From "Jarek Gawor" <jga...@gmail.com>
Subject Re: svn commit: r727631 - in /geronimo/server/trunk: framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.js
Date Thu, 18 Dec 2008 17:07:31 GMT
Joe,

I think these checks in AbstractRepository should go into the Artifact
class itself. That way, no Artifact instance could ever be created
with a bad group, or artifact name, etc. Also, as a double check I
would add the following to Maven2Repository.getLocation() in order to
check if the created path is still rooted at the rootFile:

if (!path.getCanonicalPath().startsWith(rootFile.getCanonicalPath())) {
  throw new RuntimeException("File " + path + " is not rooted at " + rootFile);
}

Jarek

On Wed, Dec 17, 2008 at 10:54 PM,  <jbohn@apache.org> wrote:
> Author: jbohn
> Date: Wed Dec 17 19:54:10 2008
> New Revision: 727631
>
> URL: http://svn.apache.org/viewvc?rev=727631&view=rev
> Log:
> GERONIMO-4473 validate group, artifact, version and type when adding an archive to the
repo
>
> Modified:
>    geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
>    geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
>
> Modified: geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
> URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java?rev=727631&r1=727630&r2=727631&view=diff
> ==============================================================================
> --- geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
(original)
> +++ geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/AbstractRepository.java
Wed Dec 17 19:54:10 2008
> @@ -27,6 +27,8 @@
>  import java.util.HashMap;
>  import java.util.LinkedHashSet;
>  import java.util.Map;
> +import java.util.regex.Matcher;
> +import java.util.regex.Pattern;
>  import java.util.zip.ZipEntry;
>  import java.util.zip.ZipException;
>  import java.util.zip.ZipFile;
> @@ -50,6 +52,7 @@
>  public abstract class AbstractRepository implements WriteableRepository {
>     protected final Logger log = LoggerFactory.getLogger(getClass());
>     private final static ArtifactTypeHandler DEFAULT_TYPE_HANDLER = new CopyArtifactTypeHandler();
> +    private final static Pattern ILLEGAL_CHARS = Pattern.compile("[\\.]{2}|[()<>,;:\\\\/\"\']");
>     protected final File rootFile;
>     private final Map<String, ArtifactTypeHandler> typeHandlers = new HashMap<String,
ArtifactTypeHandler>();
>
> @@ -153,6 +156,20 @@
>     }
>
>     public void copyToRepository(File source, Artifact destination, FileWriteMonitor
monitor) throws IOException {
> +
> +        // ensure there are no illegal chars in destination elements
> +        Matcher groupMatcher = ILLEGAL_CHARS.matcher(destination.getGroupId());
> +        Matcher artifactMatcher = ILLEGAL_CHARS.matcher(destination.getArtifactId());
> +        Matcher versionMatcher = ILLEGAL_CHARS.matcher(destination.getVersion().toString());
> +        Matcher typeMatcher = ILLEGAL_CHARS.matcher(destination.getType());
> +        if (groupMatcher.find() ||
> +            artifactMatcher.find() ||
> +            versionMatcher.find() ||
> +            typeMatcher.find())
> +        {
> +            throw new IllegalArgumentException("Artifact  "+destination+" contains illegal
characters, .. ( ) < > , ; : / \\ \' \" ");
> +        }
> +
>         if(!destination.isResolved()) {
>             throw new IllegalArgumentException("Artifact "+destination+" is not fully
resolved");
>         }
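Review bot: The new check evaluates `destination.getVersion().toString()` before the existing `isResolved()` guard, so an Artifact whose version is unset (presumably what "not fully resolved" covers) now dies with a NullPointerException instead of the intended IllegalArgumentException; move the added block below the `if(!destination.isResolved())` check. The check is also a deny-list: anything not in `ILLEGAL_CHARS` — whitespace, `*`, `?`, `|`, a NUL byte, a bare `.` element — still flows into the repository path, while the console JSP in the same commit tells the user the fields "must only contain letters, numbers, and underscores", a rule the server never enforces. If the repository's naming rules allow it, an allow-list such as `Pattern.compile("[A-Za-z0-9._-]+")` tested with `matches()` on each element, kept together with the `..` rejection, would make the server the authority and match the user-facing message. The rest of copyToRepository continues outside the hunk.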
>
> Modified: geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
> URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp?rev=727631&r1=727630&r2=727631&view=diff
> ==============================================================================
> --- geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
(original)
> +++ geronimo/server/trunk/plugins/console/console-base-portlets/src/main/webapp/WEB-INF/view/repository/normal.jsp
Wed Dec 17 19:54:10 2008
> @@ -37,7 +37,8 @@
>  </style>
>
>  <script language="JavaScript">
> -function <portlet:namespace/>validate() {
> +function <portlet:namespace/>validateForm() {
> +   var illegalChars= /[\.]{2}|[()<>,;:\\/"']/ ;
>    if (! (document.<portlet:namespace/>fileSelect.local.value
>       && document.<portlet:namespace/>fileSelect.group.value
>       && document.<portlet:namespace/>fileSelect.artifact.value
> @@ -46,6 +47,18 @@
>    {
>       alert("File, Group, Artifact, Version, and Type are all required fields");
>       return false;
> +   } else if (document.<portlet:namespace/>fileSelect.group.value.match(illegalChars))
{
> +       alert("Group contains invalid characters - must only contain letters, numbers,
and underscores");
> +       return false;
> +   } else if (document.<portlet:namespace/>fileSelect.artifact.value.match(illegalChars))
{
> +       alert("Artifact contains invalid characters - must only contain letters, numbers,
and underscores");
> +       return false;
> +   } else if (document.<portlet:namespace/>fileSelect.version.value.match(illegalChars))
{
> +       alert("Version contains invalid characters - must only contain letters, numbers,
and underscores");
> +       return false;
> +   } else if (document.<portlet:namespace/>fileSelect.fileType.value.match(illegalChars))
{
> +       alert("File type contains invalid characters - must only contain letters, numbers,
and underscores");
> +       return false;
>    }
>  }
>
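Review bot: The four alert messages say the field "must only contain letters, numbers, and underscores", but `illegalChars` is a deny-list that accepts dots, hyphens, spaces and most other characters, so the text states a stricter rule than the code applies (and `org.apache.geronimo` or `1.0-SNAPSHOT` pass despite it). Either word the alerts after the regex, e.g. `alert("Group must not contain .. or any of ( ) < > , ; : \\ / \" '");`, or switch to an allow-list and test with `!value.match(/^[A-Za-z0-9._-]+$/)`, whichever the repository naming rules call for. As client-side script this is a usability check only; the check in AbstractRepository remains the security control and the two should agree. The validateForm function starts before this hunk.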
> @@ -94,7 +107,7 @@
>  <table width="100%">
>  <tr>
>   <td align="center">
> -  <form onsubmit="return <portlet:namespace/>validate();" enctype="multipart/form-data"
name="<portlet:namespace/>fileSelect" method="POST" action="<portlet:actionURL><portlet:param
name="action" value="deploy"/></portlet:actionURL>">
> +  <form onsubmit="return <portlet:namespace/>validateForm();" enctype="multipart/form-data"
name="<portlet:namespace/>fileSelect" method="POST" action="<portlet:actionURL><portlet:param
name="action" value="deploy"/></portlet:actionURL>">
>   <table>
>     <tr>
>       <th colspan="2"><fmt:message key="repository.normal.addArchiveToRepository"/></th>
>
>
>
