Author: taylor Date: Tue Jan 26 05:57:48 2016 New Revision: 1726733 URL: http://svn.apache.org/viewvc?rev=1726733&view=rev Log: further tightening of security around the new user manager service against SQL injection
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/container/url/impl/AbstractPortalURL.java Tue Jan 26 05:57:48 2016
@@ -234,7 +234,9 @@ public abstract class AbstractPortalURL
 protected void setPath(String path)
 {
- this.path = path.replaceAll("['\"]", ""); // remove any escaped scripts from URL (seems to only effect Firefox browser)
+ if (path != null) {
+ this.path = path.replaceAll("['\"]", ""); // remove any escaped scripts from URL (seems to only effect Firefox browser)
+ }
 }
 public String getBaseURL()
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/AbstractRestService.java Tue Jan 26 05:57:48 2016
@@ -23,8 +23,6 @@ import org.apache.jetspeed.services.bean
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
-import java.util.ArrayList;
-import java.util.List;
 /**
 * Created by dtaylor on 5/2/15.
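Review bot: The added null guard leaves `this.path` at its previous value when `path` is null, so a caller that passes null to reset the path silently keeps the old one; if that is intended, say so in a comment, otherwise write `this.path = (path == null) ? null : path.replaceAll("['\"]", "");`. The retained comment also overstates what the line does: it strips the two characters `'` and `"`, which is a denylist rather than script removal, and the part of the code that writes the path into HTML or a URL still has to encode it. A comment such as `// strip single and double quotes; the render point must still encode the path` (and "affect" rather than "effect") would describe the actual guarantee.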
@@ -49,22 +47,4 @@ public class AbstractRestService {
 }
 }
- protected String stripSQLInjection(String in) {
- if (in == null) {
- return null;
- }
- return in.replaceAll("['\"]", "");
- }
-
- protected List<String> stripSQLInjection(List<String> in) {
- if (in == null) {
- return null;
- }
- ArrayList<String> out = new ArrayList<>();
- for (String s : in) {
- out.add(stripSQLInjection(s));
- }
- return out;
- }
-
 }
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java?rev=1726733&r1=1726732&r2=1726733&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/UserManagerService.java Tue Jan 26 05:57:48 2016
@@ -118,13 +118,6 @@ public class UserManagerService extends
 {
 checkPrivilege(servletRequest, JetspeedActions.VIEW);
- userName = stripSQLInjection(userName);
- sortDirection = stripSQLInjection(sortDirection);
- roles = stripSQLInjection(roles);
- groups = stripSQLInjection(groups);
- attributeKeys = stripSQLInjection(attributeKeys);
- attributeValues = stripSQLInjection(attributeValues);
-
 Map<String, String> attributeMap = null;
 if (attributeKeys != null && attributeKeys.size() > 0 && attributeKeys.size() == attributeValues.size())
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
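Review bot: With the stripSQLInjection calls removed, nothing in this method constrains `sortDirection` before it is handed to the user manager; if that value is spliced into an ORDER BY clause, which cannot be bound as a query parameter, the durable replacement for the dropped quote-stripping is an allowlist, e.g. `if (sortDirection != null && !sortDirection.equalsIgnoreCase("asc") && !sortDirection.equalsIgnoreCase("desc")) { throw new WebApplicationException(Response.Status.BAD_REQUEST); }` using the exception and Response types AbstractRestService already imports. Dropping the denylist is the right call only if the lookups below bind userName, roles, groups and the attribute values as parameters, and that is outside this hunk, so a one-line comment after checkPrivilege naming where the binding happens would stop the next reader from re-adding character stripping. Separately, the unchanged condition `attributeKeys.size() == attributeValues.size()` dereferences `attributeValues` without a null check once `attributeKeys` is non-empty. The method continues outside the hunk.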