Posted to commits@cloudstack.apache.org by hu...@apache.org on 2014/11/18 14:41:29 UTC

git commit: updated refs/heads/master to 7e58a27

Repository: cloudstack
Updated Branches:
  refs/heads/master 302d5195d -> 7e58a278a


CID-1232335/CID-1232336 Fix potential XSS

Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7e58a278
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7e58a278
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7e58a278

Branch: refs/heads/master
Commit: 7e58a278a0a6dc8af1759ea73287a7548e728557
Parents: 302d519
Author: Hugo Trippaers <ht...@schubergphilis.com>
Authored: Tue Nov 18 14:40:13 2014 +0100
Committer: Hugo Trippaers <ht...@schubergphilis.com>
Committed: Tue Nov 18 14:40:13 2014 +0100

----------------------------------------------------------------------
 .../bridge/service/controller/s3/S3BucketAction.java     | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/7e58a278/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
----------------------------------------------------------------------
diff --git a/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java b/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
index 6f6f12f..a0077a9 100644
--- a/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
+++ b/awsapi/src/com/cloud/bridge/service/controller/s3/S3BucketAction.java
@@ -24,6 +24,7 @@ import java.io.OutputStream;
 import java.io.Reader;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.Calendar;
 
@@ -649,12 +650,12 @@ public class S3BucketAction implements ServletAction {
         if (null == keyMarker)
             xml.append("<KeyMarker/>");
         else
-            xml.append("<KeyMarker>").append(keyMarker).append("</KeyMarker");
+            xml.append("<KeyMarker>").append(StringEscapeUtils.escapeHtml(keyMarker)).append("</KeyMarker");
 
         if (null == versionIdMarker)
             xml.append("<VersionIdMarker/>");
         else
-            xml.append("<VersionIdMarker>").append(StringEscapeUtils.escapeHtml(keyMarker)).append("</VersionIdMarker");
+            xml.append("<VersionIdMarker>").append(StringEscapeUtils.escapeHtml(versionIdMarker)).append("</VersionIdMarker");
 
         xml.append("<MaxKeys>").append(engineResponse.getMaxKeys()).append("</MaxKeys>");
         xml.append("<IsTruncated>").append(engineResponse.isTruncated()).append("</IsTruncated>");
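Review bot: Both escaped lines still emit malformed closing tags — `</KeyMarker` and `</VersionIdMarker` lack the trailing `>`, so the response XML is ill-formed whatever the marker contains; they should read `.append("</KeyMarker>")` and `.append("</VersionIdMarker>")`. Separately, `StringEscapeUtils.escapeHtml` is an HTML escaper: for non-ASCII input it produces named HTML entities that are not defined in XML, so a strict XML consumer of this S3 listing may reject the document even though script injection is now prevented; `StringEscapeUtils.escapeXml(keyMarker)` emits only the predefined XML entities and is the right call for element content. The same escaper choice applies to the `<Bucket>`, `<KeyMarker>` and `<UploadIdMarker>` lines in the last hunk of this file. The enclosing method starts and ends outside this hunk.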
@@ -958,7 +959,7 @@ public class S3BucketAction implements ServletAction {
             OrderedPair<S3MultipartUpload[], Boolean> result = uploadDao.getInitiatedUploads(bucketName, maxUploads, prefix, keyMarker, uploadIdMarker);
             uploads = result.getFirst();
             isTruncated = result.getSecond().booleanValue();
-        } catch (Exception e) {
+        } catch (InstantiationException | IllegalAccessException | ClassNotFoundException | SQLException e) {
             logger.error("List Multipart Uploads failed due to " + e.getMessage(), e);
             response.setStatus(500);
         }
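Review bot: Narrowing the catch to the four listed checked exceptions changes failure handling: any unchecked exception raised by `uploadDao.getInitiatedUploads` (a persistence-layer runtime error, for instance) previously logged and returned 500 here, but now propagates out of the method with neither the log line nor `response.setStatus(500)`. If the old "500 on any lookup failure" behaviour is still wanted, that case needs a handler too — either `| RuntimeException e` in this multi-catch or a confirmed handler in the caller; if the propagation is intentional, a one-line comment saying so would stop the next reader from re-widening it. The enclosing method begins and ends outside this hunk, so the caller's handling cannot be confirmed from here.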
@@ -966,9 +967,9 @@ public class S3BucketAction implements ServletAction {
         StringBuffer xml = new StringBuffer();
         xml.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
         xml.append("<ListMultipartUploadsResult xmlns=\"http://s3.amazonaws.com/doc/2006-03-01/\">");
-        xml.append("<Bucket>").append(bucketName).append("</Bucket>");
+        xml.append("<Bucket>").append(StringEscapeUtils.escapeHtml(bucketName)).append("</Bucket>");
         xml.append("<KeyMarker>").append((null == keyMarker ? "" : StringEscapeUtils.escapeHtml(keyMarker))).append("</KeyMarker>");
-        xml.append("<UploadIdMarker>").append((null == uploadIdMarker ? "" : uploadIdMarker)).append("</UploadIdMarker>");
+        xml.append("<UploadIdMarker>").append((null == uploadIdMarker ? "" : StringEscapeUtils.escapeHtml(uploadIdMarker))).append("</UploadIdMarker>");
 
         // [C] Construct the contents of the <Upload> element
         StringBuffer partsList = new StringBuffer();