sylvain 2003/09/02 02:13:51
Modified:
src/blocks/jxforms/java/org/apache/cocoon/components/jxforms/xmlform
Form.java
src/blocks/xmlform/java/org/apache/cocoon/components/xmlform
Form.java
Log:
Block method call injection
Revision Changes Path
1.4 +6 -1
cocoon-2.1/src/blocks/jxforms/java/org/apache/cocoon/components/jxforms/xmlform/Form.java
Index: Form.java
===================================================================
RCS file:
/home/cvs/cocoon-2.1/src/blocks/jxforms/java/org/apache/cocoon/components/jxforms/xmlform/Form.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- Form.java 19 Jul 2003 20:18:49 -0000 1.3
+++ Form.java 2 Sep 2003 09:13:51 -0000 1.4
@@ -587,6 +587,11 @@
* @return boolean
*/
protected boolean filterDefaultRequestParameter(String paramName) {
+ // Forbid parameters containing parenthesis to avoid method-call
injection
+ if (paramName.indexOf('(') != -1) {
+ return true;
+ }
+
if (paramName.startsWith(Constants.ACTION_PARAM_PREFIX) ||
paramName.startsWith(Constants.VIEW_PARAM)) {
return true;
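Review bot: The new guard in filterDefaultRequestParameter rejects only names containing a literal '(', which is a one-character denylist; whatever expression engine later evaluates paramName presumably accepts more syntax than that, so an allowlist of the characters a legitimate parameter name needs would be the sturdier check. Something like `if (!paramName.matches(ALLOWED_PARAM_NAME_PATTERN)) { return true; }` with the pattern (a constructed placeholder here) derived from the actual grammar of form parameter names would also reject other unexpected syntax without having to enumerate it. The comment could record that intent, e.g. `// Reject any parameter name outside the expected name grammar; this is the only point where request-supplied names are validated before evaluation`, and the spelling should be "parentheses". The same addition appears in the second hunk (the xmlform Form.java) and the same remark applies there. The body of filterDefaultRequestParameter continues past the end of the hunk.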
1.6 +6 -1
cocoon-2.1/src/blocks/xmlform/java/org/apache/cocoon/components/xmlform/Form.java
Index: Form.java
===================================================================
RCS file:
/home/cvs/cocoon-2.1/src/blocks/xmlform/java/org/apache/cocoon/components/xmlform/Form.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Form.java 3 Jul 2003 09:26:02 -0000 1.5
+++ Form.java 2 Sep 2003 09:13:51 -0000 1.6
@@ -585,6 +585,11 @@
*
*/
protected boolean filterDefaultRequestParameter(String paramName) {
+ // Forbid parameters containing parenthesis to avoid method-call
injection
+ if (paramName.indexOf('(') != -1) {
+ return true;
+ }
+
if (paramName.startsWith(Constants.ACTION_PARAM_PREFIX) ||
paramName.startsWith(Constants.VIEW_PARAM)) {
return true;