This is an automated email from the ASF dual-hosted git repository. brushed pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 98f3ee1851982b084deda65b49d592472b65d263 Author: brushed <[email protected]> AuthorDate: Wed Jan 12 08:09:52 2022 +0100 2.11.2-git-02 Protect the meta 'wikiUserName' tag against XSS vuln. --- ChangeLog.md | 87 ++++++++++++---------- .../src/main/java/org/apache/wiki/api/Release.java | 2 +- .../main/webapp/templates/default/commonheader.jsp | 2 +- 3 files changed, 50 insertions(+), 41 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 013f48e..3bc8910 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -17,6 +17,14 @@ specific language governing permissions and limitations under the License. --> +**2022-01-12 Dirk Frederickx (brushed AT apache DOT org)** + +* _2.11.2-git-02_ + +* Protect the meta 'wikiUserName' tag against potential XSS attack. + (reported by Paulos Yibelo) + + **2021-12-31 Juan Pablo Santos (juanpablo AT apache DOT org)** * _2.11.2-git-01_ @@ -26,7 +34,7 @@ under the License. * Added [AttributesExtension](https://github.com/vsch/flexmark-java/wiki/Extensions#attributes) to `jspwiki-markdown` in order to add support for [Markdown Extra attributes](https://michelf.ca/projects/php-markdown/extra/#spe-attr). * [JSPWIKI-1169](https://issues.apache.org/jira/projects/JSPWIKI/issues/JSPWIKI-1169) - Add Bill of materials module to build. - + * `DefaultReferenceManager` now only synchronizes when (un)serializing data, since the underlying maps used are already handling concurrency. * Some small refactors on htmltowiki decorators. Most notably, `<a>` syntax decorator only performs tasks related to syntax decoration. 
@@ -38,13 +46,14 @@ under the License. * Selenide to 6.1.2 * Tika to 2.2.1 + **2021-12-13 Juan Pablo Santos (juanpablo AT apache DOT org)** * _2.11.1-git-02_ * Decoupled `XHtmlElementToWikiTranslator` from jspwiki syntax, so it will be able in a near future to output other wiki syntaxes. * `XHtmlElementToWikiTranslator` acts as a chain in a chain of responsability pattern, delegating to a `SyntaxDecorator` the output of specific wiki syntaxes. - * Refactored classes may still change a little. + * Refactored classes may still change a little. * Dependency updates * Mockito to 4.1.0, thanks to dependabot [#152](https://github.com/apache/jspwiki/pull/152) @@ -139,7 +148,7 @@ under the License. * First stab at `XHtmlElementToWikiTranslator` refactor, so it'll be easier in the future to make it output other types of wiki syntaxes * Dependency updates, provided by dependabot - * Jetty-all to 9.4.44.v20210927 [#139](https://github.com/apache/jspwiki/pull/139) + * Jetty-all to 9.4.44.v20210927 [#139](https://github.com/apache/jspwiki/pull/139) * Lucene to 8.10.0 [#143](https://github.com/apache/jspwiki/pull/143) * Mockito to 4.0.0 [#144](https://github.com/apache/jspwiki/pull/144) * Selenide to 5.25.0 [#138](https://github.com/apache/jspwiki/pull/138) @@ -180,7 +189,7 @@ under the License. * _2.11.0-git-08_ * [JSPWIKI-1143](https://issues.apache.org/jira/browse/JSPWIKI-1143) - Allow SpamFilter to exclude certain users/groups from checks - * `jspwiki.filters.spamfilter.allowedgroups` property can be used to set a comma separated list of groups that will bypass the filter + * `jspwiki.filters.spamfilter.allowedgroups` property can be used to set a comma separated list of groups that will bypass the filter * Denounce plugin checks for valid URLs 
@@ -208,8 +217,8 @@ under the License. * 3.- JSPWiki custom property files * 4.- JSPWiki cascading properties * 5.- System properties - * With the later ones taking precedence over the previous ones. To avoid leaking system information, only System - environment and properties beginning with `jspwiki` (case unsensitive) are taken into account. + * With the later ones taking precedence over the previous ones. To avoid leaking system information, only System + environment and properties beginning with `jspwiki` (case unsensitive) are taken into account. * Also, to ease docker integration, System env properties containing "_" are turned into ".". F.ex., `ENV jspwiki_fileSystemProvider_pageDir` would be loaded as `jspwiki.fileSystemProvider.pageDir`. @@ -225,7 +234,7 @@ under the License. * _2.11.0-git-06_ * [JSPWIKI-795](https://issues.apache.org/jira/browse/JSPWIKI-795) - Update Logging subsystem to Log4J2 - * Log4J2 is the new logging framework used by JSPWiki. Although all Log4J calls are transparently routed to Log4J2, + * Log4J2 is the new logging framework used by JSPWiki. Although all Log4J calls are transparently routed to Log4J2, the configuration inside jspwiki.properties has changed, so installations with customized logging configuration will need to be set up again. * Existing 3rd party plugins, filters and providers will continue to work as expected, as Log4J calls will be routed @@ -271,7 +280,7 @@ under the License. * [JSPWIKI-1144](https://issues.apache.org/jira/browse/JSPWIKI-1144) - Minor performance improvement * Merged [PR #36](https://github.com/apache/jspwiki/pull/36), contributed by [Arturo Bernal](https://github.com/arturobernalg), thanks! -* [JSPWIKI-1147](https://issues.apache.org/jira/browse/JSPWIKI-1147) - The button "Clear user preferences" +* [JSPWIKI-1147](https://issues.apache.org/jira/browse/JSPWIKI-1147) - The button "Clear user preferences" doesn't clear user preferences **2021-01-11 Juan Pablo Santos (juanpablo AT apache DOT org)** 
@@ -282,7 +291,7 @@ doesn't clear user preferences * Merged [PR #32](https://github.com/apache/jspwiki/pull/32), contributed by [Arturo Bernal](https://github.com/arturobernalg), thanks! * `PropertyReader` logs stacktrace if unable to load the `jspwiki.properties` file - + * `WikiEngine` unregisters all event delegates from `WikiEventManager` on shutdown. Under some circumstances, unit tests using a `TestEngine` could end up processing events using managers registered by previous `TestEngine`s. @@ -295,11 +304,11 @@ using a `TestEngine` could end up processing events using managers registered by * _2.11.0-git-02_ -* Dependency updates provided by dependabot (PRs [#18](https://github.com/apache/jspwiki/pull/18), - [#19](https://github.com/apache/jspwiki/pull/19), [#20](https://github.com/apache/jspwiki/pull/20), +* Dependency updates provided by dependabot (PRs [#18](https://github.com/apache/jspwiki/pull/18), + [#19](https://github.com/apache/jspwiki/pull/19), [#20](https://github.com/apache/jspwiki/pull/20), [#21](https://github.com/apache/jspwiki/pull/21), [#22](https://github.com/apache/jspwiki/pull/22), [#23](https://github.com/apache/jspwiki/pull/23), [#24](https://github.com/apache/jspwiki/pull/24), - [#25](https://github.com/apache/jspwiki/pull/25), [#26](https://github.com/apache/jspwiki/pull/26), + [#25](https://github.com/apache/jspwiki/pull/25), [#26](https://github.com/apache/jspwiki/pull/26), [#27](https://github.com/apache/jspwiki/pull/27), [#28](https://github.com/apache/jspwiki/pull/28), [#29](https://github.com/apache/jspwiki/pull/29) and [#30](https://github.com/apache/jspwiki/pull/30)), most notably * jsp-api to 2.3.3 
@@ -367,7 +376,7 @@ using a `TestEngine` could end up processing events using managers registered by is all that is needed to generate the binaries. As this takes some more time, is only needed when upgrading tomcat and needs to download artifacts not present on Maven's central repo, it is not enabled by default. -* Jenkinsfile uses JDK 11 to perform the build, as this is now the minimum [required by SonarQube](https://sonarcloud.io/documentation/appendices/end-of-support/). +* Jenkinsfile uses JDK 11 to perform the build, as this is now the minimum [required by SonarQube](https://sonarcloud.io/documentation/appendices/end-of-support/). The build itself still requires at least JDK 1.8. * Dependency updates @@ -445,7 +454,7 @@ using a `TestEngine` could end up processing events using managers registered by * Log configuration * Begin to prepare [JSPWIKI-795](https://issues.apache.org/jira/projects/JSPWIKI/issues/JSPWIKI-795) - Update logging subsystem in JSPWiki - * Log4J will now be configured only if present in classpath. Right now this means always, but once + * Log4J will now be configured only if present in classpath. Right now this means always, but once the logging subsystem is updated and in order to allow backwards compatibility with existing custom extensions, it will have to be explicitly added. 
@@ -461,31 +470,31 @@ using a `TestEngine` could end up processing events using managers registered by * [JSPWIKI-303](https://issues.apache.org/jira/browse/JSPWIKI-303): [JSPWiki API](https://jspwiki-wiki.apache.org/Wiki.jsp?page=JSPWikiPublicAPI) library creation * SPI to retrieve / create objects from the `o.a.w.api.core` package - * it is possible to provide custom implementations of objects from the `o.a.w.api.core` package - * for a custom `Engine`, an implementation of `o.a.w.api.spi.EngineSPI`, and set the - `jspwiki.provider.impl.engine` property on the `jspwiki-[custom].properties` file with the - fully qualified name of the implementation - * for a custom `Context`, an implementation of `o.a.w.api.spi.ContextSPI`, and set the - `jspwiki.provider.impl.context` property on the `jspwiki-[custom].properties` file with the - fully qualified name of the implementation - * for a custom `Session`, an implementation of `o.a.w.api.spi.SessionSPI`, and set the - `jspwiki.provider.impl.session` property on the `jspwiki-[custom].properties` file with the - fully qualified name of the implementation - * for custom `Page` or `Attachment`, an implementation of `o.a.w.api.spi.ContentsSPI`, and set the - `jspwiki.provider.impl.contents` property on the `jspwiki-[custom].properties` file with the - fully qualified name of the implementation - * for custom `Acl` or `AclEntry`, an implementation of `o.a.w.api.spi.AclsSPI`, and set the - `jspwiki.provider.impl.acls` property on the `jspwiki-[custom].properties` file with the + * it is possible to provide custom implementations of objects from the `o.a.w.api.core` package + * for a custom `Engine`, an implementation of `o.a.w.api.spi.EngineSPI`, and set the + `jspwiki.provider.impl.engine` property on the `jspwiki-[custom].properties` file with the + fully qualified name of the implementation + * for a custom `Context`, an implementation of `o.a.w.api.spi.ContextSPI`, and set the + `jspwiki.provider.impl.context` property on 
the `jspwiki-[custom].properties` file with the + fully qualified name of the implementation + * for a custom `Session`, an implementation of `o.a.w.api.spi.SessionSPI`, and set the + `jspwiki.provider.impl.session` property on the `jspwiki-[custom].properties` file with the + fully qualified name of the implementation + * for custom `Page` or `Attachment`, an implementation of `o.a.w.api.spi.ContentsSPI`, and set the + `jspwiki.provider.impl.contents` property on the `jspwiki-[custom].properties` file with the + fully qualified name of the implementation + * for custom `Acl` or `AclEntry`, an implementation of `o.a.w.api.spi.AclsSPI`, and set the + `jspwiki.provider.impl.acls` property on the `jspwiki-[custom].properties` file with the fully qualified name of the implementation * [JSPWIKI-806](https://issues.apache.org/jira/browse/JSPWIKI-806) (EntityManager Proposal): add the possibility of loading custom managers on `WikiEngine` - * `WikiEngine` will look on classpath for an `ini/classmappings-extra.xml` file, with the same structure as + * `WikiEngine` will look on classpath for an `ini/classmappings-extra.xml` file, with the same structure as `ini/classmappings.xml` * if found, will register each `requestedClass` with its correspondent `mappedClass` * these custom manager must have a no-arg constructor * if there's a need to perform some initialization tasks querying the `Engine`, the custom manager should implement `o.a.w.api.engine.Initializable` and perform those tasks there - + * `SisterSites.jsp` now honours page ACLs **2020-03-25 Juan Pablo Santos (juanpablo AT apache DOT org)** 
@@ -495,8 +504,8 @@ using a `TestEngine` could end up processing events using managers registered by * [JSPWIKI-303](https://issues.apache.org/jira/browse/JSPWIKI-303): JSPWiki-API library creation * `Page` deals with ACLs -* Refactor `WikiEngine` initialization, in order to prepare for building and configuring custom -managers (somewhat related to [JSPWIKI-806](https://issues.apache.org/jira/browse/JSPWIKI-806) - EntityManager Proposal) +* Refactor `WikiEngine` initialization, in order to prepare for building and configuring custom +managers (somewhat related to [JSPWIKI-806](https://issues.apache.org/jira/browse/JSPWIKI-806) - EntityManager Proposal) * Dependency updates * Lucene to 8.5.0 
@@ -508,15 +517,15 @@ managers (somewhat related to [JSPWIKI-806](https://issues.apache.org/jira/brows * [JSPWIKI-303](https://issues.apache.org/jira/browse/JSPWIKI-303): JSPWiki-API library creation * added compatibility to page / attachment providers not using the public API - * `jspwiki.pageProvider` should be set to `WikiPageAdapterProvider` and then `jspwiki.pageProvider.adapter.impl` + * `jspwiki.pageProvider` should be set to `WikiPageAdapterProvider` and then `jspwiki.pageProvider.adapter.impl` to the actual page provider - * `jspwiki.attachmentProvider` should be set to `WikiAttachmentAdapterProvider` and then `jspwiki.attachmentProvider.adapter.impl` + * `jspwiki.attachmentProvider` should be set to `WikiAttachmentAdapterProvider` and then `jspwiki.attachmentProvider.adapter.impl` to the actual attachment provider * see `WikiProviderAdaptersTest` on the jspwiki-210-adapters module for an example * `Page` does not deal with ACLs yet * SPI to create objects from the `o.a.w.api.core` package still needs to be done -* Added more helper methods to `TestEngine` to ease building customized instances (again, see `WikiProviderAdaptersTest` on the +* Added more helper methods to `TestEngine` to ease building customized instances (again, see `WikiProviderAdaptersTest` on the jspwiki-210-adapters module for an example) * Dependency updates 
@@ -530,10 +539,10 @@ jspwiki-210-adapters module for an example) * [JSPWIKI-303](https://issues.apache.org/jira/browse/JSPWIKI-303): JSPWiki-API library creation * Extracted `jspwiki-event` and `jspwiki-api` maven modules from `jspwiki-main` - * Created `jspwiki-210-adapters` and `jspwiki-210-test-adaptees` maven modules to ensure backwards + * Created `jspwiki-210-adapters` and `jspwiki-210-test-adaptees` maven modules to ensure backwards compatibility with custom plugin / filters / page providers not using public API * JSPWiki Plugins, Filters and Page Providers are using the public API - * Use of `o.a.w.api.core.Command` instead of `o.a.w.ui.Command` and of `o.a.w.api.search.QueryItem` and + * Use of `o.a.w.api.core.Command` instead of `o.a.w.ui.Command` and of `o.a.w.api.search.QueryItem` and `o.a.w.api.search.SearchResult` instead of their counterparts from the `o.a.w.search` package * Start to introduce `Page`, `Attachment` and `Context` instead of `WikiPage`, `WikiAttachment` and `WikiContext` * JSPWiki API still needs some polishing @@ -552,7 +561,7 @@ jspwiki-210-adapters module for an example) * Internal classes' refactors in order to break some class / packages cycles. -* Updated Tomcat to 9.0.31 in order to get JDK 8 level to compile and run JSPs when using the Cargo +* Updated Tomcat to 9.0.31 in order to get JDK 8 level to compile and run JSPs when using the Cargo plugin. Baseline is still servlet 3.1 (i.e.: Tomcat 8.x), though. **2002-03-04 Dirk Frederickx (brushed AT apache DOT org)** diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java index 20e4668..173ce45 100644 --- a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java +++ b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java 
@@ -69,7 +69,7 @@ public final class Release { * <p> * If the build identifier is empty, it is not added. */ - public static final String BUILD = "01"; + public static final String BUILD = "02"; /** * This is the generic version string you should use when printing out the version. It is of diff --git a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp index 3432f10..8aceb22 100644 --- a/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp +++ b/jspwiki-war/src/main/webapp/templates/default/commonheader.jsp @@ -97,7 +97,7 @@ String.I18N.PREFIX = "javascript."; <meta name="wikiCloneUrl" content='<wiki:EditLink format="url" page="#$%"/>&clone=<wiki:Variable var="pagename" />' /> <meta name="wikiJsonUrl" content='<%= Context.findContext(pageContext).getURL( ContextEnum.PAGE_NONE.getRequestContext(), "ajax" ) %>' /><%--unusual pagename--%> <meta name="wikiPageName" content='<wiki:Variable var="pagename" />' /><%--pagename without blanks--%> -<meta name="wikiUserName" content='<wiki:UserName />' /> +<meta name="wikiUserName" content="<wiki:UserName />" /> <meta name="wikiTemplateUrl" content='<wiki:Link format="url" templatefile="" />' /> <meta name="wikiApplicationName" content='<wiki:Variable var="ApplicationName" />' /> <%--CHECKME
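Review bot: In the commonheader.jsp hunk, swapping `content='<wiki:UserName />'` for `content="<wiki:UserName />"` only closes the attribute-injection hole if the output of `<wiki:UserName />` HTML-encodes the double-quote character; nothing in this patch touches the tag itself, so please confirm (ideally with a test that renders a user name containing both `"` and `'`) that the tag emits `&quot;` for `"`, and consider encoding `'` as `&#39;` too, so the value stays safe whichever delimiter a template author picks. The neighbouring `wikiPageName`, `wikiApplicationName` and `wikiCloneUrl` meta tags in the same context lines still wrap tag output in single quotes and deserve the same check, since any of those values containing a `'` would end the attribute in the same way.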
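Review bot: Every ChangeLog.md hunk after the first (`@@ -26,7 +34,7 @@` onward) only strips trailing whitespace from otherwise unchanged lines, which makes a security fix noisier to review and harder to cherry-pick onto a maintenance branch; consider moving the whitespace cleanup into a separate commit. The new entry under 2022-01-12 could also name the affected file (`jspwiki-war/src/main/webapp/templates/default/commonheader.jsp`), so installations that copied the default template into a custom one know which line to patch.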
