Posted to commits@myfaces.apache.org by ma...@apache.org on 2008/11/12 08:58:02 UTC
svn commit: r713300 - in
/myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main:
java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/
java/org/apache/myfaces/trinidadinternal/util/nls/
xrts/org/apache/myfaces/trinidadinterna...
Author: matzew
Date: Tue Nov 11 23:58:01 2008
New Revision: 713300
URL: http://svn.apache.org/viewvc?rev=713300&view=rev
Log:
TRINIDAD-1258 - GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
Thx to Yee-Wah Lee for her patch
Modified:
myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/NamedLocaleInfoScriptlet.java
myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/util/nls/LocaleUtils.java
myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/xrts/org/apache/myfaces/trinidadinternal/resource/LoggerBundle.xrts
Modified: myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/NamedLocaleInfoScriptlet.java
URL: http://svn.apache.org/viewvc/myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/NamedLocaleInfoScriptlet.java?rev=713300&r1=713299&r2=713300&view=diff
==============================================================================
--- myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/NamedLocaleInfoScriptlet.java (original)
+++ myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/renderkit/core/xhtml/jsLibs/NamedLocaleInfoScriptlet.java Tue Nov 11 23:58:01 2008
@@ -74,18 +74,18 @@
/*
* Append an argument to the URL to indicate if this is the page locale
*/
- protected String getLibraryURL(
- FacesContext context,
- RenderingContext arc)
+ protected String getExtraParameters(
+ FacesContext context,
+ RenderingContext arc)
{
- StringBuffer sb = new StringBuffer (super.getLibraryURL(context, arc));
+ StringBuffer sb = new StringBuffer (super.getExtraParameters (context, arc));
if (!(_locale.equals(arc.getLocaleContext().getFormattingLocale())))
{
- sb.append("?skipTranslations=true");
+ sb.append("&skipTranslations=true");
}
return sb.toString();
}
-
+
/* Register as a distinct scriptlet for each locale, i.e. <country, language, Oraclevariant> */
@Override
public Object getScriptletKey()
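Review bot: The renamed `getExtraParameters` on L31 carries no `@Override`, while `getScriptletKey` two lines below does; because this commit changes the method name to match a superclass hook, the annotation is the only thing that would make the compiler reject a signature mismatch, and a silent non-override here would drop `skipTranslations` from the URL with no error at all. Add `@Override` on the line above `protected String getExtraParameters(`. The `&skipTranslations=true` appended on L40 also assumes the string returned by `super.getExtraParameters(context, arc)` already holds at least one parameter (or that the caller strips a leading `&`); the superclass is not visible in this hunk, so if it can return an empty string the assembled URL would contain a dangling `?&` and that is worth confirming. Minor: the `StringBuffer` on L36 never escapes the method, so `StringBuilder` would do. The enclosing class begins before this hunk and `getScriptletKey` continues past it.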
Modified: myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/util/nls/LocaleUtils.java
URL: http://svn.apache.org/viewvc/myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/util/nls/LocaleUtils.java?rev=713300&r1=713299&r2=713300&view=diff
==============================================================================
--- myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/util/nls/LocaleUtils.java (original)
+++ myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/java/org/apache/myfaces/trinidadinternal/util/nls/LocaleUtils.java Tue Nov 11 23:58:01 2008
@@ -21,6 +21,8 @@
import java.util.Locale;
import org.apache.myfaces.trinidad.context.LocaleContext;
+import javax.faces.context.FacesContext;
+import org.apache.myfaces.trinidad.logging.TrinidadLogger;
/**
* Utility class dealing with Locale-related issues, including
@@ -123,7 +125,67 @@
}
}
+ /*
+ * Validate the rules for Locale per its Javadoc:
+ * - The language argument is a valid ISO Language Code.
+ * These codes are the lower-case, two-letter codes as defined by ISO-639.
+ * - The country argument is a valid ISO Country Code. These
+ * codes are the upper-case, two-letter codes as defined by ISO-3166.
+ *
+ * Rather than checking a list, we check the length and case and ignore
+ * the arguments which fail to meet those criteria (use defaults instead).
+ */
+ if (language.length() != 2)
+ {
+ language = "";
+ _LOG.warning("INVALID_LOCALE_LANG_LENGTH", ianaString);
+ }
+ else
+ {
+ if (Character.isUpperCase(language.charAt(0)) ||
+ Character.isUpperCase(language.charAt(1)))
+ {
+ language = "";
+ _LOG.warning("INVALID_LOCALE_LANG_CASE", ianaString);
+ }
+ }
+ if (language.length() == 0)
+ {
+ Locale defaultLocale =
+ FacesContext.getCurrentInstance().getViewRoot().getLocale();
+ return defaultLocale;
+ }
+
+ if (country.length() > 0)
+ {
+ if (country.length() != 2)
+ {
+ country = "";
+ _LOG.warning("INVALID_LOCALE_COUNTRY_LENGTH", ianaString);
+ }
+ else
+ {
+ if (Character.isLowerCase(country.charAt(0)) ||
+ Character.isLowerCase(country.charAt(1)))
+ {
+ country = "";
+ _LOG.warning("INVALID_LOCALE_COUNTRY_CASE", ianaString);
+ }
+ }
+ }
+
+ if (variant.indexOf('/') > 0)
+ {
+ // Disallow slashes in the variant to avoid XSS
+ variant = "";
+ _LOG.warning("INVALID_LOCALE_VARIANT_HAS_SLASH", ianaString);
+ }
+
+
+
return new Locale(language, country, variant);
}
+ static private final TrinidadLogger _LOG = TrinidadLogger.createTrinidadLogger(LocaleUtils.class);
+
}
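Review bot: The variant guard on L113 tests `variant.indexOf('/') > 0`, so a variant that begins with a slash passes, and the slash is the only character this block rejects anywhere; the language and country checks before it verify only length and letter case, so a two-character value made of non-letters (`<>`, `"'`, `%2`) satisfies neither `isUpperCase` nor `isLowerCase` and reaches `new Locale(language, country, variant)` unchanged. Given the log line frames this as XSS in the scriptlet URL, an allow-list is the safer shape: `if (!variant.matches("[A-Za-z0-9_]*"))` in place of the slash test, and `!Character.isLetter(...)` added alongside the case checks on L81-L82 and L104-L105 (or a single `language.matches("[a-z]{2}")` / `country.matches("[A-Z]{2}")`). The method this sits in starts before the hunk, so I cannot see where `language`, `country`, `variant` and `ianaString` are parsed from or what the caller has already filtered; the point stands unless that code already restricts the character set. Separately, `FacesContext.getCurrentInstance().getViewRoot()` on L91 throws NPE when this utility runs outside a JSF request or before the view root exists, so a null check falling back to `Locale.getDefault()` would keep the helper usable from non-rendering code.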
Modified: myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/xrts/org/apache/myfaces/trinidadinternal/resource/LoggerBundle.xrts
URL: http://svn.apache.org/viewvc/myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/xrts/org/apache/myfaces/trinidadinternal/resource/LoggerBundle.xrts?rev=713300&r1=713299&r2=713300&view=diff
==============================================================================
--- myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/xrts/org/apache/myfaces/trinidadinternal/resource/LoggerBundle.xrts (original)
+++ myfaces/trinidad/branches/1.2.10.1-branch/trinidad-impl/src/main/xrts/org/apache/myfaces/trinidadinternal/resource/LoggerBundle.xrts Tue Nov 11 23:58:01 2008
@@ -1055,4 +1055,19 @@
<!-- DATETIMERANGEVALIDATOR_REQUIRES_VALUEHOLDER -->
<resource key="DATETIMERANGEVALIDATOR_REQUIRES_EDITABLEVALUEHOLDER">The DateTimeRangeValidator requires the component to be an EditableValueHolder for client validation to work. Client validation will be disabled for component {0}.</resource>
+<!-- INVALID_LOCALE_LANG_LENGTH -->
+<resource key="INVALID_LOCALE_LANG_LENGTH">Invalid language for Locale identifier {0} - language code must be 2 characters, see Locale javadoc for correct format. Will use current page locale.</resource>
+
+<!-- INVALID_LOCALE_LANG_CASE -->
+<resource key="INVALID_LOCALE_LANG_CASE">Invalid language for Locale identifier {0} - language code must be in lowercase, see Locale javadoc for correct format. Will use current page locale.</resource>
+
+<!-- INVALID_LOCALE_COUNTRY_LENGTH -->
+<resource key="INVALID_LOCALE_COUNTRY_LENGTH">Invalid country for Locale identifier {0} - country code must be 2 characters, see Locale javadoc for correct format. Will use empty string for country</resource>
+
+<!-- INVALID_LOCALE_COUNTRY_CASE -->
+<resource key="INVALID_LOCALE_COUNTRY_CASE">Invalid country for Locale identifier {0} - country code must be in uppercase, see Locale javadoc for correct format. Will use empty string for country</resource>
+
+<!-- INVALID_LOCALE_VARIANT_HAS_SLASH -->
+<resource key="INVALID_LOCALE_VARIANT_HAS_SLASH">Invalid variant for Locale identifier {0} - cannot contain slashes to avoid XSS attack. Will use empty string for variant.</resource>
+
</resources>