Jeroen Hoffman pushed to branch release/5.1 at cms-community / hippo-repository


Commits:
b3560a0b by Jeroen Hoffman at 2018-01-16T12:29:20+01:00
REPO-1925 [Back port to 12.1] SecurityManager doesn't sanitize userId in 
case of external providers to get memberships
- sanitize user id

- - - - -


1 changed file:

- engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java


Changes:

=====================================
engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java
=====================================
--- a/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java
+++ b/engine/src/main/java/org/hippoecm/repository/security/SecurityManager.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2008-2013 Hippo B.V. (http://www.onehippo.com)
+ *  Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com)
  * 
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -362,10 +362,11 @@ public class SecurityManager implements 
HippoSecurityManager {
      */
     private Set<String> getMemberships(String rawUserId, String providerId) {
         try {
+            final String sanitizedUserId = sanitizeUserId(rawUserId, 
providerId);
             if (providers.containsKey(providerId)) {
-                return 
providers.get(providerId).getGroupManager().getMembershipIds(rawUserId);
+                return 
providers.get(providerId).getGroupManager().getMembershipIds(sanitizedUserId);
             } else {
-                return 
providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId,
 providerId));
+                return 
providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizedUserId);
             }
         } catch (RepositoryException e) {
             log.warn("Unable to get memberships for userId: " + rawUserId, e);
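Review bot: The `log.warn` in the catch block at the end of this hunk still concatenates `rawUserId`, so the caller-supplied id that the lookups no longer receive is still written to the log unchanged. Line breaks or control characters in that value could forge or split log entries. `sanitizedUserId` is declared inside the `try` and is out of scope in the `catch`; if `sanitizeUserId` cannot throw `RepositoryException` (its body is not visible here), move the declaration above the `try` and log `sanitizedUserId`. Otherwise neutralise CR/LF in the raw value before logging it. Separately, the two branches now differ only in the provider key, so they could share one `getMembershipIds(sanitizedUserId)` call; the method body continues past the end of the hunk.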



View it on GitLab: 
https://code.onehippo.org/cms-community/hippo-repository/commit/b3560a0be1f02acb21cca463055f62e2dfeaa751
