Posted to commits@sling.apache.org by ra...@apache.org on 2020/01/28 15:19:46 UTC

[sling-org-apache-sling-xss] branch master updated: SLING-9035 - The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed under a custom context path

This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git


The following commit(s) were added to refs/heads/master by this push:
     new 08aac0f  SLING-9035 - The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed under a custom context path
08aac0f is described below

commit 08aac0f66c92119b3c3f54c7ff8a356dd5374df6
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Tue Jan 28 16:19:30 2020 +0100

    SLING-9035 - The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed under a custom context path
    
    * make the plugin extract the console path (including context path) from the URI instead of hard-coding a value
---
 .../XSSProtectionAPIWebConsolePlugin.java          | 46 +++++++++++-----------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java b/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
index 74161d0..0293aed 100644
--- a/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
+++ b/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
@@ -70,12 +70,12 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
     static final String LABEL = "xssprotection";
     static final String TITLE= "XSS Protection";
 
-    private static final String URI_ROOT = "/system/console/" + LABEL;
-    private static final String URI_CONFIG_XHR = URI_ROOT + "/config.xhr";
-    private static final String URI_BLOCKED_XHR = URI_ROOT + "/blocked.json";
-    private static final String URI_CONFIG_XML = URI_ROOT + "/config.xml";
+    private static final String PLUGIN_ROOT_PATH = "/" + LABEL;
+    private static final String URI_CONFIG_XHR = PLUGIN_ROOT_PATH + "/config.xhr";
+    private static final String URI_BLOCKED_XHR = PLUGIN_ROOT_PATH + "/blocked.json";
+    private static final String URI_CONFIG_XML = PLUGIN_ROOT_PATH + "/config.xml";
     private static final String INTERNAL_RESOURCES_FOLDER = "/webconsole";
-    private static final String RES_ROOT = URI_ROOT + INTERNAL_RESOURCES_FOLDER;
+    private static final String RES_ROOT = PLUGIN_ROOT_PATH + INTERNAL_RESOURCES_FOLDER;
     private static final String RES_URI_PRETTIFY_CSS = RES_ROOT + "/prettify.css";
     private static final String RES_URI_PRETTIFY_JS = RES_ROOT + "/prettify.js";
     private static final String RES_URI_XSS_CSS = RES_ROOT + "/xss.css";
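Review bot: The renamed constants from `PLUGIN_ROOT_PATH` down through `RES_URI_XSS_CSS` changed meaning from absolute URIs to paths relative to the web console mount point, but nothing in the declarations says so, and every emitter now has to remember to prefix them. A one-line comment above `PLUGIN_ROOT_PATH` would prevent the next caller from writing a bare constant into a link: `// Paths below are relative to the web console root (request.getPathInfo() form); prefix with the per-request console root before emitting them as URLs.` The rest of the constant list continues outside the hunk.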
@@ -96,29 +96,31 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
             RES_URI_CONFIG_JS));
 
     @Override
-    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        String file = FilenameUtils.getName(request.getRequestURI());
-        if (file != null && CSS_RESOURCES.contains(request.getRequestURI())) {
-            streamResource(response, file, "text/css");
-        } else if (file != null && JS_RESOURCES.contains(request.getRequestURI())) {
-            streamResource(response, file, "application/javascript");
-        } else if (URI_CONFIG_XHR.equalsIgnoreCase(request.getRequestURI()) && xssFilter != null) {
-            writeAntiSamyConfiguration(response);
-        } else if (URI_CONFIG_XML.equalsIgnoreCase(request.getRequestURI()) && xssFilter != null) {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+        String pluginResource = request.getPathInfo();
+        String consoleRoot = request.getRequestURI().substring(0, request.getRequestURI().indexOf(pluginResource));
+        if (CSS_RESOURCES.contains(pluginResource)) {
+            streamResource(response, FilenameUtils.getName(pluginResource), "text/css");
+        } else if (JS_RESOURCES.contains(pluginResource)) {
+            streamResource(response, FilenameUtils.getName(pluginResource), "application/javascript");
+        } else if (URI_CONFIG_XHR.equalsIgnoreCase(pluginResource) && xssFilter != null) {
+            writeAntiSamyConfiguration(consoleRoot, response);
+        } else if (URI_CONFIG_XML.equalsIgnoreCase(pluginResource) && xssFilter != null) {
             streamAntiSamyConfiguration(response);
-        } else if (URI_BLOCKED_XHR.equalsIgnoreCase(request.getRequestURI())) {
+        } else if (URI_BLOCKED_XHR.equalsIgnoreCase(pluginResource)) {
             generateInvalidUrlsJSONReport(response);
         } else {
             try {
                 PrintWriter printWriter = response.getWriter();
-                printWriter.printf(LINK_TAG, RES_URI_XSS_CSS);
-                printWriter.printf(SCRIPT_TAG, RES_URI_XSS_JS);
+                printWriter.printf(LINK_TAG, consoleRoot + RES_URI_XSS_CSS);
+                printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_XSS_JS);
                 printWriter.println("<div id='xss-tabs'>");
                 printWriter.println("<ul>");
                 printWriter.println("<li id='blocked-tab'><a href='#blocked'><span>Status</span></a></li>");
                 if (xssFilter != null) {
                     printWriter.println(
-                            String.format("<li id='config-tab'><a href='%s'><span>Active Configuration</span></a></li>", URI_CONFIG_XHR));
+                            String.format("<li id='config-tab'><a href='%s'><span>Active Configuration</span></a></li>",
+                                    consoleRoot + URI_CONFIG_XHR));
                 }
                 printWriter.println("</ul>");
                 printWriter.println("<div id='blocked'>");
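Review bot: The `String consoleRoot = request.getRequestURI().substring(0, request.getRequestURI().indexOf(pluginResource));` line throws NullPointerException when `getPathInfo()` returns null (a servlet is allowed to see that for a request with no extra path) and picks the wrong prefix if the path-info text also occurs earlier in the URI; the container already exposes the mount point, so `String consoleRoot = request.getContextPath() + request.getServletPath();` avoids both problems, assuming the web console does not rewrite those values for plugins (worth verifying). A null guard before the dispatch chain is also cheap: `if (pluginResource == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND); return; }`. Note that `consoleRoot` is written unescaped into `href`/`src` attributes here and in `writeAntiSamyConfiguration` in the next hunk, and the raw request URI still carries path parameters such as `;jsessionid=...`, so taking the value from the container mapping rather than the raw URI is also the safer source; if the plugin can reach the bundle's own XSSAPI, `encodeForHTMLAttr` on the emitted value would be the belt-and-braces step. doGet continues past the end of the hunk.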
@@ -169,17 +171,17 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
 
     }
 
-    private void writeAntiSamyConfiguration(HttpServletResponse response) {
+    private void writeAntiSamyConfiguration(String consoleRoot, HttpServletResponse response) {
         response.setContentType("text/html");
         XSSFilterImpl xssFilterImpl = (XSSFilterImpl) xssFilter;
         XSSFilterImpl.AntiSamyPolicy antiSamyPolicy = xssFilterImpl.getActivePolicy();
         if (antiSamyPolicy != null) {
             try {
                 PrintWriter printWriter = response.getWriter();
-                printWriter.printf(SCRIPT_TAG, RES_URI_CONFIG_JS);
+                printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_CONFIG_JS);
                 printWriter.write("<div id='config'>");
-                printWriter.printf(LINK_TAG, RES_URI_PRETTIFY_CSS);
-                printWriter.printf(SCRIPT_TAG, RES_URI_PRETTIFY_JS);
+                printWriter.printf(LINK_TAG, consoleRoot + RES_URI_PRETTIFY_CSS);
+                printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_PRETTIFY_JS);
                 printWriter.write("<p class='statline ui-state-highlight'>The current AntiSamy configuration ");
                 if (antiSamyPolicy.isEmbedded()) {
                     printWriter.write("is the default one embedded in the org.apache.sling.xss bundle.");
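Review bot: The new `consoleRoot` parameter on `writeAntiSamyConfiguration` is undocumented, and its contract matters because the value is written straight into `href`/`src` attributes on the lines that emit `RES_URI_CONFIG_JS`, `RES_URI_PRETTIFY_CSS` and `RES_URI_PRETTIFY_JS`. A Javadoc on the method should state: `@param consoleRoot web console mount point (context path plus console path) prepended to the plugin-relative resource paths; emitted unescaped into HTML attributes, so callers must pass a container-derived value, not user input`. The method body continues outside the hunk.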