Author: jonesde
Date: Sat Feb 14 08:17:05 2009
New Revision: 744418
URL: http://svn.apache.org/viewvc?rev=744418&view=rev
Log:
Changed LoginWorker.makeLoginUrl back to returning a String and
implemented a more general solution for the @ofbizUrl and
@ofbizContentUrl tags so that they do decoding and are now
tolerant of encoded URLs in case they occur; this should be a
more general fix that avoids the problem in more cases; also a few
cleanups such as resolving warnings
Modified:
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/
KeyStoreUtil.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/engine/
GenericEngineFactory.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/
LoginWorker.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizContentTransform.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizUrlTransform.java
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/
KeyStoreUtil.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/KeyStoreUtil.java?rev=744418&r1=744417&r2=744418&view=diff
====================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/
KeyStoreUtil.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/
KeyStoreUtil.java Sat Feb 14 08:17:05 2009
@@ -18,25 +18,41 @@
*******************************************************************************/
package org.ofbiz.base.util;
-import org.apache.commons.codec.binary.Base64;
-import org.ofbiz.base.component.ComponentConfig;
-import org.ofbiz.base.config.GenericConfigException;
-
-import java.io.*;
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.PrintStream;
+import java.io.Reader;
+import java.io.StringReader;
import java.net.URL;
-import java.security.*;
-import java.security.cert.*;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.PrivateKey;
import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import java.util.Map;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
import javolution.util.FastMap;
-import javax.security.auth.x500.X500Principal;
+import org.apache.commons.codec.binary.Base64;
+import org.ofbiz.base.component.ComponentConfig;
+import org.ofbiz.base.config.GenericConfigException;
/**
* KeyStoreUtil - Utilities for getting KeyManagers and TrustManagers
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/
engine/GenericEngineFactory.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/engine/GenericEngineFactory.java?rev=744418&r1=744417&r2=744418&view=diff
====================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/engine/
GenericEngineFactory.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/engine/
GenericEngineFactory.java Sat Feb 14 08:17:05 2009
@@ -59,7 +59,7 @@
Element engineElement =
UtilXml.firstChildElement(rootElement, "engine", "name",
engineName);
if (engineElement == null) {
- throw new GenericServiceException("Cannot find an
engine definition for the engine name [" + engineName + "] in the
serviceengine.xml file");
+ throw new GenericServiceException("Cannot find a
service engine definition for the engine name [" + engineName + "]
in the serviceengine.xml file");
}
String className = engineElement.getAttribute("class");
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/
control/LoginWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=744418&r1=744417&r2=744418&view=diff
====================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/
LoginWorker.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/
LoginWorker.java Sat Feb 14 08:17:05 2009
@@ -27,7 +27,6 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
@@ -43,13 +42,11 @@
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.GeneralException;
import org.ofbiz.base.util.KeyStoreUtil;
-import org.ofbiz.base.util.StringUtil;
import org.ofbiz.base.util.UtilFormatOut;
import org.ofbiz.base.util.UtilHttp;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.base.util.UtilProperties;
import org.ofbiz.base.util.UtilValidate;
-import org.ofbiz.base.util.StringUtil.StringWrapper;
import org.ofbiz.common.login.LoginServices;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
@@ -81,25 +78,25 @@
/** This Map is keyed by the randomly generated externalLoginKey
and the value is a UserLogin GenericValue object */
public static Map<String, GenericValue> externalLoginKeys =
FastMap.newInstance();
- public static StringWrapper makeLoginUrl(PageContext
pageContext) {
+ public static String makeLoginUrl(PageContext pageContext) {
return makeLoginUrl(pageContext, "checkLogin");
}
- public static StringWrapper makeLoginUrl(HttpServletRequest
request) {
+ public static String makeLoginUrl(HttpServletRequest request) {
return makeLoginUrl(request, "checkLogin");
}
- public static StringWrapper makeLoginUrl(PageContext
pageContext, String requestName) {
+ public static String makeLoginUrl(PageContext pageContext,
String requestName) {
return makeLoginUrl((HttpServletRequest)
pageContext.getRequest(), requestName);
}
- public static StringWrapper makeLoginUrl(HttpServletRequest
request, String requestName) {
+ public static String makeLoginUrl(HttpServletRequest request,
String requestName) {
Map<String, Object> urlParams =
UtilHttp.getUrlOnlyParameterMap(request);
String queryString = UtilHttp.urlEncodeArgs(urlParams, false);
String currentView = UtilFormatOut.checkNull((String)
request.getAttribute("_CURRENT_VIEW_"));
String loginUrl = "/" + requestName;
if ("login".equals(currentView)) {
- return StringUtil.wrapString(loginUrl);
+ return loginUrl;
}
if (UtilValidate.isNotEmpty(currentView)) {
loginUrl += "/" + currentView;
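Review bot: The `makeLoginUrl` overloads now return a plain `String`, but nothing documents how callers must treat the value. The query string is rebuilt from the request's URL parameters via `UtilHttp.getUrlOnlyParameterMap(request)` and `UtilHttp.urlEncodeArgs(urlParams, false)`, so the result carries caller-supplied data and is no longer marked with `StringUtil.wrapString`. I would add a Javadoc on the `(HttpServletRequest, String)` overload such as `/** Returns the login request path with the current view and URL-encoded request parameters appended; the value is not HTML-escaped and must go through output encoding where it is rendered. */`. Changing the return type also breaks any already-compiled caller that expects `StringWrapper`, which deserves a line in the commit log. The method body continues past this hunk.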
@@ -108,7 +105,8 @@
loginUrl += "?" + queryString;
}
- return StringUtil.wrapString(loginUrl);
+ //return StringUtil.wrapString(loginUrl);
+ return loginUrl;
}
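Review bot: The line `//return StringUtil.wrapString(loginUrl);` is dead code left next to the new `return loginUrl;`, and the `StringUtil` import it would need is removed by this same commit. Delete it instead of commenting it out, since the revision history already records the old behaviour. The same applies to the commented-out `//X500Principal x500 = ...` line in the `@@ -720,10 +718,10 @@` hunk. The start of this method lies in the previous hunk.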
/**
@@ -360,7 +358,7 @@
String errMsg =
UtilProperties.getMessage(resourceWebapp,
"loginevents.following_error_occurred_during_login", messageMap,
UtilHttp.getLocale(request));
request.setAttribute("_ERROR_MESSAGE_", errMsg);
}
- request.setAttribute("_ERROR_MESSAGE_LIST_",
(List) result.get(ModelService.ERROR_MESSAGE_LIST));
+ request.setAttribute("_ERROR_MESSAGE_LIST_",
result.get(ModelService.ERROR_MESSAGE_LIST));
return "error";
} else {
password = request.getParameter("newPassword");
@@ -720,10 +718,10 @@
String userLoginId = null;
for (int i = 0; i < clientCerts.length; i++) {
- X500Principal x500 =
clientCerts[i].getSubjectX500Principal();
+ //X500Principal x500 =
clientCerts[i].getSubjectX500Principal();
//Debug.log("Checking client certification
for authentication: " + x500.getName(), module);
- Map x500Map =
KeyStoreUtil.getCertX500Map(clientCerts[i]);
+ Map<String, String> x500Map =
KeyStoreUtil.getCertX500Map(clientCerts[i]);
if (i == 0) {
String cn = (String) x500Map.get("CN");
cn = cn.replaceAll("\\\\", "");
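Review bot: `x500Map.get("CN")` is dereferenced on the next line without a null check, so a client certificate whose subject has no CN would presumably make `cn.replaceAll("\\\\", "")` throw a NullPointerException in the certificate login path (`getCertX500Map` is not shown, so this is inferred). Reject such a certificate explicitly before the `replaceAll` call instead of relying on an unchecked exception. With the map now typed as `Map<String, String>`, the cast is also redundant and the line can read `String cn = x500Map.get("CN");`. The enclosing loop starts and ends outside this hunk.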
@@ -765,7 +763,7 @@
return "success";
}
- protected static boolean checkValidIssuer(GenericDelegator
delegator, Map x500Map, BigInteger serialNumber) throws
GeneralException {
+ protected static boolean checkValidIssuer(GenericDelegator
delegator, Map<String, String> x500Map, BigInteger serialNumber)
throws GeneralException {
List<EntityCondition> conds = FastList.newInstance();
conds.add(EntityCondition.makeCondition(EntityOperator.OR,
EntityCondition.makeConditionMap("commonName", x500Map.get("CN")),
EntityCondition.makeConditionMap("commonName", null),
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizContentTransform.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java?rev=744418&r1=744417&r2=744418&view=diff
====================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizContentTransform.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizContentTransform.java Sat Feb 14 08:17:05 2009
@@ -24,7 +24,10 @@
import javax.servlet.http.HttpServletRequest;
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.StringUtil;
import org.ofbiz.webapp.taglib.ContentUrlTag;
+import org.owasp.esapi.errors.EncodingException;
import freemarker.core.Environment;
import freemarker.ext.beans.BeanModel;
@@ -36,35 +39,45 @@
*/
public class OfbizContentTransform implements
TemplateTransformModel {
- public Writer getWriter(final Writer out, Map args) {
- final StringBuilder buf = new StringBuilder();
- return new Writer(out) {
- public void write(char cbuf[], int off, int len) {
- buf.append(cbuf, off, len);
- }
-
- public void flush() throws IOException {
- out.flush();
- }
-
- public void close() throws IOException {
- try {
- Environment env =
Environment.getCurrentEnvironment();
- BeanModel req =
(BeanModel)env.getVariable("request");
- HttpServletRequest request = req ==
null ? null : (HttpServletRequest) req.getWrappedObject();
-
- // make the link
- StringBuffer newURL = new StringBuffer();
-
ContentUrlTag.appendContentPrefix(request, newURL);
- if (newURL.length() > 0 &&
newURL.charAt(newURL.length() - 1) != '/' && buf.charAt(0) != '/') {
- newURL.append('/');
- }
- newURL.append(buf.toString());
- out.write(newURL.toString());
- } catch (TemplateModelException e) {
- throw new IOException(e.getMessage());
+ public final static String module =
OfbizUrlTransform.class.getName();
+
+ public Writer getWriter(final Writer out, Map args) {
+ final StringBuilder buf = new StringBuilder();
+ return new Writer(out) {
+ public void write(char cbuf[], int off, int len) {
+ buf.append(cbuf, off, len);
+ }
+
+ public void flush() throws IOException {
+ out.flush();
+ }
+
+ public void close() throws IOException {
+ try {
+ Environment env =
Environment.getCurrentEnvironment();
+ BeanModel req =
(BeanModel)env.getVariable("request");
+ HttpServletRequest request = req == null ?
null : (HttpServletRequest) req.getWrappedObject();
+
+ String requestUrl = buf.toString();
+ // just in case the request is encoded,
decode before making the link
+ try {
+ requestUrl =
StringUtil.defaultWebEncoder.decodeFromURL(requestUrl);
+ } catch (EncodingException e) {
+ Debug.logError(e, "Error decoding URL
string [" + requestUrl + "]: " + e.toString(), module);
+ }
+
+ // make the link
+ StringBuffer newURL = new StringBuffer();
+ ContentUrlTag.appendContentPrefix(request,
newURL);
+ if (newURL.length() > 0 &&
newURL.charAt(newURL.length() - 1) != '/' && requestUrl.charAt(0) !
= '/') {
+ newURL.append('/');
}
+ newURL.append(requestUrl);
+ out.write(newURL.toString());
+ } catch (TemplateModelException e) {
+ throw new IOException(e.getMessage());
}
- };
- }
+ }
+ };
}
+}
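Review bot: After `decodeFromURL`, `requestUrl` is appended to the content prefix and handed straight to `out.write(newURL.toString())`, so percent-encoded markup characters in the tag body reach the page in decoded form with no output encoding visible here. If the tag body can ever hold request-derived data, the decoded value should be validated or re-encoded for the URL/attribute context before it is written; the same decode-then-use pattern is added in OfbizUrlTransform.java, where the result goes to `rh.makeLink(...)`. Decoding input that was never encoded also alters it if `decodeFromURL` follows `URLDecoder` semantics (a literal `+` becomes a space), which deserves a comment next to the `try`. Separately, `module` is set to `OfbizUrlTransform.class.getName()`, so these errors are logged under the wrong class; it should be `public final static String module = OfbizContentTransform.class.getName();`. `requestUrl.charAt(0)` still throws on an empty tag body, as `buf.charAt(0)` did before.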
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizUrlTransform.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizUrlTransform.java?rev=744418&r1=744417&r2=744418&view=diff
====================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizUrlTransform.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/
OfbizUrlTransform.java Sat Feb 14 08:17:05 2009
@@ -21,10 +21,16 @@
import java.io.IOException;
import java.io.Writer;
import java.util.Map;
+
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.StringUtil;
+import org.ofbiz.webapp.control.RequestHandler;
+import org.owasp.esapi.errors.EncodingException;
+
import freemarker.core.Environment;
import freemarker.ext.beans.BeanModel;
import freemarker.template.SimpleScalar;
@@ -32,12 +38,12 @@
import freemarker.template.TemplateScalarModel;
import freemarker.template.TemplateTransformModel;
-import org.ofbiz.webapp.control.RequestHandler;
-
/**
* OfbizUrlTransform - Freemarker Transform for URLs (links)
*/
public class OfbizUrlTransform implements TemplateTransformModel {
+
+ public final static String module =
OfbizUrlTransform.class.getName();
public boolean checkArg(Map args, String key, boolean
defaultValue) {
if (!args.containsKey(key)) {
@@ -80,10 +86,18 @@
if (res != null) {
response = (HttpServletResponse)
res.getWrappedObject();
}
-
+
+ String requestUrl = buf.toString();
+ // just in case the request is encoded,
decode before making the link
+ try {
+ requestUrl =
StringUtil.defaultWebEncoder.decodeFromURL(requestUrl);
+ } catch (EncodingException e) {
+ Debug.logError(e, "Error decoding URL
string [" + requestUrl + "]: " + e.toString(), module);
+ }
+
// make the link
RequestHandler rh = (RequestHandler)
ctx.getAttribute("_REQUEST_HANDLER_");
- out.write(rh.makeLink(request, response,
buf.toString(), fullPath, secure, encode));
+ out.write(rh.makeLink(request, response,
requestUrl, fullPath, secure, encode));
} else if (prefix != null) {
if (prefix instanceof TemplateScalarModel) {
TemplateScalarModel s =
(TemplateScalarModel) prefix;
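Review bot: The `catch (EncodingException e)` block only logs and then continues, so a value that failed decoding is still passed unchanged to `rh.makeLink(...)`; that fail-open choice should be made explicit with a comment such as `// decoding failed: fall back to the raw tag body, which is used as-is`. The message concatenates the raw `requestUrl` into the log line, so embedded CR/LF characters could forge log entries if the tag body ever holds request data; strip or encode line breaks before logging. `e.toString()` in the message is redundant because `e` is already passed to `Debug.logError`. The same catch block is added in OfbizContentTransform.java, and the enclosing method starts and ends outside this hunk.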