This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
The following commit(s) were added to refs/heads/master by this push:
new fbca816 2.11.0-M4-git-10 [JSPWIKI-1107] Fixing XSS vulnerability in
various plugins
fbca816 is described below
commit fbca81686104b50909a5a71b63ad476e39c59d56
Author: brushed <[email protected]>
AuthorDate: Sun Apr 28 20:20:29 2019 +0200
2.11.0-M4-git-10 [JSPWIKI-1107] Fixing XSS vulnerability in various plugins
---
ChangeLog | 8 ++++-
.../src/main/java/org/apache/wiki/Release.java | 2 +-
.../apache/wiki/plugin/AbstractReferralPlugin.java | 34 ++++++++++-----------
.../main/java/org/apache/wiki/plugin/Denounce.java | 3 +-
.../apache/wiki/plugin/ReferredPagesPlugin.java | 5 ++--
.../apache/wiki/plugin/ReferringPagesPlugin.java | 35 +++++++++++-----------
.../org/apache/wiki/plugin/SessionsPlugin.java | 17 ++++++-----
.../org/apache/wiki/plugin/TableOfContents.java | 20 ++++++-------
.../org/apache/wiki/plugin/WeblogEntryPlugin.java | 9 +++---
9 files changed, 72 insertions(+), 61 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e0a0b23..5c9ee7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,15 @@
+2019-04-28 Dirk Frederickx (brushed AT apache DOT org)
+
+ * 2.11.0-M4-git-10
+
+ * [JSPWIKI-1107] Fixing XSS vulnerability in various plugins.
+
2019-04-28 Juan Pablo Santos (juanpablo AT apache DOT org)
* 2.11.0-M4-git-09
* [JSPWIKI-1110] Upgrade bundled dependencies for 2.11.0.M4
-
+
* generate aggregated javadocs for
http://jspwiki.apache.org/apidocs/index.html
2019-04-27 Dirk Frederickx (brushed AT apache DOT org)
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index 86876a7..c3e026e 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
* <p>
* If the build identifier is empty, it is not added.
*/
- public static final String BUILD = "09";
+ public static final String BUILD = "10";
/**
* This is the generic version string you should use when printing out
the version. It is of
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/AbstractReferralPlugin.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/AbstractReferralPlugin.java
index d6d6afa..6e6c8dd 100644
---
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/AbstractReferralPlugin.java
+++
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/AbstractReferralPlugin.java
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
*/
package org.apache.wiki.plugin;
@@ -74,7 +74,7 @@ import org.apache.wiki.util.comparators.LocaleComparator;
* <li><b>sortOrder</b> - specifies the sort order for the resulting list.
Options are
* 'human', 'java', 'locale' or a <code>RuleBasedCollator</code> rule string.
(since 2.8.3)</li>
* </ul>
- *
+ *
*/
public abstract class AbstractReferralPlugin implements WikiPlugin
{
@@ -82,37 +82,37 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
/** Magic value for rendering all items. */
public static final int ALL_ITEMS = -1;
-
+
/** Parameter name for setting the maximum width. Value is
<tt>{@value}</tt>. */
public static final String PARAM_MAXWIDTH = "maxwidth";
/** Parameter name for the separator string. Value is <tt>{@value}</tt>.
*/
public static final String PARAM_SEPARATOR = "separator";
-
+
/** Parameter name for the output after the link. Value is
<tt>{@value}</tt>. */
public static final String PARAM_AFTER = "after";
-
+
/** Parameter name for the output before the link. Value is
<tt>{@value}</tt>. */
public static final String PARAM_BEFORE = "before";
/** Parameter name for setting the list of excluded patterns. Value is
<tt>{@value}</tt>. */
public static final String PARAM_EXCLUDE = "exclude";
-
+
/** Parameter name for setting the list of included patterns. Value is
<tt>{@value}</tt>. */
public static final String PARAM_INCLUDE = "include";
-
+
/** Parameter name for the show parameter. Value is <tt>{@value}</tt>. */
public static final String PARAM_SHOW = "show";
-
+
/** Parameter name for setting show to "pages". Value is
<tt>{@value}</tt>. */
public static final String PARAM_SHOW_VALUE_PAGES = "pages";
-
+
/** Parameter name for setting show to "count". Value is
<tt>{@value}</tt>. */
public static final String PARAM_SHOW_VALUE_COUNT = "count";
-
+
/** Parameter name for showing the last modification count. Value is
<tt>{@value}</tt>. */
public static final String PARAM_LASTMODIFIED = "showLastModified";
-
+
/** Parameter name for specifying the sort order. Value is
<tt>{@value}</tt>. */
protected static final String PARAM_SORTORDER = "sortOrder";
protected static final String PARAM_SORTORDER_HUMAN = "human";
@@ -127,7 +127,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
protected Pattern[] m_exclude;
protected Pattern[] m_include;
protected PageSorter m_sorter;
-
+
protected String m_show = "pages";
protected boolean m_lastModified=false;
// the last modified date of the page that has been last modified:
@@ -154,7 +154,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
if( s != null )
{
- m_separator = s;
+ m_separator = TextUtil.replaceEntities( s );
// pre-2.1.145 there was a separator at the end of the list
// if they set the parameters, we use the new format of
// before Item1 after separator before Item2 after separator
before Item3 after
@@ -249,7 +249,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
}
}
}
-
+
initSorter( context, params );
}
@@ -264,7 +264,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
/**
* Filters a collection according to the include and exclude parameters.
- *
+ *
* @param c The collection to filter.
* @return A filtered collection.
*/
@@ -341,7 +341,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
/**
* Filters and sorts a collection according to the include and exclude
parameters.
- *
+ *
* @param c The collection to filter.
* @return A filtered and sorted collection.
*/
@@ -453,7 +453,7 @@ public abstract class AbstractReferralPlugin implements
WikiPlugin
return text;
}
}
-
+
/**
* Helper method to initialize the comparator for this page.
*/
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
index 225f5ee..55b8bbf 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
@@ -41,6 +41,7 @@ import org.apache.oro.text.regex.Perl5Matcher;
import org.apache.wiki.WikiContext;
import org.apache.wiki.api.exceptions.PluginException;
import org.apache.wiki.api.plugin.WikiPlugin;
+import org.apache.wiki.util.TextUtil;
/**
* Denounces a link by removing it from any search engine.
@@ -164,7 +165,7 @@ public class Denounce implements WikiPlugin
if( linkAllowed )
{
// FIXME: Should really call TranslatorReader
- return "<a href=\""+link+"\">"+text+"</a>";
+ return "<a href=\""+link+"\">"+ TextUtil.replaceEntities(text)
+"</a>";
}
return c_denounceText;
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
index 0d8059d..f950079 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferredPagesPlugin.java
@@ -223,7 +223,7 @@ public class ReferredPagesPlugin implements WikiPlugin {
}
//See https://www.w3.org/wiki/HTML_lists for proper
nesting of UL and LI
- m_result.append("<li> " + link + "\n");
+ m_result.append("<li> " + TextUtil.replaceEntities(link) +
"\n");
getReferredPages( context, link, depth ); // added
recursive call - on general request
@@ -237,7 +237,8 @@ public class ReferredPagesPlugin implements WikiPlugin {
}
String href = context.getURL(WikiContext.VIEW,link);
- m_result.append("<li><a class=\"wikipage\" href=\""+ href
+"\">"+link+"</a>\n" );
+ m_result.append("<li><a class=\"wikipage\" href=\""+ href +
"\">"
+ + TextUtil.replaceEntities(link) + "</a>\n" );
m_exists.add( link );
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferringPagesPlugin.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferringPagesPlugin.java
index e1ed0dc..c25e916 100644
---
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferringPagesPlugin.java
+++
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/ReferringPagesPlugin.java
@@ -1,4 +1,4 @@
-/*
+/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
*/
package org.apache.wiki.plugin;
@@ -41,7 +41,7 @@ import org.apache.wiki.util.TextUtil;
* <li><b>extras</b> - How to announce extras.</li>
* <li><b>page</b> - Which page to get the table of contents from.</li>
* </ul>
- *
+ *
* From AbstractReferralPlugin:
* <ul>
* <li><b>separator</b> - How to separate generated links; default is a
wikitext line break,
@@ -57,16 +57,16 @@ public class ReferringPagesPlugin
/** Parameter name for setting the maximum items to show. Value is
<tt>{@value}</tt>. */
public static final String PARAM_MAX = "max";
- /** Parameter name for setting the text to show when the maximum items is
overruled.
- * Value is <tt>{@value}</tt>.
+ /** Parameter name for setting the text to show when the maximum items is
overruled.
+ * Value is <tt>{@value}</tt>.
*/
public static final String PARAM_EXTRAS = "extras";
-
+
/**
* Parameter name for choosing the page. Value is <tt>{@value}</tt>.
*/
public static final String PARAM_PAGE = "page";
-
+
/**
* {@inheritDoc}
*/
@@ -76,16 +76,16 @@ public class ReferringPagesPlugin
ReferenceManager refmgr = context.getEngine().getReferenceManager();
String pageName = params.get( PARAM_PAGE );
ResourceBundle rb = Preferences.getBundle( context,
WikiPlugin.CORE_PLUGINS_RESOURCEBUNDLE );
-
+
StringBuilder result = new StringBuilder( 256 );
-
+
if( pageName == null )
{
pageName = context.getPage().getName();
}
WikiPage page = context.getEngine().getPage( pageName );
-
+
if( page != null )
{
Collection< String > links = refmgr.findReferrers( page.getName()
);
@@ -94,28 +94,29 @@ public class ReferringPagesPlugin
super.initialize( context, params );
int items = TextUtil.parseIntParameter( params.get( PARAM_MAX ),
ALL_ITEMS );
- String extras = params.get( PARAM_EXTRAS );
+
+ String extras = TextUtil.replaceEntities( params.get( PARAM_EXTRAS
) );
if( extras == null )
{
extras = rb.getString("referringpagesplugin.more");
}
-
+
if( log.isDebugEnabled() )
log.debug( "Fetching referring pages for "+page.getName()+
" with a max of "+items);
-
+
if( links != null && links.size() > 0 )
{
links = filterAndSortCollection( links );
wikitext = wikitizeCollection( links, m_separator, items );
result.append( makeHTML( context, wikitext ) );
-
+
if( items < links.size() && items > 0 )
{
Object[] args = { "" + ( links.size() - items) };
extras = MessageFormat.format(extras, args);
-
+
result.append( "<br />" );
result.append( "<a class='morelink'
href='"+context.getURL( WikiContext.INFO, page.getName() )+"' ");
result.append( ">"+extras+"</a><br />");
@@ -128,7 +129,7 @@ public class ReferringPagesPlugin
if (links == null || links.size() == 0)
{
wikitext = rb.getString("referringpagesplugin.nobody");
-
+
result.append( makeHTML( context, wikitext ) );
}
else
@@ -143,7 +144,7 @@ public class ReferringPagesPlugin
}
}
}
-
+
return result.toString();
}
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/SessionsPlugin.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/SessionsPlugin.java
index e78d7e8..141a69e 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/SessionsPlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/SessionsPlugin.java
@@ -1,4 +1,4 @@
-/*
+/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
*/
package org.apache.wiki.plugin;
@@ -28,12 +28,13 @@ import org.apache.wiki.WikiEngine;
import org.apache.wiki.WikiSession;
import org.apache.wiki.api.exceptions.PluginException;
import org.apache.wiki.api.plugin.WikiPlugin;
+import org.apache.wiki.util.TextUtil;
/**
* <p>Displays information about active wiki sessions. The parameter
* <code>property</code> specifies what information is displayed.
* If omitted, the number of sessions is returned.
- *
+ *
* <p>Parameters : </p>
* <ul>
* <li><b>property</b> - specify what output to display, valid values
are:</li>
@@ -51,7 +52,7 @@ public class SessionsPlugin
{
/** The parameter name for setting the property value. */
public static final String PARAM_PROP = "property";
-
+
/**
* {@inheritDoc}
*/
@@ -60,7 +61,7 @@ public class SessionsPlugin
{
WikiEngine engine = context.getEngine();
String prop = params.get( PARAM_PROP );
-
+
if ( "users".equals( prop ) )
{
Principal[] principals = WikiSession.userPrincipals( engine );
@@ -70,7 +71,7 @@ public class SessionsPlugin
s.append(principals[i].getName() + ", ");
}
// remove the last comma and blank :
- return s.substring(0, s.length() - (s.length() > 2 ? 2 : 0) );
+ return TextUtil.replaceEntities( s.substring(0, s.length() -
(s.length() > 2 ? 2 : 0) ) );
}
//
@@ -109,7 +110,9 @@ public class SessionsPlugin
s.append( entry.getKey() + "(" + entry.getValue().toString() +
"), " );
}
// remove the last comma and blank :
- if (s.length() >= 2) return s.substring(0, s.length() - 2);
+ //if (s.length() >= 2) return s.substring(0, s.length() - 2);
+ return TextUtil.replaceEntities( s.substring(0, s.length() -
(s.length() > 2 ? 2 : 0) ) );
+
}
return String.valueOf( WikiSession.sessions( engine ) );
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/TableOfContents.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/TableOfContents.java
index 268e2a2..e7a4f9c 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/TableOfContents.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/TableOfContents.java
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
*/
package org.apache.wiki.plugin;
@@ -37,7 +37,7 @@ import org.apache.wiki.preferences.Preferences;
import org.apache.wiki.util.TextUtil;
/**
- * Provides a table of contents.
+ * Provides a table of contents.
* <p>Parameters : </p>
* <ul>
* <li><b>title</b> - The title of the table of contents.</li>
@@ -55,13 +55,13 @@ public class TableOfContents
/** Parameter name for setting the title. */
public static final String PARAM_TITLE = "title";
-
+
/** Parameter name for setting whether the headings should be numbered. */
public static final String PARAM_NUMBERED = "numbered";
-
+
/** Parameter name for setting where the numbering should start. */
public static final String PARAM_START = "start";
-
+
/** Parameter name for setting what the prefix for the heading is. */
public static final String PARAM_PREFIX = "prefix";
@@ -170,12 +170,10 @@ public class TableOfContents
sb.append("<h4 id=\"section-TOC\">");
if( title != null )
{
- //sb.append("<h4>"+TextUtil.replaceEntities(title)+"</h4>\n");
sb.append(TextUtil.replaceEntities(title));
}
else
{
-
//sb.append("<h4>"+rb.getString("tableofcontents.title")+"</h4>\n");
sb.append(rb.getString("tableofcontents.title"));
}
sb.append("</h4>\n");
@@ -211,7 +209,7 @@ public class TableOfContents
if (m_level1Index < 0) m_level1Index = 0;
m_level2Index = 0;
m_level3Index = 0;
- m_prefix = params.get(PARAM_PREFIX);
+ m_prefix = TextUtil.replaceEntities( params.get(PARAM_PREFIX) );
if (m_prefix == null) m_prefix = "";
m_lastLevel = Heading.HEADING_LARGE;
}
@@ -220,7 +218,7 @@ public class TableOfContents
{
String wikiText = engine.getPureText( page );
boolean runFilters = "true".equals(
engine.getVariableManager().getValue( context, WikiEngine.PROP_RUNFILTERS,
"true" ) );
-
+
if( runFilters ) {
try {
FilterManager fm =
engine.getFilterManager();
@@ -231,9 +229,9 @@ public class TableOfContents
throw new PluginException("Unable to
construct table of contents (see logs)");
}
}
-
+
context.setVariable( VAR_ALREADY_PROCESSING, "x" );
-
+
MarkupParser parser = engine.getRenderingManager().getParser(
context, wikiText );
parser.addHeadingListener( this );
parser.parse();
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogEntryPlugin.java
b/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogEntryPlugin.java
index fb9dd12..2630372 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogEntryPlugin.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/WeblogEntryPlugin.java
@@ -1,4 +1,4 @@
-/*
+/*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
@@ -14,7 +14,7 @@
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
- under the License.
+ under the License.
*/
package org.apache.wiki.plugin;
@@ -35,6 +35,7 @@ import org.apache.wiki.api.plugin.WikiPlugin;
import org.apache.wiki.pages.PageLock;
import org.apache.wiki.pages.PageManager;
import org.apache.wiki.preferences.Preferences;
+import org.apache.wiki.util.TextUtil;
/**
* Builds a simple weblog.
@@ -58,7 +59,7 @@ public class WeblogEntryPlugin implements WikiPlugin {
public static final String PARAM_ENTRYTEXT = "entrytext";
/**
* Optional parameter: page that actually contains the blog.
- * This lets us provide a "new entry" link for a blog page
+ * This lets us provide a "new entry" link for a blog page
* somewhere else than on the page itself.
*/
// "page" for uniform naming with WeblogPlugin...
@@ -108,7 +109,7 @@ public class WeblogEntryPlugin implements WikiPlugin {
StringBuilder sb = new StringBuilder();
- String entryText = params.get(PARAM_ENTRYTEXT);
+ String entryText = TextUtil.replaceEntities(
params.get(PARAM_ENTRYTEXT) );
if (entryText == null) {
entryText = rb.getString("weblogentryplugin.newentry");
}
