From jb...@apache.org
Subject svn commit: r758297 [2/2] - in /geronimo/server/trunk: framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/repository/ framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/util/ framework/modules/geronimo-se...
Date Wed, 25 Mar 2009 15:11:59 GMT
Modified: geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
(original)
+++ geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp
Wed Mar 25 15:11:16 2009
@@ -42,7 +42,7 @@
 }
 function validate() {
    if (! (document.editView.name.value 
-      && document.editView.description.value  ))
+      && document.editView.minxss_description.value  ))
    {
       alert("Name and Description are required fields");
       return false;
@@ -91,7 +91,7 @@
     <tr>
       <td><label for="<portlet:namespace/>description"><fmt:message
key="monitor.common.desc"/></label>:</td>
       <td>&nbsp;</td>
-      <td align="right"><textarea rows="5" cols="50" name="description" id="<portlet:namespace/>description"><%=view.getDescription()%></textarea></td>
+      <td align="right"><textarea rows="5" cols="50" name="minxss_description" id="<portlet:namespace/>description"><%=view.getDescription()%></textarea></td>
     </tr>
     <tr>
       <td valign="top"><fmt:message key="monitor.common.graph"/>:</td>
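Review bot: The textarea on the new line still writes `<%=view.getDescription()%>` into the page without any output encoding, so a stored description containing `</textarea><script>` breaks out of the element on the next render. Renaming the field to `minxss_description` looks intended to relax the request-side XSS filter for this parameter (inferred from the name; confirm against XSSXSRFFilter), which makes escaping at this output point the only remaining defense. Replace the scriptlet with `<c:out value="${view.description}"/>` (adding the JSTL core taglib directive if the page does not already declare it), or escape in Java before the value reaches the view. The label's `for`/`id` pairing is unchanged, so only the `name` attribute needed to move.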

Modified: geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
(original)
+++ geronimo/server/trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/web.xml
Wed Mar 25 15:11:16 2009
@@ -19,6 +19,23 @@
 <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
+    <!-- XSS/XSRF filter -->
+    <filter>
+        <filter-name>XSSXSRFFilter</filter-name>
+        <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+            <init-param>
+                <param-name>enableXSRF</param-name>
+                <param-value>false</param-value>
+            </init-param>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSXSRFFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <listener>
+        <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+    </listener>
+
     <servlet>
         <servlet-name>popUpGraph</servlet-name>
         <servlet-class>org.apache.geronimo.monitoring.console.PopUpGraphServlet</servlet-class>
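Review bot: The `enableXSRF` init-param set to `false` switches off the XSRF half of a filter named XSSXSRFFilter for the whole monitoring console (mapped `/*`), and nothing in the hunk records why; the edit-view form touched elsewhere in this commit is a state-changing request that would be covered by a token check. Add a comment beside the parameter stating the reason and the plan, e.g. `<!-- XSRF token checks disabled for this webapp because …; re-enable once … -->`, with the blanks filled in. The same class is also registered as a `<listener>`; the container will reject the deployment if it does not implement a listener interface — presumably it does, since the welcome webapp gets the same pair in this commit, but worth confirming.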

Modified: geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
(original)
+++ geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/java/org/apache/geronimo/console/internaldb/RunSQLHelper.java
Wed Mar 25 15:11:16 2009
@@ -29,6 +29,8 @@
 
 import org.apache.geronimo.console.BasePortlet;
 
+import org.apache.geronimo.kernel.util.InputUtils;
+
 public class RunSQLHelper {
 
     private static final Logger log = LoggerFactory.getLogger(RunSQLHelper.class);
@@ -48,6 +50,10 @@
     }
     
     public boolean createDB(String dbName, PortletRequest request) {
+
+        // ensure there are no illegal chars in DB name
+        InputUtils.validateSafeInput(dbName);
+
         Connection conn = null;
         try {
             conn = DerbyConnectionUtil.getDerbyConnection(dbName,
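Review bot: `InputUtils.validateSafeInput(dbName)` on the added line has its result discarded, so the guard only works if the helper throws on bad input; if it instead reports by return value the call is a no-op and an unvalidated name still flows into `DerbyConnectionUtil.getDerbyConnection` on the next line. InputUtils is not visible here — if it returns a flag, change the line to `if (!InputUtils.validateSafeInput(dbName)) { return false; }`; if it throws, say so, e.g. `// throws on illegal characters in dbName; the exception propagates out of createDB`, so callers handling an unchecked exception from a method that otherwise returns boolean is a deliberate choice. The body of createDB continues past the hunk, so whether its existing catch blocks would swallow that exception cannot be seen from here.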

Modified: geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
(original)
+++ geronimo/server/trunk/plugins/system-database/sysdb-portlets/src/main/webapp/WEB-INF/view/internaldb/runSQLNormal.jsp
Wed Mar 25 15:11:16 2009
@@ -29,12 +29,16 @@
 var <portlet:namespace/>requiredFields2 = new Array("sqlStmts");
 
 function <portlet:namespace/>validateForm1(){
+    var illegalChars= /[\.]{2}|[()<>,;:\\/"'\|]/ ;
     var action = document.forms[<portlet:namespace/>formName].elements['action'];
     action.value="Create";
-    var valid = textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields);
-    if (!valid) {
+    if (!textElementsNotEmpty(<portlet:namespace/>formName, <portlet:namespace/>requiredFields))

+    {
         addErrorMessage("<portlet:namespace/>", '<fmt:message key="internaldb.common.emptyText"/>');
         return false;
+    } else if (document.forms[<portlet:namespace/>formName].createDB.value.match(illegalChars))
{
+        alert("Database name contains illegal characters");
+        return false;
     }
     else
         return true;
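Review bot: The illegal-character check added to validateForm1 is a denylist regex, so anything it does not list — whitespace, `*`, `?`, `%`, `=`, non-ASCII, a single `.` — still passes, and the two failure branches report differently: `addErrorMessage` for the empty case but a bare `alert` for the illegal-character case. An allowlist is easier to reason about, e.g. `var illegalChars = /[^A-Za-z0-9_\-]/;` (adjusted to whatever the server-side rule accepts), and the second branch should call `addErrorMessage("<portlet:namespace/>", …)` like the first so the message lands in the same place. This runs in the browser, so it is a usability check rather than a security control; only the server-side validation can be relied on. The function's closing brace is outside the hunk.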

Modified: geronimo/server/trunk/plugins/welcome/geronimo-welcome/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/welcome/geronimo-welcome/pom.xml?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/welcome/geronimo-welcome/pom.xml (original)
+++ geronimo/server/trunk/plugins/welcome/geronimo-welcome/pom.xml Wed Mar 25 15:11:16 2009
@@ -40,6 +40,12 @@
 
     <dependencies>
         <dependency>
+            <groupId>org.apache.geronimo.plugins</groupId>
+            <artifactId>console-filter</artifactId>
+            <version>${version}</version>
+        </dependency>
+
+        <dependency>
             <groupId>org.apache.geronimo.framework</groupId>
             <artifactId>geronimo-plugin</artifactId>
             <version>${version}</version>

Modified: geronimo/server/trunk/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml?rev=758297&r1=758296&r2=758297&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
(original)
+++ geronimo/server/trunk/plugins/welcome/geronimo-welcome/src/main/webapp/WEB-INF/web.xml
Wed Mar 25 15:11:16 2009
@@ -26,46 +26,17 @@
         Welcome to Geronimo
     </description>
 
-    <!--<servlet>-->
-        <!--<servlet-name>jsp_sample_installer</servlet-name>-->
-        <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
-        <!--<init-param>-->
-            <!--<param-name>moduleId</param-name>-->
-            <!--<param-value>org.apache.geronimo.samples/jsp-examples-SERVER//car</param-value>-->
-        <!--</init-param>-->
-    <!--</servlet>-->
-
-    <!--<servlet>-->
-        <!--<servlet-name>servlet_sample_installer</servlet-name>-->
-        <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
-        <!--<init-param>-->
-            <!--<param-name>moduleId</param-name>-->
-            <!--<param-value>org.apache.geronimo.samples/servlet-examples-SERVER//car</param-value>-->
-        <!--</init-param>-->
-    <!--</servlet>-->
-
-    <!--<servlet>-->
-        <!--<servlet-name>ldap_sample_installer</servlet-name>-->
-        <!--<servlet-class>org.apache.geronimo.welcome.AbsentSampleServlet</servlet-class>-->
-        <!--<init-param>-->
-            <!--<param-name>moduleId</param-name>-->
-            <!--<param-value>org.apache.geronimo.samples/ldap-sample-app-SERVER//car</param-value>-->
-        <!--</init-param>-->
-    <!--</servlet>-->
-
-    <!--<servlet-mapping>-->
-        <!--<servlet-name>jsp_sample_installer</servlet-name>-->
-        <!--<url-pattern>/jsp-examples/*</url-pattern>-->
-    <!--</servlet-mapping>-->
-
-    <!--<servlet-mapping>-->
-        <!--<servlet-name>servlet_sample_installer</servlet-name>-->
-        <!--<url-pattern>/servlets-examples/*</url-pattern>-->
-    <!--</servlet-mapping>-->
-
-    <!---<servlet-mapping>-->
-        <!--<servlet-name>ldap_sample_installer</servlet-name>-->
-        <!--<url-pattern>/ldap-demo/*</url-pattern>-->
-    <!--</servlet-mapping>-->
+    <!-- XSS/XSRF filter -->
+    <filter>
+        <filter-name>XSSXSRFFilter</filter-name>
+        <filter-class>org.apache.geronimo.console.filter.XSSXSRFFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>XSSXSRFFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <listener>
+        <listener-class>org.apache.geronimo.console.filter.XSSXSRFFilter</listener-class>
+    </listener>
 
 </web-app>
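Review bot: This filter declaration has no `enableXSRF` init-param, while the mconsole-war web.xml in the same commit explicitly sets it to `false`, so the two webapps presumably end up in different XSRF modes depending on the filter's default, and neither file states which mode is intended. Add a one-line comment above the `<filter>` recording the expected behaviour for the welcome app, e.g. `<!-- enableXSRF left at the filter default (confirm the default); this webapp has no state-changing forms -->`, adjusted once the default is checked. Dropping the commented-out sample-installer servlets is fine; they were dead configuration.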


