
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
- <td align="right"><textarea rows="5" cols="50" name="description"></textarea></td>
+ <td align="right"><textarea rows="5" cols="50" name="minxss_description"></textarea></td>
</tr>
<tr>
<td><fmt:message key="monitor.common.graph"/>:</td>
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditGraph.jsp Wed Mar 25 14:40:27 2009
@@ -508,7 +508,7 @@
<tr>
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
- <td align="right"><textarea rows="5" cols="50" name="description"><%=description%></textarea></td>
+ <td align="right"><textarea rows="5" cols="50" name="minxss_description"><%=description%></textarea></td>
<td></td>
</tr>
<tr>
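Review bot: The value is still written back into the textarea with an unescaped `<%=description%>`; if the `minxss_` prefix this commit introduces relaxes the filter for this field (inferred from the name, not shown), a stored description containing `</textarea><script>` would break out of the element when the graph is edited. The page already uses the fmt taglib, so if the JSTL core taglib is declared too the line can become `<td align="right"><textarea rows="5" cols="50" name="minxss_description"><c:out value="<%=description%>"/></textarea></td>`; otherwise escape it in the portlet before rendering. The same pattern appears in monitoringEditView.jsp in this commit.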
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp Wed Mar 25 14:40:27 2009
@@ -73,7 +73,7 @@
}
function validate() {
if (! (document.editView.name.value
- && document.editView.description.value ))
+ && document.editView.minxss_description.value ))
{
alert("Name and Description are required fields");
return false;
@@ -128,7 +128,7 @@
<tr>
<td><fmt:message key="monitor.common.desc"/>:</td>
<td> </td>
- <td align="right"><textarea rows="5" cols="50" name="description"><%=description%></textarea></td>
+ <td align="right"><textarea rows="5" cols="50" name="minxss_description"><%=description%></textarea></td>
</tr>
<tr>
<td valign="top"><fmt:message key="monitor.common.graph"/>:</td>
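Review bot: As in monitoringEditGraph.jsp, `<%=description%>` is echoed unescaped inside the textarea, so any markup stored in the description ends up in the page; the new `minxss_` field name suggests the filter treats this field less strictly (inferred), which makes escaping on output the right place for the guard. With the JSTL core taglib declared this becomes `<textarea rows="5" cols="50" name="minxss_description"><c:out value="<%=description%>"/></textarea>`; if the taglib is not available here, escape in the portlet before setting the render attribute.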
Modified: geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml Wed Mar 25 14:40:27 2009
@@ -19,6 +19,23 @@
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ <init-param>
+ <param-name>enableXSRF</param-name>
+ <param-value>false</param-value>
+ </init-param>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
+
<servlet>
<servlet-name>monitoring</servlet-name>
<servlet-class>org.apache.pluto.core.PortletServlet</servlet-class>
Modified: geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java (original)
+++ geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java Wed Mar 25 14:40:27 2009
@@ -25,6 +25,8 @@
import java.sql.SQLException;
import java.sql.Statement;
+import org.apache.geronimo.kernel.util.InputUtils;
+
public class RunSQLHelper {
private final static Log log = LogFactory.getLog(RunSQLHelper.class);
@@ -46,6 +48,10 @@
private static final String BAK_PREFIX = "BAK_";
public String createDB(String dbName) {
+
+ // ensure there are no illegal chars in DB name
+ InputUtils.validateSafeInput(dbName);
+
String result = DB_CREATED_MSG + ": " + dbName;
Connection conn = null;
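Review bot: createDB reports everything else through its String result, but the new validateSafeInput call presumably throws on a bad name (the AbstractRepository hunk replaced an explicit IllegalArgumentException with it), so a rejected database name now leaves this method by exception while other failures come back as a message; the caller in the portlet should be checked for that, or the check wrapped so it returns a failure message in the same style as the existing error results. The comment should also say what the name is used for, e.g. `// ensure there are no illegal chars in the DB name: it is used to build the JDBC URL below`, if that is indeed how the code past the hunk uses it. The method continues outside the hunk.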
Modified: geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp (original)
+++ geronimo/server/branches/2.1/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp Wed Mar 25 14:40:27 2009
@@ -28,9 +28,16 @@
var <portlet:namespace/>requiredFields2 = new Array("sqlStmts");
function <portlet:namespace/>validateForm1(){
+ var illegalChars= /[\.]{2}|[()<>,;:\\/"'\|]/ ;
var action = document.forms[<portlet:namespace/>formName].elements['action'];
action.value="Create";
- return textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields);
+ if (!textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields))
+ {
+ return false;
+ } else if (document.forms[<portlet:namespace/>formName].createDB.value.match(illegalChars)) {
+ alert("Database name contains illegal characters");
+ return false;
+ }
}
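Review bot: validateForm1 no longer returns anything on the success path: the original returned the result of textElementsNotEmpty, but the new if/else-if chain only ever returns `false`, so a valid form yields `undefined`, and if the form is wired as `onsubmit="return ...validateForm1()"` (the usual pattern for these validators) the Create action can never be submitted. Add `return true;` after the closing brace of the else-if, i.e. before the function's `}`. The same `illegalChars` literal now appears in three JSPs in this commit and would be better shared.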
function <portlet:namespace/>validateForm2(){
var action = document.forms[<portlet:namespace/>formName].elements['action'];
Modified: geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/pom.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/pom.xml (original)
+++ geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/pom.xml Wed Mar 25 14:40:27 2009
@@ -40,6 +40,12 @@
<dependencies>
<dependency>
+ <groupId>org.apache.geronimo.plugins</groupId>
+ <artifactId>console-filter</artifactId>
+ <version>${version}</version>
+ </dependency>
+
+ <dependency>
<groupId>org.apache.geronimo.framework</groupId>
<artifactId>geronimo-plugin</artifactId>
<version>${version}</version>
Modified: geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml?rev=758274&r1=758273&r2=758274&view=diff
==============================================================================
--- geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml (original)
+++ geronimo/server/branches/2.1/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml Wed Mar 25 14:40:27 2009
@@ -26,46 +26,17 @@
Welcome to Geronimo
</description>
- <!--<servlet>-->
- <!--<servlet-name>jsp_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/jsp-examples-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet>-->
- <!--<servlet-name>servlet_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/servlet-examples-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet>-->
- <!--<servlet-name>ldap_sample_installer</servlet-name>-->
- <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
- <!--<init-param>-->
- <!--<param-name>moduleId</param-name>-->
- <!--<param-value>org.apache.geronimo.samples/ldap-sample-app-SERVER//car</param-value>-->
- <!--</init-param>-->
- <!--</servlet>-->
-
- <!--<servlet-mapping>-->
- <!--<servlet-name>jsp_sample_installer</servlet-name>-->
- <!--<url-pattern>/jsp-examples/*</url-pattern>-->
- <!--</servlet-mapping>-->
-
- <!--<servlet-mapping>-->
- <!--<servlet-name>servlet_sample_installer</servlet-name>-->
- <!--<url-pattern>/servlets-examples/*</url-pattern>-->
- <!--</servlet-mapping>-->
-
- <!---<servlet-mapping>-->
- <!--<servlet-name>ldap_sample_installer</servlet-name>-->
- <!--<url-pattern>/ldap-demo/*</url-pattern>-->
- <!--</servlet-mapping>-->
+ <!-- XSS/XSRF filter -->
+ <filter>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>XSSXSRFFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+ <listener>
+ <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+ </listener>
</web-app>