This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git


The following commit(s) were added to refs/heads/master by this push:
     new 4a90915  SLING-7777 - XSSFilter is rejecting URLs containing only 
queries or fragments
4a90915 is described below

commit 4a909157fc29aa3e1990f09135b549476e0692c1
Author: Radu Cotescu <[email protected]>
AuthorDate: Thu Aug 2 17:20:58 2018 +0200

    SLING-7777 - XSSFilter is rejecting URLs containing only queries or 
fragments
    
    * applied patch submitted by Lars Krapf
---
 src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java     | 5 ++---
 src/main/resources/SLING-INF/content/config.xml                | 4 ++--
 src/test/java/org/apache/sling/xss/impl/XSSFilterImplTest.java | 5 ++++-
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java 
b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 42ba499..f15fc23 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -119,14 +119,13 @@ public class XSSFilterImpl implements XSSFilter {
     public static final String PATH_EMPTY = "(?:^$)";
     public static final String RELATIVE_PART = "(?:(?://" + AUTHORITY + 
PATH_ABEMPTY +  ")|" +
             "(?:" + PATH_ABSOLUTE + ")|" +
-            "(?:" + PATH_ROOTLESS + ")|" +
-            PATH_EMPTY + ")";
+            "(?:" + PATH_ROOTLESS + "))";
     public static final String HIER_PART = "(?:(?://" + AUTHORITY + 
PATH_ABEMPTY + ")|" +
             "(?:" + PATH_ABSOLUTE + ")|" +
             "(?:" + PATH_NOSCHEME + ")|" +
             PATH_EMPTY + ")";
 
-    public static final String RELATIVE_REF = 
"(?!\\s*javascript(?::|&colon;))" + RELATIVE_PART + "(?:\\?" + QUERY + ")?(?:#" 
+ FRAGMENT + ")?";
+    public static final String RELATIVE_REF = 
"(?!\\s*javascript(?::|&colon;))" + RELATIVE_PART + "?(?:\\?" + QUERY + 
")?(?:#" + FRAGMENT + ")?";
     public static final String URI = SCHEME_PATTERN + ":" + HIER_PART + 
"(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
 
 
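Review bot: The new RELATIVE_REF (the added line) still relies on the `(?!\\s*javascript(?::|&colon;))` lookahead alone to keep a scheme-looking first segment out of the relative branch, because RELATIVE_PART — now made optional with `?` — is built from PATH_ROOTLESS, whereas RFC 3986 assigns path-noscheme to relative-part and path-rootless to hier-part (this file has them the other way round: HIER_PART uses PATH_NOSCHEME on the context line above). If PATH_ROOTLESS follows the RFC and permits ':' inside the first segment (its definition is outside this hunk), the grammar itself does not exclude a colon before the first '/', so the lookahead is the single control and should be documented as such, e.g. `// RELATIVE_PART is optional so that query-only and fragment-only references match; the javascript lookahead is the only guard against a scheme-like first segment, since PATH_ROOTLESS (unlike RFC 3986 path-noscheme) allows ':' there` above the RELATIVE_REF declaration. Swapping PATH_ROOTLESS and PATH_NOSCHEME between RELATIVE_PART and HIER_PART would align the grammar with the RFC, but that changes what URI accepts and belongs in a separate change with its own tests. The XSSFilterImpl class continues outside the hunk.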
diff --git a/src/main/resources/SLING-INF/content/config.xml 
b/src/main/resources/SLING-INF/content/config.xml
index 665dcf7..dccd890 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -71,7 +71,7 @@ http://www.w3.org/TR/html401/struct/global.html
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' 
for the first part of the regexp -->
         <!-- Check org.apache.sling.xss.impl.XSSFilterImpl#RELATIVE_REF to 
understand the regexp -->
         <regexp name="onsiteURL"
-                
value="(?!\s*javascript(?::|&amp;colon;))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\
 [...]
+            
value="(?!\s*javascript(?::|&amp;colon;))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}
 [...]
         <!-- Check org.apache.sling.xss.impl.XSSFilterImpl#URI to understand 
the regexp -->
         <regexp name="offsiteURL"
                 
value="(?!\s*javascript)\p{L}[\p{L}\p{N}+.\-]*:(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-
 [...]
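Review bot: The onsiteURL value on the added line is a hand-maintained copy of XSSFilterImpl#RELATIVE_REF (the comment above it says so), and the same duplication exists for cssOnsiteUri in the second hunk of this file; both values are truncated in this mail, so whether the `?` quantifier after the relative-part group was carried over into each of them cannot be confirmed from here. Any drift between config.xml and the Java constant silently leaves whichever consumer reads config.xml with the old behaviour while the unit tests against the constant keep passing. A test that unescapes the XML entities and asserts the onsiteURL value equals RELATIVE_REF (and cssOnsiteUri equals it with the `url\(` prefix and closing part stripped) would catch this; generating config.xml from the constants at build time would remove the duplication altogether.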
@@ -111,7 +111,7 @@ http://www.w3.org/TR/html401/struct/global.html
         <regexp name="cssAttributeExclusion" value=""/>
 
         <!--  This is for resources referenced from CSS (such as background 
images and other imported stylesheets) -->
-        <regexp name="cssOnsiteUri" 
value="url\((?!\s*javascript(?::|&amp;colon;))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N
 [...]
+        <regexp name="cssOnsiteUri" 
value="url\((?!\s*javascript(?::|&amp;colon;))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N
 [...]
         <regexp name="cssOffsiteUri" 
value="url\((?!\s*javascript)\p{L}[\p{L}\p{N}+.\-]*:(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&amp;&apos;()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x
 [...]
 
         <!--  This if for CSS Identifiers -->
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSFilterImplTest.java 
b/src/test/java/org/apache/sling/xss/impl/XSSFilterImplTest.java
index a588b38..fe7355a 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSFilterImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSFilterImplTest.java
@@ -56,7 +56,10 @@ public class XSSFilterImplTest {
         
checkIsValid("&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;alert(1)",
 false);
         checkIsValid("%-12", false);
         checkIsValid("/promotion/25%/", false);
-
+        checkIsValid("#", true);
+        checkIsValid("?foo=bar", true);
+        checkIsValid("#javascript:alert(23)", true);
+        checkIsValid("#\">", false);
     }
 
     private void checkIsValid(String input, boolean valid) {
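Review bot: The four new assertions pin query-only and fragment-only inputs but not the boundaries that the now-optional RELATIVE_PART opens up: the empty string, a bare `?`, and a query followed by a fragment. Adding `checkIsValid("", true);`, `checkIsValid("?", true);` and `checkIsValid("?foo=bar#baz", true);` next to the new lines would document that these are intended rather than accidental matches; the expected values assume that the old PATH_EMPTY acceptance of "" is meant to survive and that QUERY may be empty as in RFC 3986 — verify both against the constants. The enclosing test method starts outside the hunk, and the body of checkIsValid follows it.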
