incubator-cloudstack-commits mailing list archives

From bhais...@apache.org
Subject git commit: refs/heads/4.1 - CLOUDSTACK-863: Fix Non-printable characters in api call
Date Sat, 16 Feb 2013 06:27:04 GMT
Updated Branches:
  refs/heads/4.1 8863031c4 -> ed06c1694


CLOUDSTACK-863: Fix Non-printable characters in api call

Non-printable characters result in empty pages for all users loading the
corrupted object in the web interface. They also cause the API call results
to be truncated with an error when the non-printable characters are encountered.
Every decoded parameter value is checked for control characters using OWASP's
ESAPI library.

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
(cherry picked from commit 87b668b71b34c93e9ba85d4708a1c04f4020f6bf)

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/ed06c169
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/ed06c169
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/ed06c169

Branch: refs/heads/4.1
Commit: ed06c16944ec28b254a5f1c7acb9152c44918467
Parents: 8863031
Author: Likitha Shetty <likitha.shetty@citrix.com>
Authored: Mon Feb 11 16:53:12 2013 +0530
Committer: Rohit Yadav <bhaisaab@apache.org>
Committed: Sat Feb 16 11:56:50 2013 +0530

----------------------------------------------------------------------
 server/src/com/cloud/api/ApiServer.java    |    6 ++++++
 utils/pom.xml                              |    5 +++++
 utils/src/com/cloud/utils/StringUtils.java |    5 +++++
 3 files changed, 16 insertions(+), 0 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/ed06c169/server/src/com/cloud/api/ApiServer.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index ee513df..6f4c932 100755
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -326,6 +326,12 @@ public class ApiServer implements HttpRequestHandler {
                         continue;
                     }
                     String[] value = (String[]) params.get(key);
+                    // fail if parameter value contains ASCII control (non-printable) characters
+                    String newValue = StringUtils.stripControlCharacters(value[0]);
+                    if ( !newValue.equals(value[0]) ) {
+                        throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received
value " + value[0] + " for parameter "
+                                + key + " is invalid, contains illegal ASCII non-printable
characters");
+                    }
                     paramMap.put(key, value[0]);
                 }
 
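Review bot: The rejected value is echoed back verbatim in the exception message on the new `throw` lines, so the control characters this check is meant to keep out of API responses and server logs are emitted anyway, and a CR/LF inside the value lets a client forge log lines; report only the key, or the stripped form, e.g. `throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Received value for parameter " + key + " is invalid, contains illegal ASCII non-printable characters");`. If I recall ESAPI 2.0.x correctly, `StringUtilities.stripControls` replaces every character outside 0x21–0x7E with a space, in which case this equality comparison would also reject legitimate non-ASCII (UTF-8) parameter values, and a null `value[0]` would surface as a NullPointerException rather than PARAM_ERROR — both worth confirming against the library source. The key itself is not validated here even though it reaches `paramMap.put` alongside the value. The enclosing method continues outside the hunk.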

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/ed06c169/utils/pom.xml
----------------------------------------------------------------------
diff --git a/utils/pom.xml b/utils/pom.xml
index 937fad3..e4fd2b0 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -157,6 +157,11 @@
       <artifactId>reflections</artifactId>
       <version>${cs.reflections.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.owasp.esapi</groupId>
+      <artifactId>esapi</artifactId>
+      <version>2.0.1</version>
+    </dependency>
   </dependencies>
   <build>
     <defaultGoal>install</defaultGoal>
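Review bot: The new esapi dependency hard-codes `<version>2.0.1</version>` while the neighbouring dependency follows the project's `${cs.*.version}` property convention; use `<version>${cs.esapi.version}</version>` with the value defined in the parent POM so that upgrades (including future security fixes to ESAPI itself) are managed in one place. ESAPI is, in my experience, a large library with a broad transitive dependency tree, and it is being pulled into the utils module to back a single one-line helper; consider whether a few lines of local code would be the smaller supply-chain surface, or at minimum review and exclude the transitive artifacts that are not needed.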

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/ed06c169/utils/src/com/cloud/utils/StringUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java
index 8f0a503..14ff4b1 100644
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@@ -23,6 +23,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;
 
+import org.owasp.esapi.StringUtilities;
+
 // StringUtils exists in Apache Commons Lang, but rather than import the entire JAR to our
system, for now
 // just implement the method needed
 public class StringUtils {
@@ -150,6 +152,9 @@ public class StringUtils {
         return cleanResult;
     }
 
+    public static String stripControlCharacters(String s) {
+        return StringUtilities.stripControls(s);
+    }
 
     public static int formatForOutput(String text, int start, int columns, char separator)
{
         if (start >= text.length()) {
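Review bot: `stripControlCharacters` has no Javadoc, and because its caller compares the result for equality with the input to decide whether to reject a request, the exact contract matters: whether controls are removed or replaced, what happens to characters above 0x7E, and what happens on null. Propose `/** Returns s with ASCII control characters stripped; delegates to ESAPI StringUtilities.stripControls — see that method for exactly which characters are affected and its behaviour on null. */`, and confirm against the ESAPI source that non-ASCII characters are preserved, since otherwise the name is misleading for UTF-8 input. A guard `if (s == null) return null;` would also make the helper safe to call on optional parameters. The enclosing class continues outside the hunk.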

