Posted to commits@jena.apache.org by an...@apache.org on 2012/10/13 18:25:17 UTC
svn commit: r1397891 - in
/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki:
FusekiLib.java mgt/ActionBackup.java mgt/ActionDataset.java
servlets/ResponseResultSet.java validation/DataValidator.java
Author: andy
Date: Sat Oct 13 16:25:16 2012
New Revision: 1397891
URL: http://svn.apache.org/viewvc?rev=1397891&view=rev
Log:
JENA-243 (suggested-xss-fixes.patch)
Modified:
jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/FusekiLib.java
jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionBackup.java
jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionDataset.java
jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/servlets/ResponseResultSet.java
jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/validation/DataValidator.java
Modified: jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/FusekiLib.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/FusekiLib.java?rev=1397891&r1=1397890&r2=1397891&view=diff
==============================================================================
--- jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/FusekiLib.java (original)
+++ jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/FusekiLib.java Sat Oct 13 16:25:16 2012
@@ -23,6 +23,7 @@ import java.util.Map ;
import javax.servlet.http.HttpServletRequest ;
+import org.apache.commons.lang.StringUtils ;
import org.openjena.atlas.lib.MultiMap ;
import org.openjena.atlas.web.MediaType ;
import org.openjena.riot.Lang ;
@@ -176,5 +177,13 @@ public class FusekiLib
}
return map ;
}
+
+ public static String safeParameter(HttpServletRequest request, String pName)
+ {
+ String value = request.getParameter("dataset") ;
+ value = StringUtils.replaceChars(value, "\r", "") ;
+ value = StringUtils.replaceChars(value, "\n", "") ;
+ return value ;
+ }
}
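Review bot: safeParameter ignores its pName argument — the line `String value = request.getParameter("dataset") ;` hard-codes the parameter name, so the DataValidator call in the last hunk of this commit (`FusekiLib.safeParameter(httpRequest, paramSyntax)`) will read ?dataset instead of the syntax parameter and silently fall through to the NQUADS default; the ActionBackup and ActionDataset callers happen to pass "dataset" and are unaffected. It should read `String value = request.getParameter(pName) ;`. Removing CR and LF blocks header and log line injection but does not neutralise HTML or script metacharacters, so a caller that echoes the value into a page still needs output encoding; a Javadoc stating that contract would help, e.g. `/** Returns the named request parameter with CR and LF removed (null if absent); callers must still encode the value for HTML output. */`. StringUtils.replaceChars returns null for a null input, so the existing null checks in the callers keep working.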
Modified: jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionBackup.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionBackup.java?rev=1397891&r1=1397890&r2=1397891&view=diff
==============================================================================
--- jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionBackup.java (original)
+++ jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionBackup.java Sat Oct 13 16:25:16 2012
@@ -20,12 +20,7 @@ package org.apache.jena.fuseki.mgt ;
import static java.lang.String.format ;
-import java.io.BufferedOutputStream ;
-import java.io.FileNotFoundException ;
-import java.io.FileOutputStream ;
-import java.io.IOException ;
-import java.io.OutputStream ;
-import java.io.PrintWriter ;
+import java.io.* ;
import java.util.concurrent.Callable ;
import java.util.concurrent.ExecutorService ;
import java.util.concurrent.Executors ;
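Review bot: Replacing the six explicit java.io imports with `import java.io.* ;` is a style regression unrelated to the fix in the log message; a wildcard import hides which types the file actually depends on and can introduce ambiguity if another imported package later gains a same-named class. Restoring the explicit import lines that were removed (only those still referenced in the file) would be preferable. The rest of ActionBackup's import block lies outside this hunk, so whether all six are still used cannot be confirmed from here.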
@@ -35,6 +30,7 @@ import javax.servlet.http.HttpServletReq
import javax.servlet.http.HttpServletResponse ;
import org.apache.jena.fuseki.FusekiException ;
+import org.apache.jena.fuseki.FusekiLib ;
import org.apache.jena.fuseki.http.HttpSC ;
import org.apache.jena.fuseki.server.DatasetRef ;
import org.apache.jena.fuseki.server.DatasetRegistry ;
@@ -66,7 +62,7 @@ public class ActionBackup extends Servle
// request.getRemoteUser() ;
// request.getUserPrincipal() ;
- String dataset = request.getParameter("dataset") ;
+ String dataset = FusekiLib.safeParameter(request, "dataset") ;
if ( dataset == null )
{
response.sendError(HttpSC.BAD_REQUEST_400, "Required parameter missing: ?dataset=") ;
Modified: jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionDataset.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionDataset.java?rev=1397891&r1=1397890&r2=1397891&view=diff
==============================================================================
--- jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionDataset.java (original)
+++ jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/mgt/ActionDataset.java Sat Oct 13 16:25:16 2012
@@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRes
import javax.servlet.http.HttpSession ;
import org.apache.commons.codec.binary.Base64 ;
+import org.apache.jena.fuseki.FusekiLib ;
import org.apache.jena.fuseki.HttpNames ;
import org.apache.jena.fuseki.http.HttpSC ;
import org.apache.jena.fuseki.server.DatasetRegistry ;
@@ -42,7 +43,7 @@ public class ActionDataset extends HttpS
// request.getRemoteUser() ;
// request.getUserPrincipal() ;
- String dataset = request.getParameter("dataset") ;
+ String dataset = FusekiLib.safeParameter(request, "dataset") ;
HttpSession session = request.getSession(true) ;
session.setAttribute("dataset", dataset) ;
session.setMaxInactiveInterval(15*60) ; // 10 mins
Modified: jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/servlets/ResponseResultSet.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/servlets/ResponseResultSet.java?rev=1397891&r1=1397890&r2=1397891&view=diff
==============================================================================
--- jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/servlets/ResponseResultSet.java (original)
+++ jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/servlets/ResponseResultSet.java Sat Oct 13 16:25:16 2012
@@ -26,6 +26,7 @@ import javax.servlet.ServletOutputStream
import javax.servlet.http.HttpServletRequest ;
import javax.servlet.http.HttpServletResponse ;
+import org.apache.commons.lang.StringUtils ;
import org.apache.jena.fuseki.DEF ;
import org.apache.jena.fuseki.FusekiException ;
import org.apache.jena.fuseki.conneg.ConNeg ;
@@ -80,7 +81,7 @@ public class ResponseResultSet
doResponseResultSet$(resultSet, null, request, response) ;
}
- // if we refatcor the conneg into a single function, we can split boolean and result set handling.
+ // If we refactor the conneg into a single function, we can split boolean and result set handling.
// One or the other argument must be null
private static void doResponseResultSet$(final ResultSet resultSet, final Boolean booleanResult, HttpServletRequest request, HttpServletResponse response)
@@ -97,7 +98,6 @@ public class ResponseResultSet
throw new FusekiException("Both result set and boolean result are set") ;
}
- // Content negotiation
String mimeType = null ;
MediaType i = ConNeg.chooseContentType(request, DEF.rsOffer, DEF.acceptRSXML) ;
if ( i != null )
@@ -296,6 +296,8 @@ public class ResponseResultSet
{
try {
String callback = ResponseOps.paramCallback(httpRequest) ;
+ callback = StringUtils.replaceChars(callback, "\r", "") ;
+ callback = StringUtils.replaceChars(callback, "\n", "") ;
ServletOutputStream out = httpResponse.getOutputStream() ;
if ( callback != null )
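Review bot: Stripping CR and LF from the JSONP callback does not make it safe to emit as script: the value is still written out verbatim, so any other character sequence supplied in the callback parameter reaches the client as JavaScript. The two added replaceChars lines should be replaced by a strict allow-list check that rejects anything that is not a plain identifier, e.g. `if ( callback != null && !callback.matches("[A-Za-z_$][A-Za-z0-9_$.]*") ) throw new FusekiException("Bad callback parameter") ;` (FusekiException is already imported in this file; responding with a 400 status instead would be equally acceptable if the servlet has an error path for that). The enclosing method starts and ends outside the hunk, so how the callback is written to the stream is inferred from the `if ( callback != null )` guard that follows.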
Modified: jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/validation/DataValidator.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/validation/DataValidator.java?rev=1397891&r1=1397890&r2=1397891&view=diff
==============================================================================
--- jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/validation/DataValidator.java (original)
+++ jena/trunk/jena-fuseki/src/main/java/org/apache/jena/fuseki/validation/DataValidator.java Sat Oct 13 16:25:16 2012
@@ -29,6 +29,7 @@ import javax.servlet.ServletOutputStream
import javax.servlet.http.HttpServletRequest ;
import javax.servlet.http.HttpServletResponse ;
+import org.apache.jena.fuseki.FusekiLib ;
import org.openjena.atlas.io.IO ;
import org.openjena.atlas.lib.Sink ;
import org.openjena.atlas.lib.SinkWrapper ;
@@ -69,7 +70,7 @@ public class DataValidator extends Valid
if ( tokenizer == null )
return ;
- String syntax = httpRequest.getParameter(paramSyntax) ;
+ String syntax = FusekiLib.safeParameter(httpRequest, paramSyntax) ;
if ( syntax == null || syntax.equals("") )
syntax = Lang.NQUADS.getName() ;