This is an automated email from the ASF dual-hosted git repository. mbien pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/roller.git
commit 253c309fa8fedf86230b71a5c6a89d41f65330c8
Author: Michael Bien <mbie...@gmail.com>
AuthorDate: Tue May 18 03:04:56 2021 +0200
WeblogRequest and WeblogFeedRequest input validation.
---
.../roller/weblogger/ui/rendering/util/WeblogFeedRequest.java | 7 +++++--
.../roller/weblogger/ui/rendering/util/WeblogRequest.java | 10 +++++-----
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
index 7b788a7..5a10855 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogFeedRequest.java
@@ -22,6 +22,7 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
@@ -43,7 +44,7 @@ import org.apache.roller.weblogger.util.Utilities;
 */
 public class WeblogFeedRequest extends WeblogRequest {
- private static Log log = LogFactory.getLog(WeblogFeedRequest.class);
+ private static final Log log = LogFactory.getLog(WeblogFeedRequest.class);
 private static final String FEED_SERVLET = "/roller-ui/rendering/feed";
@@ -97,7 +98,9 @@ public class WeblogFeedRequest extends WeblogRequest {
 if(pathInfo != null && pathInfo.trim().length() > 1) {
 String[] pathElements = pathInfo.split("/");
- if(pathElements.length == 2) {
+ if(pathElements.length == 2
+ && StringUtils.isAlphanumeric(pathElements[0])
+ && StringUtils.isAlphanumeric(pathElements[1])) {
 this.type = pathElements[0];
 this.format = pathElements[1];
 } else {
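Review bot: The new guard in the `@@ -97,7 +98,9 @@` hunk is stricter than it looks in one way and looser in another, and neither is documented. StringUtils.isAlphanumeric("") is false, so a pathInfo such as `/rss` (split yields an empty first element in a length-2 array) now falls through to the else branch where the old length check alone accepted it with an empty type; a short comment would stop a later reader from "simplifying" that away, e.g. `// isAlphanumeric also rejects "", so a leading "/" or empty segment lands in the else branch`. On the other side, isAlphanumeric is Unicode-aware (letters and digits of any script pass), so if type and format are only ever compared against a small fixed set of feed types and formats, as the field names suggest, an exact comparison against that set here would be the tighter and more self-documenting check. The else branch and the rest of the enclosing method or constructor lie outside the hunk.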
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
index 2e8468c..37fa6d8 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/util/WeblogRequest.java
@@ -20,6 +20,7 @@ package org.apache.roller.weblogger.ui.rendering.util;
 import java.util.Locale;
 import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
@@ -48,7 +49,7 @@ import org.apache.roller.weblogger.pojos.Weblog;
 */
 public class WeblogRequest extends ParsedRequest {
- private static Log log = LogFactory.getLog(WeblogRequest.class);
+ private static final Log log = LogFactory.getLog(WeblogRequest.class);
 // lightweight attributes
 private String weblogHandle = null;
@@ -85,12 +86,11 @@ public class WeblogRequest extends ParsedRequest {
 }
 String[] pathElements = path.split("/", 2);
- if(!pathElements[0].isBlank()) {
+ if(StringUtils.isAlphanumeric(pathElements[0])) {
 this.weblogHandle = pathElements[0];
 } else {
- // no weblogHandle in path info
- throw new InvalidRequestException("not a weblog request, "+
- request.getRequestURL());
+ // no or invalid weblogHandle in path info
+ throw new InvalidRequestException("not a valid weblog request: "+request.getRequestURL());
 }
 // if there is more left of the path info then hold onto it
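Review bot: In the `@@ -85,12 +86,11 @@` hunk, swapping `!pathElements[0].isBlank()` for `StringUtils.isAlphanumeric(pathElements[0])` makes every weblog whose handle contains anything other than letters and digits unreachable, because the request now throws InvalidRequestException before the handle is ever looked up. If handles may legitimately contain characters such as '-' or '_' (a customised handle policy at weblog creation, or handles created before a stricter rule existed), this is a regression rather than a hardening, so the check should reuse the rule the creation path applies to handles instead of a separate one here, and say so: `// must match the handle character rule enforced at weblog creation, or valid weblogs become invalid requests`. isAlphanumeric is also Unicode-aware, which is fine for keeping separator and traversal characters out of the handle but is looser than an ASCII-only rule if the handle is later used to build file or cache paths. The message still echoes request.getRequestURL(), which is unchanged behaviour, but whoever renders that message should treat it as attacker-controlled text. The enclosing method continues outside the hunk.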