jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1581770 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/ oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/
Date Wed, 26 Mar 2014 09:47:12 GMT
Author: angela
Date: Wed Mar 26 09:47:11 2014
New Revision: 1581770

URL: http://svn.apache.org/r1581770
Log:
OAK-1615 : Incomplete escaping in XPathConditionVisitor

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
    jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
Wed Mar 26 09:47:11 2014
@@ -22,6 +22,7 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Value;
 
 import org.apache.jackrabbit.api.security.user.QueryBuilder;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
@@ -82,7 +83,7 @@ public final class QueryUtil {
      * @return escaped string
      */
     @Nonnull
-    public static String escapeNodeName(String string) {
+    public static String escapeNodeName(@Nonnull String string) {
         StringBuilder result = new StringBuilder();
 
         int k = 0;
@@ -107,11 +108,12 @@ public final class QueryUtil {
     }
 
     @Nonnull
-    public static String format(Value value) throws RepositoryException {
+    public static String format(@Nonnull Value value) throws RepositoryException {
+        String s;
         switch (value.getType()) {
             case PropertyType.STRING:
             case PropertyType.BOOLEAN:
-                return '\'' + value.getString() + '\'';
+                return '\'' + QueryUtil.escapeForQuery(value.getString()) + '\'';
 
             case PropertyType.LONG:
             case PropertyType.DOUBLE:
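Review bot: The local `String s;` added at the top of `format()` is never assigned or read in the lines visible here; unless a case outside this hunk uses it, it should be dropped. Separately, the STRING/BOOLEAN case now routes `value.getString()` through `escapeForQuery` before wrapping it in single quotes, and a short comment such as `// quote-delimited literal: the value must be escaped before it is embedded` would record why the call is there. The rest of the switch lies outside the hunk.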
@@ -126,7 +128,12 @@ public final class QueryUtil {
     }
 
     @Nonnull
-    public static String escapeForQuery(String value) {
+    public static String escapeForQuery(@Nonnull String oakName, @Nonnull NamePathMapper
namePathMapper) {
+        return escapeForQuery(namePathMapper.getJcrName(oakName));
+    }
+
+    @Nonnull
+    public static String escapeForQuery(@Nonnull String value) {
         StringBuilder ret = new StringBuilder();
         for (int i = 0; i < value.length(); i++) {
             char c = value.charAt(i);
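Review bot: The new public overload `escapeForQuery(String, NamePathMapper)` has no Javadoc, although the neighbouring `escapeNodeName` carries one. I would add `/** Maps the given Oak name to its JCR name and escapes the result for embedding in a query statement. */`. The single-argument variant should also state which characters it escapes and for which part of a statement (quoted literal or name) the result is meant to be safe. Its body continues outside the hunk, so that cannot be read off here.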
@@ -142,7 +149,7 @@ public final class QueryUtil {
     }
 
     @Nonnull
-    public static RelationOp getCollation(QueryBuilder.Direction direction) throws RepositoryException
{
+    public static RelationOp getCollation(@Nonnull QueryBuilder.Direction direction) throws
RepositoryException {
         switch (direction) {
             case ASCENDING:
                 return RelationOp.GT;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
Wed Mar 26 09:47:11 2014
@@ -47,9 +47,9 @@ class XPathConditionVisitor implements C
     public void visit(Condition.Node condition) throws RepositoryException {
         statement.append('(')
                 .append("jcr:like(@")
-                .append(namePathMapper.getJcrName(UserConstants.REP_PRINCIPAL_NAME))
+                .append(QueryUtil.escapeForQuery(UserConstants.REP_PRINCIPAL_NAME, namePathMapper))
                 .append(",'")
-                .append(condition.getPattern())
+                .append(QueryUtil.escapeForQuery(condition.getPattern()))
                 .append("')")
                 .append(" or ")
                 .append("jcr:like(fn:name(),'")
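Review bot: Only the first `jcr:like` operand in `visit(Condition.Node)` is visibly switched to `escapeForQuery`. The argument appended after `jcr:like(fn:name(),'` lies outside the hunk, so it cannot be confirmed from here that the same caller-supplied pattern is escaped on that path too. If it goes through a different helper (presumably `escapeNodeName`, given the `fn:name()` comparison), a one-line comment such as `// node-name comparison: pattern is escaped as a node name, not as a plain literal` would show that the asymmetry is deliberate.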
@@ -62,15 +62,15 @@ class XPathConditionVisitor implements C
     public void visit(Condition.Property condition) throws RepositoryException {
         RelationOp relOp = condition.getOp();
         if (relOp == RelationOp.EX) {
-            statement.append(condition.getRelPath());
+            statement.append(QueryUtil.escapeForQuery(condition.getRelPath()));
         } else if (relOp == RelationOp.LIKE) {
             statement.append("jcr:like(")
-                    .append(condition.getRelPath())
+                    .append(QueryUtil.escapeForQuery(condition.getRelPath()))
                     .append(",'")
-                    .append(condition.getPattern())
+                    .append(QueryUtil.escapeForQuery(condition.getPattern()))
                     .append("')");
         } else {
-            statement.append(condition.getRelPath())
+            statement.append(QueryUtil.escapeForQuery(condition.getRelPath()))
                     .append(condition.getOp().getOp())
                     .append(QueryUtil.format(condition.getValue()));
         }
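Review bot: `condition.getRelPath()` is appended outside any quotes, yet it goes through the same `escapeForQuery` used for the quoted pattern and value. This applies to all three branches here and again to `visit(Condition.Contains)` in the next hunk. Escaping designed for a string literal does not by itself stop a relative path or property name from contributing brackets, operators or whitespace to the statement structure. The escape routine's body is not visible in this diff, so the characters it covers should be confirmed. A stricter option is to validate the path segment by segment as a JCR name before appending it and reject anything else, with a comment like `// relPath is unquoted: validate as a name path, escaping alone is not sufficient`.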
@@ -79,9 +79,9 @@ class XPathConditionVisitor implements C
     @Override
     public void visit(Condition.Contains condition) {
         statement.append("jcr:contains(")
-                .append(condition.getRelPath())
+                .append(QueryUtil.escapeForQuery(condition.getRelPath()))
                 .append(",'")
-                .append(condition.getSearchExpr())
+                .append(QueryUtil.escapeForQuery(condition.getSearchExpr()))
                 .append("')");
     }
 
@@ -97,15 +97,15 @@ class XPathConditionVisitor implements C
         }
         if (isAdmin) {
             statement.append('@')
-                    .append(namePathMapper.getJcrName(JcrConstants.JCR_PRIMARYTYPE))
+                    .append(QueryUtil.escapeForQuery(JcrConstants.JCR_PRIMARYTYPE, namePathMapper))
                     .append("='")
-                    .append(namePathMapper.getJcrName(UserConstants.NT_REP_USER))
+                    .append(QueryUtil.escapeForQuery(UserConstants.NT_REP_USER, namePathMapper))
                     .append('\'');
         } else {
             statement.append('@')
-                    .append(namePathMapper.getJcrName(UserConstants.REP_IMPERSONATORS))
+                    .append(QueryUtil.escapeForQuery(UserConstants.REP_IMPERSONATORS, namePathMapper))
                     .append("='")
-                    .append(condition.getName())
+                    .append(QueryUtil.escapeForQuery(condition.getName()))
                     .append('\'');
         }
     }

Modified: jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
(original)
+++ jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
Wed Mar 26 09:47:11 2014
@@ -36,6 +36,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
 import org.junit.Test;
 
 /**
@@ -611,12 +612,11 @@ public class UserQueryTest extends Abstr
         final String adminPrincipalName = userMgr.getAuthorizable(superuser.getUserID()).getPrincipal().getName();
         Iterator<Authorizable> result = userMgr.findAuthorizables(new Query() {
             public <T> void build(QueryBuilder<T> builder) {
-                builder.setCondition(builder.
-                        impersonates(adminPrincipalName));
+                builder.setCondition(builder.impersonates(adminPrincipalName));
             }
         });
 
-        Iterator<Authorizable> expected = userMgr.findAuthorizables("rep:principalName",
null, UserManager.SEARCH_TYPE_USER);
+        Iterator<Authorizable> expected = userMgr.findAuthorizables(UserConstants.REP_PRINCIPAL_NAME,
null, UserManager.SEARCH_TYPE_USER);
         assertTrue(result.hasNext());
         assertSameElements(expected, result);
     }
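Review bot: The changes visible in UserQueryTest are a line join and a constant substitution; no test case exercises the escaping that this commit adds to the query builder. A regression test that runs `findAuthorizables` with condition values containing a single quote and a backslash (for `impersonates` and for the pattern and property conditions) would pin the fix. It should assert that the query neither fails to parse nor returns authorizables unrelated to the value. The test method shown here starts outside the hunk.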


