[qpid-broker-j] branch main updated: QPID-8594: [Broker-J] File Disclosure in management-http plugin (#136)
This is an automated email from the ASF dual-hosted git repository.
vavrtom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/main by this push:
new 5589ece8c3 QPID-8594: [Broker-J] File Disclosure in management-http plugin (#136)
5589ece8c3 is described below
commit 5589ece8c31eeca7ebb127cf7a266af4fcf28c74
Author: Daniil Kirilyuk <da...@gmail.com>
AuthorDate: Fri Jul 29 10:11:46 2022 +0200
QPID-8594: [Broker-J] File Disclosure in management-http plugin (#136)
---
.../RewriteRequestForUncompressedJavascript.java | 34 +++++++++-------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
index 155a6af02e..f9280d6e0f 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RewriteRequestForUncompressedJavascript.java
@@ -22,27 +22,23 @@
package org.apache.qpid.server.management.plugin.filter;
import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
-import org.apache.qpid.server.management.plugin.HttpManagementUtil;
-import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
-import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.plugin.QpidServiceLoader;
+/**
+ * Filter is active when context variable "qpid.httpManagement.serveUncompressedDojo" has value true.
+ *
+ * It redirects request from regular dojo file to uncompressed dojo file,
+ * e.g. /dojo/dojo.js => /dojo/dojo.js.uncompressed.js
+ *
+ * Is used mostly for debug purposes.
+ */
public class RewriteRequestForUncompressedJavascript implements Filter
{
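Review bot: The new class Javadoc says the filter "redirects" the request, but `doFilter` (in the second hunk) hands it off server-side through `RequestDispatcher.forward`, which is not an HTTP redirect and is not visible to the client; suggest `* It forwards a request for a regular dojo file to the uncompressed dojo file,`. The Javadoc also states the filter is active only when the context variable is true, yet no such check appears in this class; if that decision is made where the filter is registered, a one-line pointer to that location would keep the comment honest.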
@@ -54,27 +50,25 @@ public class RewriteRequestForUncompressedJavascript implements Filter
{
}
-
@Override
public void destroy()
{
}
@Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
- ServletException
+ public void doFilter(final ServletRequest request,
+ final ServletResponse response,
+ final FilterChain chain) throws IOException, ServletException
{
-
final String requestURI = ((HttpServletRequest) request).getRequestURI();
- if (requestURI.endsWith(JS_SUFFIX) && !requestURI.endsWith(UNCOMPRESSED_JS_SUFFIX))
+ if (requestURI.endsWith(JS_SUFFIX) && !requestURI.endsWith(UNCOMPRESSED_JS_SUFFIX) && !requestURI.contains("../"))
{
- final String replacementRequestURI = requestURI + UNCOMPRESSED_JS_SUFFIX;
- request.getRequestDispatcher(replacementRequestURI).forward(request, response);
+ final String uncompressedJsUri = requestURI + UNCOMPRESSED_JS_SUFFIX;
+ request.getRequestDispatcher(uncompressedJsUri).forward(request, response);
}
else
{
chain.doFilter(request, response);
}
}
-
}
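Review bot: The `!requestURI.contains("../")` guard added to the `if` line of `doFilter` runs against the raw, undecoded value of `getRequestURI()`, so percent-encoded forms such as `..%2F` or `%2e%2e/` (and a backslash `..\` variant) still pass the check and reach `getRequestDispatcher(uncompressedJsUri)`; whether the container decodes them before resolving the forward target is not visible here, so the guard should not be relied on alone. A sturdier check decodes and normalises the path first (`URI.normalize()` drops dot segments and `getPath()` returns the decoded form), then rejects anything that still contains `..` or a backslash before forwarding, as sketched below (needs `import java.net.URI;`). `URI.create` throws `IllegalArgumentException` on a malformed URI, so that case falls through to `chain.doFilter` rather than surfacing as a server error. The forward target `requestURI + UNCOMPRESSED_JS_SUFFIX` is kept as the commit has it.
```java
    public void doFilter(final ServletRequest request,
                         final ServletResponse response,
                         final FilterChain chain) throws IOException, ServletException
    {
        final String requestURI = ((HttpServletRequest) request).getRequestURI();
        final String path = normalisedPath(requestURI);
        // Decide on the decoded, dot-segment-free path; a literal check on the raw URI misses encoded segments
        if (path != null && path.endsWith(JS_SUFFIX) && !path.endsWith(UNCOMPRESSED_JS_SUFFIX)
            && !path.contains("..") && !path.contains("\\"))
        {
            final String uncompressedJsUri = requestURI + UNCOMPRESSED_JS_SUFFIX;
            request.getRequestDispatcher(uncompressedJsUri).forward(request, response);
        }
        else
        {
            chain.doFilter(request, response);
        }
    }

    /** Decoded, normalised path of the request URI, or null when the URI cannot be parsed. */
    private static String normalisedPath(final String requestURI)
    {
        try
        {
            return URI.create(requestURI).normalize().getPath();
        }
        catch (final IllegalArgumentException e)
        {
            // Unparseable URI: do not rewrite, let the rest of the chain handle it
            return null;
        }
    }
```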