kstaken 02/03/11 14:32:36
Modified: java/examples/Addressbook/src/java/addressbook
AddContact.java DBConnection.java
DeleteContact.java EditContact.java
ListContacts.java SearchContacts.java Task.java
java/src/org/apache/xindice/server/services HTTPServer.java
Log:
Adding two patches: one for a parent-directory traversal in the HTTP server, and one to
eliminate the IllegalStateExceptions raised by redirecting to the error page after the
response has already been committed in the Addressbook example.
Submitted by: Mike Gratton
Reviewed by: Kimbro Staken
Revision Changes Path
1.2 +7 -2
xml-xindice/java/examples/Addressbook/src/java/addressbook/AddContact.java
Index: AddContact.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/AddContact.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- AddContact.java 6 Dec 2001 19:33:52 -0000 1.1
+++ AddContact.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: AddContact.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: AddContact.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -103,6 +103,12 @@
col.storeResource(resource);
} catch ( Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
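Review bot: The redirect on the last line of the hunk still forwards the raw `e.getMessage()` to `error.jsp?error=`, so whatever the XML:DB driver puts in the message (internal paths, collection names, parser diagnostics) reaches the browser, and if error.jsp echoes the `error` parameter without HTML-escaping it becomes a reflected-XSS sink; error.jsp is not in this diff, so that part needs confirming. Prefer a fixed, generic message and keep the detail server-side, e.g. `response.sendRedirect("/Addressbook/error.jsp?error=" + URLEncoder.encode("Could not store the contact"));`. The committed-response guard is sound, but it returns `true` with no signal to the caller that the request failed; a comment such as `// response already flushed: logged only, the user sees the partial page` would make that deliberate. The enclosing method starts before this hunk.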
@@ -110,7 +116,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return true;
1.3 +7 -3
xml-xindice/java/examples/Addressbook/src/java/addressbook/DBConnection.java
Index: DBConnection.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/DBConnection.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- DBConnection.java 29 Jan 2002 08:15:20 -0000 1.2
+++ DBConnection.java 11 Mar 2002 22:32:35 -0000 1.3
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: DBConnection.java,v 1.2 2002/01/29 08:15:20 kstaken Exp $
+ * $Id: DBConnection.java,v 1.3 2002/03/11 22:32:35 kstaken Exp $
*/
import org.xmldb.api.base.*;
@@ -96,7 +96,12 @@
}
} catch ( Exception e) {
-
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return collection;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
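Review bot: `e.printStackTrace()` at the top of the catch writes to the JVM's stderr rather than the servlet container's log, so in a deployed container the trace may land on a console nobody reads; if a `ServletContext` is reachable here, `getServletContext().log("DBConnection failed", e)` keeps the stack next to the other server logs. The early `return collection;` on the committed-response path hands back whatever `collection` held when the exception fired — presumably null — so a caller that dereferences it without a check will fail with a NullPointerException instead of reaching the error page; whether callers check depends on code outside this hunk. The method containing this catch begins before the hunk.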
@@ -104,7 +109,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return collection;
1.2 +7 -2
xml-xindice/java/examples/Addressbook/src/java/addressbook/DeleteContact.java
Index: DeleteContact.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/DeleteContact.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- DeleteContact.java 6 Dec 2001 19:33:52 -0000 1.1
+++ DeleteContact.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: DeleteContact.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: DeleteContact.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -98,6 +98,12 @@
col.removeResource(col.getResource(dockey) );
} catch (Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
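Review bot: `URLEncoder.encode(e.getMessage())` on the redirect line uses the single-argument form, which encodes with the platform default charset and is deprecated since J2SE 1.4 in favour of `URLEncoder.encode(msg, "UTF-8")`; a non-ASCII driver message can therefore be mis-decoded by the JSP. If the project still targets 1.3 this cannot change yet, in which case a comment recording that assumption, `// single-arg encode: platform charset, required for JDK 1.3`, would help the next maintainer. The exception text itself is also user-visible through the query string, so a generic message with the detail kept in the server log would avoid disclosing internals. The surrounding method starts outside the hunk.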
@@ -105,7 +111,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return true;
1.2 +7 -3
xml-xindice/java/examples/Addressbook/src/java/addressbook/EditContact.java
Index: EditContact.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/EditContact.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- EditContact.java 6 Dec 2001 19:33:52 -0000 1.1
+++ EditContact.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: EditContact.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: EditContact.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -110,6 +110,12 @@
col.storeResource(resource);
} catch ( Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
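Review bot: The two `sendRedirect("/Addressbook/error.jsp...")` lines hard-code the web application's context path, so the example breaks as soon as it is deployed under a different context root; if the servlet request is reachable from this task, `request.getContextPath() + "/error.jsp"` keeps it portable. This is a style point only, and the same disclosure of the exception message to the client that the other Addressbook tasks have applies here too. The method this catch belongs to starts before the hunk.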
@@ -117,8 +123,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
-
- e.printStackTrace();
}
return true;
1.2 +7 -2
xml-xindice/java/examples/Addressbook/src/java/addressbook/ListContacts.java
Index: ListContacts.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/ListContacts.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ListContacts.java 6 Dec 2001 19:33:52 -0000 1.1
+++ ListContacts.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: ListContacts.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: ListContacts.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -101,6 +101,12 @@
group.addResults(results);
} catch (Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
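Review bot: `catch (Exception e)` at the start of the hunk also captures runtime failures such as NullPointerException from the listing code above it, and with the new committed-response early return those are now silently swallowed after a stderr trace; narrowing the catch to the checked types the XML:DB calls actually throw (presumably `XMLDBException` plus `IOException`) would let genuine programming errors surface through the container's own error handling. If the broad catch is intentional for a demo, say so in a comment, e.g. `// example code: any failure goes to the error page`. The enclosing method starts before the hunk.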
@@ -108,7 +114,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return true;
1.2 +13 -3
xml-xindice/java/examples/Addressbook/src/java/addressbook/SearchContacts.java
Index: SearchContacts.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/SearchContacts.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- SearchContacts.java 6 Dec 2001 19:33:52 -0000 1.1
+++ SearchContacts.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: SearchContacts.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: SearchContacts.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -122,6 +122,12 @@
group.addResults(results);
} catch(Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
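Review bot: The catch body in this hunk is repeated verbatim in the second hunk of this file and in every other Addressbook task in the commit, so the log/isCommitted/redirect sequence now exists in seven copies that will drift the next time one of them is touched. A small private helper in the common `Task` base, called as `reportError(response, e);` from each catch, that prints the trace, returns when `response.isCommitted()`, and otherwise sends the redirect with the optional encoded message would reduce each catch to one line. The enclosing method starts before this hunk.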
@@ -129,7 +135,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return true;
@@ -165,6 +170,12 @@
group.addResults(results);
} catch(Exception e) {
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return true;
+
// Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
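Review bot: The `if (response.isCommitted()) return true;` guard fixes the IllegalStateException, but on that path the client has already received a 200 status and a partial listing, so the failure is invisible to the user. If the writer is still usable when the response is committed, emitting a short visible marker before returning, `response.getWriter().println("<!-- search aborted: see server log -->");`, at least leaves a trace in the page; whether the writer is in a usable state here depends on the rendering code outside this hunk. The enclosing method begins before the hunk.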
@@ -172,7 +183,6 @@
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
- e.printStackTrace();
}
return true;
1.2 +8 -4
xml-xindice/java/examples/Addressbook/src/java/addressbook/Task.java
Index: Task.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/examples/Addressbook/src/java/addressbook/Task.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- Task.java 6 Dec 2001 19:33:52 -0000 1.1
+++ Task.java 11 Mar 2002 22:32:35 -0000 1.2
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: Task.java,v 1.1 2001/12/06 19:33:52 bradford Exp $
+ * $Id: Task.java,v 1.2 2002/03/11 22:32:35 kstaken Exp $
*/
import java.io.*;
@@ -173,15 +173,19 @@
}
} catch( Exception e ) {
- // Catch the exception and send the user to the error page
+ e.printStackTrace();
+
+ // there's not much else we can do if the response is committed
+ if (response.isCommitted())
+ return;
+
+ // Catch the exception and send the user to the error page
if (e.getMessage() != null ) {
response.sendRedirect("/Addressbook/error.jsp?error=" +
URLEncoder.encode(e.getMessage()) );
}
else {
response.sendRedirect("/Addressbook/error.jsp" );
}
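Review bot: With this catch now returning early when the response is committed, a failure that occurs mid-render ends the request with a truncated body and no status change, which reads as success to the browser and to any monitoring on status codes; if this method is the base-class entry point that the other tasks extend, it is the one place where that outcome should be documented. A comment above the guard, `// response already flushed to the client: cannot redirect, the partial page stands and the failure is only in the server log`, would make the trade-off explicit. Also note `e.printStackTrace()` goes to stderr rather than the container log. The enclosing method starts before the hunk.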
-
- e.printStackTrace();
}
}
1.3 +8 -1
xml-xindice/java/src/org/apache/xindice/server/services/HTTPServer.java
Index: HTTPServer.java
===================================================================
RCS file:
/home/cvs/xml-xindice/java/src/org/apache/xindice/server/services/HTTPServer.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- HTTPServer.java 26 Feb 2002 07:10:09 -0000 1.2
+++ HTTPServer.java 11 Mar 2002 22:32:36 -0000 1.3
@@ -56,7 +56,7 @@
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
- * $Id: HTTPServer.java,v 1.2 2002/02/26 07:10:09 kstaken Exp $
+ * $Id: HTTPServer.java,v 1.3 2002/03/11 22:32:36 kstaken Exp $
*/
import org.apache.xindice.server.*;
@@ -738,6 +738,13 @@
boolean foundscript = false;
st = new StringTokenizer(pathinfo, "/", true);
+
+ // protect against platform-specific file separator attacks
+ String tokens = "/";
+ if ( ! File.separator.equals(tokens) )
+ tokens += File.separator;
+
+ st = new StringTokenizer(pathinfo, tokens, true);
while ( st.hasMoreTokens() ) {
token = st.nextToken();
if ( !foundscript && token.endsWith(".jug") ) {
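Review bot: The original `st = new StringTokenizer(pathinfo, "/", true);` at the top of the hunk is now dead — it is overwritten four lines later by the tokenizer built over `tokens` — and should be deleted so the next reader does not assume two passes are intended. The widened delimiter set stops a literal `\` on Windows from hiding a `..` segment inside a single token, but the tokenizer only splits: whatever rejects `..` or an absolute path has to be in the loop body below, which is outside this hunk, and percent-encoded separators (`%5C`, `%2F`) are only neutralised if `pathinfo` was decoded before reaching here. A defence that does not depend on separator or encoding details is to resolve the script file and check `f.getCanonicalPath().startsWith(scriptRoot.getCanonicalPath() + File.separator)` before opening it. The enclosing method starts before the hunk.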