
commit d62e81c7e75f617cf01d2a75952a2c857758f8c4
Author: Olivier Lamy <[email protected]>
AuthorDate: Tue Mar 14 16:51:46 2023 +1000

    better testing of characters
    
    Signed-off-by: Olivier Lamy <[email protected]>
---
 .../archiva/web/api/DefaultFileUploadService.java  | 29 ++++++++++++++--------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index 83b3a3e6f..7bdf53ab3 100644
--- 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -262,6 +262,15 @@ public class DefaultFileUploadService
         if (checkString.contains("/..")) {
             return false;
         }
+        if (checkString.contains("<")) {
+            return false;
+        }
+        if (checkString.contains(">")) {
+            return false;
+        }
+        if (checkString.contains("&")) {
+            return false;
+        }
         return true;
     }
 
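Review bot: The added rejects on `<`, `>` and `&` extend a blocklist that still lets other path-relevant input through: a bare leading `..` (no preceding slash) and a backslash both pass the `/..` test at the top of the hunk, unless a check above the hunk that I cannot see covers them. For values that are meant to be Maven coordinates an allowlist is shorter and easier to reason about, e.g. `private static final Pattern SAFE_CHARS = Pattern.compile("[A-Za-z0-9_.-]+");` with `return SAFE_CHARS.matcher(checkString).matches();` in place of the chain of contains() tests (widen the class if callers pass other kinds of values). Note also that the callers in the following hunks run `StringEscapeUtils.escapeHtml` before this check, so `<` and `>` can never reach it — they arrive as `&lt;`/`&gt;` and trip the `&` test instead, which makes the two new branches dead as currently ordered. The enclosing method's signature lies above the hunk.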
@@ -280,11 +289,11 @@ public class DefaultFileUploadService
                          boolean generatePom )
         throws ArchivaRestServiceException
     {
-        repositoryId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
repositoryId ) );
-        groupId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
groupId ) );
-        artifactId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
artifactId ) );
-        version = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
version ) );
-        packaging = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
packaging ) );
+        repositoryId = StringEscapeUtils.escapeHtml( StringUtils.trim( 
repositoryId ) );
+        groupId = StringEscapeUtils.escapeHtml( StringUtils.trim( groupId ) );
+        artifactId = StringEscapeUtils.escapeHtml( StringUtils.trim( 
artifactId ) );
+        version = StringEscapeUtils.escapeHtml( StringUtils.trim( version ) );
+        packaging = StringEscapeUtils.escapeHtml( StringUtils.trim( packaging 
) );
 
         checkParamChars("repositoryId", repositoryId);
         checkParamChars("groupId", groupId);
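Review bot: Calling `StringEscapeUtils.escapeHtml` before `checkParamChars` puts output encoding in front of input validation, which both weakens the check and alters the data: after escaping, `<`, `>` and `"` arrive as `&lt;`, `&gt;` and `&quot;`, so only the `&` test inside the checker can ever fire, and a value that passes is an HTML-entity string rather than the coordinate the client sent. If this is commons-lang 2's escapeHtml, non-ASCII characters are also turned into numeric entities and then rejected by the same `&` test, which may not be the intent. I would validate the trimmed raw value and escape only where it is rendered into a page or message, e.g. `groupId = StringUtils.trim( groupId );` (likewise for the other four assignments), leaving `checkParamChars` as the gate. The method body continues past the end of the hunk.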
@@ -378,11 +387,11 @@ public class DefaultFileUploadService
 
             ManagedRepository repoConfig = 
managedRepositoryAdmin.getManagedRepository( repositoryId );
 
-            repositoryId = StringEscapeUtils.escapeJavaScript( 
StringUtils.trim( repositoryId ) );
-            groupId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
groupId ) );
-            artifactId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
artifactId ) );
-            version = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
version ) );
-            packaging = StringEscapeUtils.escapeJavaScript( StringUtils.trim( 
packaging ) );
+            repositoryId = StringEscapeUtils.escapeHtml( StringUtils.trim( 
repositoryId ) );
+            groupId = StringEscapeUtils.escapeHtml( StringUtils.trim( groupId 
) );
+            artifactId = StringEscapeUtils.escapeHtml( StringUtils.trim( 
artifactId ) );
+            version = StringEscapeUtils.escapeHtml( StringUtils.trim( version 
) );
+            packaging = StringEscapeUtils.escapeHtml( StringUtils.trim( 
packaging ) );
 
             ArtifactReference artifactReference = new ArtifactReference();
             artifactReference.setArtifactId( artifactId );
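Review bot: `managedRepositoryAdmin.getManagedRepository( repositoryId )` at the top of the hunk is still called with the untrimmed, unescaped `repositoryId`, and the trimmed/escaped value is assigned only afterwards, so the repository that is looked up and the id used from here on can differ (for instance when the value carries surrounding whitespace). Either move the normalisation of `repositoryId` above the lookup or pass the normalised value to it. The escaped `artifactId` then goes into `ArtifactReference` via `artifactReference.setArtifactId( artifactId )`, so an HTML-escaped string becomes an artifact coordinate; a character-allowlist check on the raw value is the right gate for data used this way, with escaping reserved for rendered output. The method continues beyond both edges of the hunk.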
