You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by se...@apache.org on 2013/06/19 11:56:28 UTC

svn commit: r866334 - /websites/production/commons/content/proper/commons-transaction/apidocs/index.html

Author: sebb
Date: Wed Jun 19 09:56:28 2013
New Revision: 866334

Log:
Apply fix for CVE-2013-1571, a frame injection attack

Modified:
    websites/production/commons/content/proper/commons-transaction/apidocs/index.html

Modified: websites/production/commons/content/proper/commons-transaction/apidocs/index.html
==============================================================================
--- websites/production/commons/content/proper/commons-transaction/apidocs/index.html (original)
+++ websites/production/commons/content/proper/commons-transaction/apidocs/index.html Wed Jun 19 09:56:28 2013
@@ -1,33 +1,69 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
-<!-- NewPage -->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html" charset="iso-8859-1">
-<title>Commons Transaction 1.3-SNAPSHOT API</title>
-<script type="text/javascript">
-    targetPage = "" + window.location.search;
-    if (targetPage != "" && targetPage != "undefined")
-        targetPage = targetPage.substring(1);
-    if (targetPage.indexOf(":") != -1)
-        targetPage = "undefined";
-    function loadFrames() {
-        if (targetPage != "" && targetPage != "undefined")
-             top.classFrame.location = top.targetPage;
-    }
-</script>
-</head>
-<frameset cols="20%,80%" title="Documentation frame" onload="top.loadFrames()">
-<frameset rows="30%,70%" title="Left frames" onload="top.loadFrames()">
-<frame src="overview-frame.html" name="packageListFrame" title="All Packages">
-<frame src="allclasses-frame.html" name="packageFrame" title="All classes and interfaces (except non-static nested types)">
-</frameset>
-<frame src="overview-summary.html" name="classFrame" title="Package, class and interface descriptions" scrolling="yes">
-<noframes>
-<noscript>
-<div>JavaScript is disabled on your browser.</div>
-</noscript>
-<h2>Frame Alert</h2>
-<p>This document is designed to be viewed using the frames feature. If you see this message, you are using a non-frame-capable web client. Link to <a href="overview-summary.html">Non-frame version</a>.</p>
-</noframes>
-</frameset>
-</html>
\ No newline at end of file
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
+<!-- NewPage -->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html" charset="iso-8859-1">
+<title>Commons Transaction 1.3-SNAPSHOT API</title>
+<script type="text/javascript">
+    targetPage = "" + window.location.search;
+    if (targetPage != "" && targetPage != "undefined")
+        targetPage = targetPage.substring(1);
+    if (targetPage.indexOf(":") != -1)
+        targetPage = "undefined";
+    if (targetPage != "" && !validURL(targetPage))
+        targetPage = "undefined";
+    function validURL(url) {
+        var pos = url.indexOf(".html");
+        if (pos == -1 || pos != url.length - 5)
+            return false;
+        var allowNumber = false;
+        var allowSep = false;
+        var seenDot = false;
+        for (var i = 0; i < url.length - 5; i++) {
+            var ch = url.charAt(i);
+            if ('a' <= ch && ch <= 'z' ||
+                    'A' <= ch && ch <= 'Z' ||
+                    ch == '$' ||
+                    ch == '_') {
+                allowNumber = true;
+                allowSep = true;
+            } else if ('0' <= ch && ch <= '9'
+                    || ch == '-') {
+                if (!allowNumber)
+                     return false;
+            } else if (ch == '/' || ch == '.') {
+                if (!allowSep)
+                    return false;
+                allowNumber = false;
+                allowSep = false;
+                if (ch == '.')
+                     seenDot = true;
+                if (ch == '/' && seenDot)
+                     return false;
+            } else {
+                return false;
+            }
+        }
+        return true;
+    }
+    function loadFrames() {
+        if (targetPage != "" && targetPage != "undefined")
+             top.classFrame.location = top.targetPage;
+    }
+</script>
+</head>
+<frameset cols="20%,80%" title="Documentation frame" onload="top.loadFrames()">
+<frameset rows="30%,70%" title="Left frames" onload="top.loadFrames()">
+<frame src="overview-frame.html" name="packageListFrame" title="All Packages">
+<frame src="allclasses-frame.html" name="packageFrame" title="All classes and interfaces (except non-static nested types)">
+</frameset>
+<frame src="overview-summary.html" name="classFrame" title="Package, class and interface descriptions" scrolling="yes">
+<noframes>
+<noscript>
+<div>JavaScript is disabled on your browser.</div>
+</noscript>
+<h2>Frame Alert</h2>
+<p>This document is designed to be viewed using the frames feature. If you see this message, you are using a non-frame-capable web client. Link to <a href="overview-summary.html">Non-frame version</a>.</p>
+</noframes>
+</frameset>
+</html>