Posted to commits@roller.apache.org by mb...@apache.org on 2021/07/04 22:07:55 UTC

[roller] branch master updated (58e61b0 -> 8e09e8f)

This is an automated email from the ASF dual-hosted git repository.

mbien pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git.


    from 58e61b0  Merge pull request #90 from snoopdave/parse-referrer
     new 97cf6e7  TagDataServlet input validation.
     new 2c68105  OpenSearchServlet input validation.
     new 21c3c32  weblog handle validation.
     new 253c309  WeblogRequest and WeblogFeedRequest input validation.
     new 89ec086  Exception handling can be simplified since velocity is now throwing subtypes of VelocityException.
     new b498567  exception handling / logging.
     new 2fc77ed  added error pages for 400 and 500 errors.
     new f816257  fix: this should be && not ||.
     new 8e09e8f  escape html in weblog title + remove non alphanumeric chars in tags.

The 9 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../business/jpa/JPAWeblogManagerImpl.java         | 22 +++++++-
 .../comments/CommentAuthenticatorUtils.java        |  8 ++-
 .../ui/rendering/servlets/CommentServlet.java      |  6 +-
 .../ui/rendering/servlets/FeedServlet.java         |  2 +-
 .../ui/rendering/servlets/SearchServlet.java       | 19 +++----
 .../ui/rendering/util/WeblogFeedRequest.java       |  7 ++-
 .../weblogger/ui/rendering/util/WeblogRequest.java | 10 ++--
 .../rendering/velocity/RollerResourceLoader.java   |  9 ++-
 .../ui/rendering/velocity/VelocityRenderer.java    | 55 +++---------------
 .../velocity/VelocityRendererFactory.java          | 21 +++----
 .../weblogger/ui/struts2/editor/EntryBean.java     | 10 ++--
 .../webservices/opensearch/OpenSearchServlet.java  | 66 +++++++++++-----------
 .../webservices/tagdata/TagDataServlet.java        | 58 +++++++++++++------
 app/src/main/webapp/WEB-INF/web.xml                | 17 +++++-
 14 files changed, 163 insertions(+), 147 deletions(-)

[roller] 09/09: escape html in weblog title + remove non alphanumeric chars in tags.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 8e09e8f9e82e796eb9cd8de2a894263218878159
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue Jun 22 02:15:11 2021 +0200

    escape html in weblog title + remove non alphanumeric chars in tags.
---
 .../apache/roller/weblogger/ui/struts2/editor/EntryBean.java   | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java
index 79f4f91..bbc0eab 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java
@@ -21,6 +21,7 @@ package org.apache.roller.weblogger.ui.struts2.editor;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.roller.weblogger.WebloggerException;
 import org.apache.roller.weblogger.business.WeblogEntryManager;
 import org.apache.roller.weblogger.business.WebloggerFactory;
@@ -28,6 +29,7 @@ import org.apache.roller.weblogger.pojos.WeblogCategory;
 import org.apache.roller.weblogger.pojos.WeblogEntry;
 import org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
 import org.apache.roller.weblogger.pojos.WeblogEntryAttribute;
+import org.apache.roller.weblogger.util.Utilities;
 
 import java.sql.Timestamp;
 import java.text.DateFormat;
@@ -45,7 +47,7 @@ import java.util.TimeZone;
  */
 public class EntryBean {
     
-    private static Log log = LogFactory.getLog(EntryBean.class);
+    private static final Log log = LogFactory.getLog(EntryBean.class);
     
     private String id = null;
     private String title = null;
@@ -290,12 +292,12 @@ public class EntryBean {
     
     public void copyTo(WeblogEntry entry) throws WebloggerException {
         
-        entry.setTitle(getTitle());
+        entry.setTitle(StringEscapeUtils.escapeHtml4(getTitle()));
         entry.setStatus(PubStatus.valueOf(getStatus()));
         entry.setLocale(getLocale());
         entry.setSummary(getSummary());
         entry.setText(getText());
-        entry.setTagsAsString(getTagsAsString());
+        entry.setTagsAsString(Utilities.replaceNonAlphanumeric(getTagsAsString(), ' '));
         entry.setSearchDescription(getSearchDescription());
         
         // figure out the category selected
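Review bot: `entry.setTitle(StringEscapeUtils.escapeHtml4(getTitle()))` persists the title already HTML-encoded, which makes encoding a property of the stored data rather than of the output context: any template that escapes the title on output will now emit `&amp;amp;`, and escapeHtml4 produces ISO-8859-1 named entities (e.g. `&eacute;`) that are not defined in XML, so non-HTML consumers of the title such as feeds would need to decode it first — whether they do is not visible here. The matching `unescapeHtml4` in copyFrom (the last hunk of this file) keeps the editor round trip consistent, but entries written by other paths presumably still hold raw titles, so readers cannot assume the field is encoded either way. A comment naming the invariant would help the next maintainer: `// title is stored HTML-escaped (escapeHtml4); copyFrom() unescapes it for editing`. Whether `Utilities.replaceNonAlphanumeric` tolerates a null tag string is also not visible, while the removed call passed `getTagsAsString()` straight through. copyTo continues past the hunk.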
@@ -337,7 +339,7 @@ public class EntryBean {
     public void copyFrom(WeblogEntry entry, Locale locale) {
         
         setId(entry.getId());
-        setTitle(entry.getTitle());
+        setTitle(StringEscapeUtils.unescapeHtml4(entry.getTitle()));
         setLocale(entry.getLocale());
         setStatus(entry.getStatus().name());
         setSummary(entry.getSummary());

[roller] 07/09: added error pages for 400 and 500 errors.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2fc77ed38902933e526bd39730f1ba9c4eed7d4e
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue May 18 03:12:29 2021 +0200

    added error pages for 400 and 500 errors.
---
 app/src/main/webapp/WEB-INF/web.xml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/app/src/main/webapp/WEB-INF/web.xml b/app/src/main/webapp/WEB-INF/web.xml
index 295dfaa..bd1a0ab 100644
--- a/app/src/main/webapp/WEB-INF/web.xml
+++ b/app/src/main/webapp/WEB-INF/web.xml
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
-         version="3.0">
+         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
+         version="4.0">
 
     <display-name>Roller Weblogger</display-name>
 
@@ -463,10 +463,21 @@
     </error-page>
 
     <error-page>
+        <error-code>500</error-code>
+        <location>/roller-ui/errors/error.jsp</location>
+    </error-page>
+
+    <error-page>
         <error-code>403</error-code>
         <location>/roller-ui/errors/403.jsp</location>
     </error-page>
 
+    <!-- 400 can reuse 404 template -->
+    <error-page>
+        <error-code>400</error-code>
+        <location>/roller-ui/errors/404.jsp</location>
+    </error-page>
+
     <error-page>
         <error-code>404</error-code>
         <location>/roller-ui/errors/404.jsp</location>
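Review bot: The new `<error-code>500</error-code>` mapping hands `error.jsp` the `javax.servlet.error.exception` and `javax.servlet.error.message` request attributes; the page should render a generic message and leave the exception to the server log, since a 500 is exactly the case where the message may carry internal detail. Reusing `404.jsp` for 400 is fine as long as that page does not echo `javax.servlet.error.request_uri` or `javax.servlet.error.message` unescaped, because for a 400 those now hold whatever the servlets passed to `sendError` and the URI the client sent. Neither JSP is in this diff, so this is to be confirmed. A comment on the 500 entry, e.g. `<!-- generic page only: do not expose exception details to the client -->`, would document the intent.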

[roller] 03/09: weblog handle validation.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 21c3c320b274c17eb3fe8a15d8b55c38d2eea4b2
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Mon Mar 22 04:52:02 2021 +0100

    weblog handle validation.
---
 .../business/jpa/JPAWeblogManagerImpl.java         | 22 +++++++++++++++++++---
 .../comments/CommentAuthenticatorUtils.java        |  8 +++++---
 .../ui/rendering/servlets/CommentServlet.java      |  6 ++----
 .../ui/rendering/servlets/SearchServlet.java       | 19 +++++++++----------
 4 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
index dc03c76..14530f5 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
@@ -362,11 +362,12 @@ public class JPAWeblogManagerImpl implements WeblogManager {
      * Return weblog specified by handle.
      */
     @Override
-    public Weblog getWeblogByHandle(String handle, Boolean visible)
-    throws WebloggerException {
+    public Weblog getWeblogByHandle(String handle, Boolean visible) throws WebloggerException {
         
-        if (handle==null) {
+        if (handle == null) {
             throw new WebloggerException("Handle cannot be null");
+        } else if (!isAlphanumeric(handle)) {
+            throw new WebloggerException("Invalid handle: '"+handle+"'");
         }
         
         // check cache first
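Review bot: `throw new WebloggerException("Invalid handle: '"+handle+"'")` embeds the rejected handle verbatim, and a handle that failed the character check may contain newlines, control characters or markup, so wherever this message is logged or shown (CommentAuthenticatorUtils logs the exception at debug level, SearchServlet catches `Exception` around its lookup) the content is request-controlled; consider omitting the value, e.g. `throw new WebloggerException("Invalid handle: non-alphanumeric characters");`, or truncating it. Callers that catch `WebloggerException` as a persistence failure now also receive it for a malformed request, so a documented contract in the Javadoc (`@throws WebloggerException if handle is null or contains characters other than letters, digits and '_'`) would let them map it to 400 rather than 500. getWeblogByHandle continues past the hunk.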
@@ -704,4 +705,19 @@ public class JPAWeblogManagerImpl implements WeblogManager {
         return results.get(0);
     }
 
+    /**
+     * Returns true if alphanumeric or '_'.
+     */
+    private boolean isAlphanumeric(String str) {
+        if (str == null) {
+            return false;
+        }
+        for (int i = 0; i < str.length(); i++) {
+            if (!Character.isLetterOrDigit(str.charAt(i)) && str.charAt(i) != '_') {
+                return false;
+            }
+        }
+        return true;
+    }
+
 }
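Review bot: `isAlphanumeric` accepts `_` in addition to letters and digits, while the handle checks added in the same push use `StringUtils.isAlphanumeric`, which rejects `_` (TagDataServlet's `"weblog".equals(pathInfo[0]) && StringUtils.isAlphanumeric(pathInfo[1])` and OpenSearchServlet's `pathInfo.length == 1 && StringUtils.isAlphanumeric(pathInfo[0])`), so a weblog whose handle contains an underscore is valid for the manager but unreachable through those two servlets. Both predicates are built on `Character.isLetterOrDigit`, so they accept letters of any script, not only ASCII; if handles are meant to be ASCII the check needs to say so. One shared definition (the `Utilities` class is already imported by both servlets) would keep the rule in one place. The Javadoc could state the full rule: `Returns true if every character is a letter, digit or '_' (per Character.isLetterOrDigit); an empty string passes.`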
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
index bb1ebe0..12a78f6 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
@@ -28,16 +28,18 @@ import javax.servlet.http.HttpServletRequest;
 import java.util.Locale;
 
 class CommentAuthenticatorUtils {
-    private static Log log = LogFactory.getLog(CommentAuthenticatorUtils.class);
+    private static final Log log = LogFactory.getLog(CommentAuthenticatorUtils.class);
 
     public static Locale getLocale(HttpServletRequest request) {
         String handle = request.getParameter("weblog");
         try {
             Weblog weblog = WebloggerFactory.getWeblogger().getWeblogManager().getWeblogByHandle(handle);
-            return weblog.getLocaleInstance();
+            if(weblog != null) {
+                return weblog.getLocaleInstance();
+            }
         } catch (WebloggerException e) {
             log.debug("Failed to determine weblog's locale. fallback to the locale of the request", e);
-            return request.getLocale();
         }
+        return request.getLocale();
     }
 }
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
index d8bb6bd..da50356 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
@@ -73,7 +73,7 @@ import org.apache.roller.weblogger.util.cache.CacheManager;
  */
 public class CommentServlet extends HttpServlet {
 
-    private static Log log = LogFactory.getLog(CommentServlet.class);
+    private static final Log log = LogFactory.getLog(CommentServlet.class);
 
     private CommentAuthenticator authenticator = null;
     private CommentValidationManager commentValidationManager = null;
@@ -202,9 +202,7 @@ public class CommentServlet extends HttpServlet {
         try {
             commentRequest = new WeblogCommentRequest(request);
 
-            // lookup weblog specified by comment request
-            weblog = WebloggerFactory.getWeblogger().getWeblogManager()
-                    .getWeblogByHandle(commentRequest.getWeblogHandle());
+            weblog = commentRequest.getWeblog();
 
             if (weblog == null) {
                 throw new WebloggerException("unable to lookup weblog: "
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
index 79c441f..729d3bb 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
@@ -59,7 +59,7 @@ public class SearchServlet extends HttpServlet {
 
     private static final long serialVersionUID = 6246730804167411636L;
 
-    private static Log log = LogFactory.getLog(SearchServlet.class);
+    private static final Log log = LogFactory.getLog(SearchServlet.class);
 
     // Development theme reloading
     Boolean themeReload = false;
@@ -87,20 +87,19 @@ public class SearchServlet extends HttpServlet {
 
         log.debug("Entering");
 
-        Weblog weblog = null;
-        WeblogSearchRequest searchRequest = null;
+        Weblog weblog;
+        WeblogSearchRequest searchRequest;
 
         // first off lets parse the incoming request and validate it
         try {
             searchRequest = new WeblogSearchRequest(request);
 
             // now make sure the specified weblog really exists
-            weblog = WebloggerFactory
-                    .getWeblogger()
-                    .getWeblogManager()
-                    .getWeblogByHandle(searchRequest.getWeblogHandle(),
-                            Boolean.TRUE);
-
+            weblog = searchRequest.getWeblog();
+            if (weblog == null) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found");
+                return;
+            }
         } catch (Exception e) {
             // invalid search request format or weblog doesn't exist
             log.debug("error creating weblog search request", e);
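Review bot: The replaced lookup passed `Boolean.TRUE` as the `visible` argument to `getWeblogByHandle`, whereas the new `weblog = searchRequest.getWeblog();` carries no such argument, so unless `WeblogSearchRequest.getWeblog()` (defined in a commit not shown here) applies the same visibility filter, search over a non-visible weblog becomes reachable again; this should be confirmed, or the filter restored by passing `Boolean.TRUE` as before. Separately, `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found")` reports a missing resource as a client syntax error; `SC_NOT_FOUND` is the conventional code, and the same choice appears in TagDataServlet and OpenSearchServlet in this push. Note that `sendError` is now called inside the `try` whose `catch (Exception e)` follows, so an `IllegalStateException` from an already-committed response would be handled as a request-parsing error. The enclosing method continues past the hunk.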
@@ -229,7 +228,7 @@ public class SearchServlet extends HttpServlet {
         }
 
         // lookup Renderer we are going to use
-        Renderer renderer = null;
+        Renderer renderer;
         try {
             log.debug("Looking up renderer");
             renderer = RendererManager.getRenderer(page, deviceType);

[roller] 01/09: TagDataServlet input validation.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 97cf6e7d66d186fca9c184e077d1f7bd013f3988
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Mon Mar 22 03:05:19 2021 +0100

    TagDataServlet input validation.
---
 .../webservices/tagdata/TagDataServlet.java        | 58 +++++++++++++++-------
 1 file changed, 41 insertions(+), 17 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
index 9d2fa31..5277319 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
@@ -26,6 +26,8 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.roller.weblogger.WebloggerException;
 import org.apache.roller.weblogger.business.URLStrategy;
 import org.apache.roller.weblogger.business.WeblogEntryManager;
@@ -44,7 +46,7 @@ import org.apache.roller.weblogger.util.Utilities;
  * These URLs are supported:
  * <ul>
  * <li>/roller-services/tagdata - get tag data for entire site</li>
- * <li>/roller-services/tagdata/weblogs/[handle] - get tag data for specific weblog</li>
+ * <li>/roller-services/tagdata/weblog/[handle] - get tag data for specific weblog</li>
  * </ul>
  * See the <a href="http://cwiki.apache.org/confluence/display/ROLLER/Proposal+Tag+Data+API">
  * Tag Data API</a> proposal for details.
@@ -70,36 +72,56 @@ public class TagDataServlet extends HttpServlet {
             HttpServletRequest request, HttpServletResponse response) 
             throws ServletException, IOException {
 
-        String[] pathInfo = new String[0];
-        boolean siteWide;
-        String handle;
-        String prefix;
-        String format = "json";
-        int page = 0;
-        
         // TODO: last modified or ETag support, caching, etc.
 
+        String[] pathInfo = new String[0];
+        
         if (request.getPathInfo() != null) {
             pathInfo = Utilities.stringToStringArray(request.getPathInfo(),"/");
         }
+        
+        boolean siteWide;
+        String handle;
+
         if (pathInfo.length == 0) {
             siteWide = true;
             // we'll use the front-page weblog to form URLs
             handle = WebloggerRuntimeConfig.getProperty("site.frontpage.weblog.handle");
-        } else if (pathInfo.length == 2 && "weblog".equals(pathInfo[0])) {
+        } else if (pathInfo.length == 2 && "weblog".equals(pathInfo[0]) && StringUtils.isAlphanumeric(pathInfo[1])) {
             siteWide = false;
             handle = pathInfo[1];
         } else {
             response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
             return;
         }
-        prefix = request.getParameter("prefix");
+
+        String prefix = request.getParameter("prefix");
+
+        if(prefix != null && !StringUtils.isAlphanumeric(prefix)) {
+            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
+            return;
+        }
+        
+        String format = "json";  // default
+        
         if (request.getParameter("format") != null) {
+            
             format = request.getParameter("format");
+            if(!format.equals("json") || !format.equals("xml")) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
+                return;
+            }
+        }
+        
+        int page = 0;
+        if(request.getParameter("page") != null) {
+            try {
+                page = Integer.parseInt(request.getParameter("page"));
+            } catch (NumberFormatException notIgnored) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
+                return;
+            }
         }
-        try {
-            page = Integer.parseInt(request.getParameter("page"));
-        } catch (Exception ignored) {}
 
         Weblogger roller = WebloggerFactory.getWeblogger();
         List<TagStat> tags;
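Review bot: `page` is parsed but never range-checked, and the next hunk computes `page * MAX` as the query offset, so a negative or very large `page` from the client reaches `emgr.getTags` as a negative or overflowed offset; add `if (page < 0) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL"); return; }` after the parse and consider an upper bound. `StringUtils.isAlphanumeric(prefix)` returns false for the empty string, so `?prefix=` is rejected with 400 while a missing prefix is accepted; `StringUtils.isEmpty(prefix) || StringUtils.isAlphanumeric(prefix)` would treat both as "no prefix". The `"Malformed URL"` message is reused for bad query-parameter values too; a distinct message per check would make client errors easier to diagnose. The `format` comparison in this hunk is corrected in commit 08/09 of this push. The enclosing method continues past the hunk.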
@@ -108,6 +130,10 @@ public class TagDataServlet extends HttpServlet {
             WeblogManager wmgr = roller.getWeblogManager();
             WeblogEntryManager emgr = roller.getWeblogEntryManager();
             weblog = wmgr.getWeblogByHandle(handle);
+            if(weblog == null) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found");
+                return;
+            }
             // get tags, if site-wide then don't specify weblog
             tags = emgr.getTags(siteWide ? null : weblog, null, prefix, page * MAX, MAX + 1);
 
@@ -119,8 +145,8 @@ public class TagDataServlet extends HttpServlet {
         if ("json".equals(format)) {
             response.setContentType("application/json; charset=utf-8");
             PrintWriter pw = response.getWriter();
-            pw.println("{ \"prefix\": \"" + (prefix == null ? "" : prefix) + "\",");
-            pw.println("  \"weblog\": \"" + (!siteWide ? handle : "") + "\",");
+            pw.println("{ \"prefix\": \"" + (prefix == null ? "" : StringEscapeUtils.escapeJson(prefix)) + "\",");
+            pw.println("  \"weblog\": \"" + (!siteWide ? weblog.getHandle() : "") + "\",");
             pw.println("  \"tagcounts\": [" );
             int count = 0;
             for (Iterator it = tags.iterator(); it.hasNext();) {
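Review bot: `escapeJson` is now applied to `prefix`, but the tag names written in the loop that starts at `for (Iterator it = tags.iterator(); it.hasNext();)` are outside this hunk, and tags stored before the editor-side stripping in commit 09/09 (or written by other paths) may still contain quotes or backslashes, so each tag name should go through `StringEscapeUtils.escapeJson` as well; the XML branch needs the matching `escapeXml11`. The handle is emitted via `weblog.getHandle()` without escaping, which is acceptable only because `StringUtils.isAlphanumeric(pathInfo[1])` earlier in this method rejects anything else — a comment, `// handle passed the alphanumeric check above, no JSON escaping needed`, would tie the two together. Style: `Iterator it` is a raw type; `for (TagStat tag : tags)` avoids it. The loop body and the XML branch continue past the hunk.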
@@ -177,8 +203,6 @@ public class TagDataServlet extends HttpServlet {
             }
             pw.println("</categories>");
             response.flushBuffer();
-        } else {
-            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
         }
     }
 }

[roller] 05/09: Exception handling can be simplified since velocity is now throwing subtypes of VelocityException.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 89ec086fc031c082f345dd7548bac76afda4aba7
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue May 18 02:24:49 2021 +0200

    Exception handling can be simplified since velocity is now throwing subtypes of VelocityException.
---
 .../ui/rendering/velocity/VelocityRenderer.java    | 55 +++-------------------
 1 file changed, 7 insertions(+), 48 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRenderer.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRenderer.java
index e348a84..3ea45ba 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRenderer.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRenderer.java
@@ -32,8 +32,6 @@ import org.apache.roller.weblogger.ui.rendering.mobile.MobileDeviceRepository;
 import org.apache.roller.weblogger.ui.rendering.model.UtilitiesModel;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.context.Context;
-import org.apache.velocity.exception.MethodInvocationException;
-import org.apache.velocity.exception.ParseErrorException;
 import org.apache.velocity.exception.ResourceNotFoundException;
 import org.apache.velocity.exception.VelocityException;
 
@@ -42,11 +40,11 @@ import org.apache.velocity.exception.VelocityException;
  */
 public class VelocityRenderer implements Renderer {
 
-    private static Log log = LogFactory.getLog(VelocityRenderer.class);
+    private static final Log log = LogFactory.getLog(VelocityRenderer.class);
 
     // the original template we are supposed to render
-    private Template renderTemplate = null;
-    private MobileDeviceRepository.DeviceType deviceType = null;
+    private final Template renderTemplate;
+    private final MobileDeviceRepository.DeviceType deviceType;
 
     // the velocity templates
     private org.apache.velocity.Template velocityTemplate = null;
@@ -77,34 +75,13 @@ public class VelocityRenderer implements Renderer {
             // failed
             throw ex;
 
-        } catch (ParseErrorException ex) {
-            // in the case of a parsing error we want to render an
-            // error page instead so the user knows what was wrong
-            velocityException = ex;
-
-            // need to lookup error page template
-            velocityTemplate = RollerVelocity.getTemplate("error-page.vm",
-                    deviceType);
-
-        } catch (MethodInvocationException ex) {
-
-            // in the case of a invocation error we want to render an
-            // error page instead so the user knows what was wrong
-            velocityException = ex;
-
-            // need to lookup error page template
-            velocityTemplate = RollerVelocity.getTemplate("error-page.vm",
-                    deviceType);
-
         } catch (VelocityException ex) {
-
-            // in the case of a parsing error including a macro we want to
-            // render an error page instead so the user knows what was wrong
+            // in the case of a velocity error we want to render an
+            // error page instead so the user knows what was wrong
             velocityException = ex;
 
             // need to lookup error page template
-            velocityTemplate = RollerVelocity.getTemplate("error-page.vm",
-                    deviceType);
+            velocityTemplate = RollerVelocity.getTemplate("error-page.vm", deviceType);
 
         } catch (Exception ex) {
             // some kind of generic/unknown exception, dump it to the logs
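Review bot: The collapsed `catch (VelocityException ex)` still stores the exception for the error page, and since `ResourceNotFoundException`, `ParseErrorException` and `MethodInvocationException` all extend `VelocityException`, the `ResourceNotFoundException` branch must stay ahead of it (the `throw ex;` at the top of the hunk appears to be that branch); a short comment, `// ResourceNotFoundException is a VelocityException subtype: keep its catch first`, would protect the ordering. The error page renders `velocityException` to the requester; a parse error message includes the template name and position, and a `MethodInvocationException` wraps whatever the invoked method threw, so `error-page.vm` should show those details only to users who can edit the template, which this diff cannot confirm. The second hunk in this file (the `renderException(model, out, ...)` path) has the same shape. Both enclosing methods start before their hunks.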
@@ -172,27 +149,9 @@ public class VelocityRenderer implements Renderer {
             log.debug("Rendered [" + renderTemplate.getId() + "] in "
                     + renderTime + " secs");
 
-        } catch (ParseErrorException ex) {
-
-            // in the case of a parsing error including a page we want to render
-            // an error on the page instead so the user knows what was wrong
-            velocityException = ex;
-
-            // need to lookup parse error template
-            renderException(model, out, "error-parse.vm");
-
-        } catch (MethodInvocationException ex) {
-
-            // in the case of a parsing error including a page we want to render
-            // an error on the page instead so the user knows what was wrong
-            velocityException = ex;
-
-            // need to lookup parse error template
-            renderException(model, out, "error-parse.vm");
-
         } catch (VelocityException ex) {
 
-            // in the case of a parsing error including a macro we want to
+            // in the case of a velocity error including a page we want to
             // render an error page instead so the user knows what was wrong
             velocityException = ex;
 

[roller] 08/09: fix: this should be && not ||.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit f816257ce3517369dcf5aac844722bb92c2648e2
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Sun Jun 6 16:41:56 2021 +0200

    fix: this should be && not ||.
---
 .../org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
index 5277319..a281bcd 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/tagdata/TagDataServlet.java
@@ -107,7 +107,7 @@ public class TagDataServlet extends HttpServlet {
         if (request.getParameter("format") != null) {
             
             format = request.getParameter("format");
-            if(!format.equals("json") || !format.equals("xml")) {
+            if(!format.equals("json") && !format.equals("xml")) {
                 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
                 return;
             }
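Review bot: With the condition fixed, the rejection message `"Malformed URL"` still describes a bad query-parameter value as a URL problem; `"Unsupported format, expected json or xml"` names the actual cause without echoing the client value. The comparison is also case-sensitive, so `format=JSON` is rejected — fine if intended, but worth a comment: `// format values are case-sensitive`. The enclosing method continues outside the hunk.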

[roller] 02/09: OpenSearchServlet input validation.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 2c68105e781492236857ef45e6960bb7736e0d45
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue May 18 03:08:41 2021 +0200

    OpenSearchServlet input validation.
---
 .../ui/rendering/servlets/FeedServlet.java         |  2 +-
 .../webservices/opensearch/OpenSearchServlet.java  | 66 +++++++++++-----------
 2 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
index e9fbda1..c05bdfd 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
@@ -55,7 +55,7 @@ import org.apache.roller.weblogger.ui.rendering.util.ModDateHeaderUtil;
  */
 public class FeedServlet extends HttpServlet {
 
-    private static Log log = LogFactory.getLog(FeedServlet.class);
+    private static final Log log = LogFactory.getLog(FeedServlet.class);
 
     private WeblogFeedCache weblogFeedCache = null;
     private SiteWideCache siteWideCache = null;
diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
index 9d31a97..fe8e7b5 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
@@ -23,7 +23,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.roller.weblogger.WebloggerException;
 import org.apache.roller.weblogger.business.URLStrategy;
 import org.apache.roller.weblogger.business.WebloggerFactory;
@@ -31,10 +31,11 @@ import org.apache.roller.weblogger.config.WebloggerRuntimeConfig;
 import org.apache.roller.weblogger.pojos.Weblog;
 import org.apache.roller.weblogger.util.Utilities;
 
+import static org.apache.commons.text.StringEscapeUtils.escapeXml11;
 
 /**
  * Return OpenSearch descriptor that describes Roller's search facilities.
- * For more informaton see the 
+ * For more information see the 
  * <a href="http://cwiki.apache.org/confluence/display/ROLLER/Proposal+OpenSearch">OpenSearch proposal</a>.
  * @author Dave Johnson (<a href="mailto:davidm.johnson@sun.com">davidm.johnson@sun.com</a>)
  */
@@ -46,18 +47,19 @@ public class OpenSearchServlet extends HttpServlet {
             throws ServletException, IOException {
         
         String[] pathInfo = new String[0];
-        String handle = null;
         
         // Will return descriptor for searching specified blog
         if (request.getPathInfo() != null) {
             pathInfo = Utilities.stringToStringArray(request.getPathInfo(), "/");
         }
 
+        String handle;
+
         if (pathInfo.length == 0) {
             // URL format: [context]/roller-services/opensearch
             handle = WebloggerRuntimeConfig.getProperty("site.frontpage.weblog.handle");
 
-        } else if (pathInfo.length == 1) {
+        } else if (pathInfo.length == 1 && StringUtils.isAlphanumeric(pathInfo[0])) {
             // URL format: [context]/roller-services/opensearch/[weblog-handle]
             handle = pathInfo[0];
 
@@ -65,43 +67,44 @@ public class OpenSearchServlet extends HttpServlet {
             response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
             return;
         }
-
-        String shortName = null;
-        String description = null;
-        String contact = null;
-        String searchFeed = null;
-        String searchPage = null;
         
-        URLStrategy strat = WebloggerFactory.getWeblogger().getUrlStrategy();
-        Weblog weblog = null;
+        Weblog weblog;
+
         try {
             weblog = WebloggerFactory.getWeblogger().getWeblogManager().getWeblogByHandle(handle);
+            if (weblog == null) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found");
+                return;
+            }
         } catch (WebloggerException ex) {
-            throw new ServletException("ERROR: fetching specified weblog");
+            throw new ServletException("ERROR: fetching specified weblog", ex);
         }
-        searchPage = StringEscapeUtils.escapeXml11(
-                strat.getWeblogSearchPageURLTemplate(weblog));
-        searchFeed = StringEscapeUtils.escapeXml11(
-                strat.getWeblogSearchFeedURLTemplate(weblog));
 
-        boolean siteWide = WebloggerRuntimeConfig.isSiteWideWeblog(handle);
-        if (siteWide) {
-            shortName = "[Search Descriptor] " + StringEscapeUtils.escapeXml11(
-                    WebloggerRuntimeConfig.getProperty("site.shortName"));
-            description = StringEscapeUtils.escapeXml11(
-                    WebloggerRuntimeConfig.getProperty("site.description"));
-            contact = StringEscapeUtils.escapeXml11(
-                    WebloggerRuntimeConfig.getProperty("site.adminemail"));
-                    
+        String shortName;
+        String description;
+        String contact;
+        String searchFeed;
+        String searchPage;
+
+        URLStrategy strat = WebloggerFactory.getWeblogger().getUrlStrategy();
+        searchPage = escapeXml11(strat.getWeblogSearchPageURLTemplate(weblog));
+        searchFeed = escapeXml11(strat.getWeblogSearchFeedURLTemplate(weblog));
+
+        if (WebloggerRuntimeConfig.isSiteWideWeblog(handle)) {
+
+            shortName = "[Search Descriptor] " + escapeXml11(WebloggerRuntimeConfig.getProperty("site.shortName"));
+            description = escapeXml11(WebloggerRuntimeConfig.getProperty("site.description"));
+            contact = escapeXml11(WebloggerRuntimeConfig.getProperty("site.adminemail"));
+
         } else {
-            shortName = StringEscapeUtils.escapeXml11(weblog.getName());
-            description = StringEscapeUtils.escapeXml11(weblog.getTagline());
-            contact = StringEscapeUtils.escapeXml11(weblog.getEmailAddress());
+            shortName = escapeXml11(weblog.getName());
+            description = escapeXml11(weblog.getTagline());
+            contact = escapeXml11(weblog.getEmailAddress());
         }
 
         response.setContentType("application/opensearchdescription+xml");
         
-        PrintWriter pw = new PrintWriter(response.getWriter());
+        PrintWriter pw = response.getWriter();
         pw.println("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
         pw.println("<OpenSearchDescription xmlns=\"http://a9.com/-/spec/opensearch/1.1/\">");
         pw.println("   <ShortName>" + shortName + "</ShortName>");
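Review bot: The new `Weblog not found` branch after getWeblogByHandle answers with SC_BAD_REQUEST, which conflates an unknown handle with the malformed-URL case rejected just above it; `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Weblog not found");` is the conventional status and lets access-log monitoring distinguish handle enumeration from broken clients. The `handle` taken from `site.frontpage.weblog.handle` in the length-0 branch is not null-checked before the lookup; whether getWeblogByHandle tolerates a null handle is not visible here, so if it does not, a missing property surfaces as a ServletException rather than a clear error. The enclosing method starts outside this hunk.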
@@ -112,8 +115,7 @@ public class OpenSearchServlet extends HttpServlet {
         pw.println("   <Url type=\"text/html\" ");
         pw.println("      template=\"" + searchPage + "\"/>");
         pw.println("</OpenSearchDescription>");
-        pw.flush();            
-        pw.close();
+        pw.flush();
     }
 }
 

[roller] 04/09: WeblogRequest and WeblogFeedRequest input validation.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit 253c309fa8fedf86230b71a5c6a89d41f65330c8
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue May 18 03:04:56 2021 +0200

    WeblogRequest and WeblogFeedRequest input validation.
---
 .../roller/weblogger/ui/rendering/util/WeblogFeedRequest.java  |  7 +++++--
 .../roller/weblogger/ui/rendering/util/WeblogRequest.java      | 10 +++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
index 7b788a7..5a10855 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
@@ -22,6 +22,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
@@ -43,7 +44,7 @@ import org.apache.roller.weblogger.util.Utilities;
  */
 public class WeblogFeedRequest extends WeblogRequest {
     
-    private static Log log = LogFactory.getLog(WeblogFeedRequest.class);
+    private static final Log log = LogFactory.getLog(WeblogFeedRequest.class);
     
     private static final String FEED_SERVLET = "/roller-ui/rendering/feed";
     
@@ -97,7 +98,9 @@ public class WeblogFeedRequest extends WeblogRequest {
         if(pathInfo != null && pathInfo.trim().length() > 1) {
             
             String[] pathElements = pathInfo.split("/");
-            if(pathElements.length == 2) {
+            if(pathElements.length == 2
+                    && StringUtils.isAlphanumeric(pathElements[0])
+                    && StringUtils.isAlphanumeric(pathElements[1])) {
                 this.type = pathElements[0];
                 this.format = pathElements[1];
             } else {
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
index 2e8468c..37fa6d8 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
@@ -20,6 +20,7 @@ package org.apache.roller.weblogger.ui.rendering.util;
 
 import java.util.Locale;
 import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
@@ -48,7 +49,7 @@ import org.apache.roller.weblogger.pojos.Weblog;
  */
 public class WeblogRequest extends ParsedRequest {
     
-    private static Log log = LogFactory.getLog(WeblogRequest.class);
+    private static final Log log = LogFactory.getLog(WeblogRequest.class);
     
     // lightweight attributes
     private String weblogHandle = null;
@@ -85,12 +86,11 @@ public class WeblogRequest extends ParsedRequest {
             }
             
             String[] pathElements = path.split("/", 2);
-            if(!pathElements[0].isBlank()) {
+            if(StringUtils.isAlphanumeric(pathElements[0])) {
                 this.weblogHandle = pathElements[0];
             } else {
-                // no weblogHandle in path info
-                throw new InvalidRequestException("not a weblog request, "+
-                        request.getRequestURL());
+                // no or invalid weblogHandle in path info
+                throw new InvalidRequestException("not a valid weblog request: "+request.getRequestURL());
             }
             
             // if there is more left of the path info then hold onto it

[roller] 06/09: exception handling / logging.

Posted by mb...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mbien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/roller.git

commit b4985671aa7a4c097bb742caa2473ae0451c2fa6
Author: Michael Bien <mb...@gmail.com>
AuthorDate: Tue May 18 03:02:04 2021 +0200

    exception handling / logging.
---
 .../ui/rendering/velocity/RollerResourceLoader.java |  9 ++++-----
 .../rendering/velocity/VelocityRendererFactory.java | 21 +++++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/RollerResourceLoader.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/RollerResourceLoader.java
index e81bf06..4159c64 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/RollerResourceLoader.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/RollerResourceLoader.java
@@ -46,7 +46,7 @@ import org.apache.velocity.util.ExtProperties;
  */
 public class RollerResourceLoader extends ResourceLoader {
 
-	private static Log logger = LogFactory.getLog(RollerResourceLoader.class);
+	private static final Log logger = LogFactory.getLog(RollerResourceLoader.class);
 
     @Override
 	public void init(ExtProperties configuration) {
@@ -105,15 +105,14 @@ public class RollerResourceLoader extends ResourceLoader {
 		} catch (UnsupportedEncodingException uex) {
 			// This should never actually happen. We expect UTF-8 in all JRE
 			// installation.
-			// This rethrows as a Runtime exception after logging.
-			logger.error(uex);
+//			logger.error(uex);
 			throw new RuntimeException(uex);
 
 		} catch (WebloggerException | ResourceNotFoundException re) {
 			String msg = "RollerResourceLoader Error: "
 					+ "database problem trying to load resource " + name;
-			logger.error(msg, re);
-			throw new ResourceNotFoundException(msg);
+//			logger.error(msg, re);
+			throw new ResourceNotFoundException(msg, re);
 		}
 	}
 
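Review bot: Both catch blocks now keep the old logging as commented-out code (`//			logger.error(uex);` and `//			logger.error(msg, re);`); dead code should be deleted rather than commented, particularly since the rethrows now attach the cause so nothing is lost for whoever logs upstream. Replace each with a short why-comment such as `// not logged here: cause is propagated and logged by the caller`, which records the intent the factory-side catch appears to rely on. The enclosing method begins above this hunk.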
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRendererFactory.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRendererFactory.java
index 631f573..62f55d2 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRendererFactory.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/velocity/VelocityRendererFactory.java
@@ -28,44 +28,45 @@ import org.apache.roller.weblogger.pojos.TemplateRendition.TemplateLanguage;
 import org.apache.roller.weblogger.ui.rendering.Renderer;
 import org.apache.roller.weblogger.ui.rendering.RendererFactory;
 import org.apache.roller.weblogger.ui.rendering.mobile.MobileDeviceRepository;
+import org.apache.velocity.exception.ResourceNotFoundException;
 
 
 /**
  * RendererFactory for Velocity, creates VelocityRenderers.
  */
 public class VelocityRendererFactory implements RendererFactory {
-    private static Log log = LogFactory.getLog(VelocityRendererFactory.class);
+    private static final Log log = LogFactory.getLog(VelocityRendererFactory.class);
     
     @Override
     public Renderer getRenderer(Template template, 
 			MobileDeviceRepository.DeviceType deviceType) {
-        Renderer renderer = null;
-        TemplateRendition tr;
 
+        // nothing we can do with null values
         if (template == null || template.getId() == null) {
             return null;
         }
 
-        // nothing we can do with null values
+        TemplateRendition tr;
         try {
             tr = template.getTemplateRendition(RenditionType.STANDARD);
+            if (tr == null) {
+                return null;
+            }
         } catch (WebloggerException e) {
             return null;
         }
 
-        if (tr == null) {
-            return null;
-        }
+        Renderer renderer = null;
         
         if (TemplateLanguage.VELOCITY.equals(tr.getTemplateLanguage())) {
             // standard velocity template
             try {
                renderer = new VelocityRenderer(template, deviceType);
+            } catch (ResourceNotFoundException ex) {
+                // allready logged in VelocityRenderer
             } catch(Exception ex) {
-				log.error("ERROR creating VelocityRenderer", ex);
                 // some kind of exception so we don't have a renderer
-                // we do catching/logging in VelocityRenderer constructor
-                return null;
+				log.error("ERROR creating VelocityRenderer", ex);
             }            
         }
         return renderer;
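Review bot: The empty `catch (ResourceNotFoundException ex)` leaves an unused variable and a misspelled justification; the conventional form is `} catch (ResourceNotFoundException ignored) {` with `// already logged in VelocityRenderer`. Since the sibling commit comments out the logger.error calls in RollerResourceLoader, it is worth confirming that VelocityRenderer really does log this case before the exception is swallowed here, otherwise a missing template disappears silently. The re-added `log.error` in the general `catch(Exception ex)` is tab-indented in an otherwise space-indented method; reindent it to match.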