From lu4...@apache.org
Subject svn commit: r1212603 - in /myfaces/core/branches/2.0.x: impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
Date Fri, 09 Dec 2011 19:58:43 GMT
Author: lu4242
Date: Fri Dec  9 19:58:43 2011
New Revision: 1212603

URL: http://svn.apache.org/viewvc?rev=1212603&view=rev
Log:
MYFACES-3414 MyFaces ResourceImpl$ValueExpressionFilterInputStream does not handle resolving
long URLs

Added:
    myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
  (with props)
Modified:
    myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java

Modified: myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java?rev=1212603&r1=1212602&r2=1212603&view=diff
==============================================================================
--- myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
(original)
+++ myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
Fri Dec  9 19:58:43 2011
@@ -18,13 +18,13 @@
  */
 package org.apache.myfaces.application;
 
-import org.apache.myfaces.renderkit.ErrorPageWriter;
 import org.apache.myfaces.shared.resource.ResourceHandlerCache;
 import org.apache.myfaces.shared.resource.ResourceHandlerCache.ResourceValue;
 import org.apache.myfaces.shared.resource.ResourceHandlerSupport;
 import org.apache.myfaces.shared.resource.ResourceImpl;
 import org.apache.myfaces.shared.resource.ResourceLoader;
 import org.apache.myfaces.shared.resource.ResourceMeta;
+import org.apache.myfaces.shared.resource.ResourceValidationUtils;
 import org.apache.myfaces.shared.util.ClassUtils;
 import org.apache.myfaces.shared.util.ExternalContextUtils;
 import org.apache.myfaces.shared.util.StringUtils;
@@ -85,6 +85,15 @@ public class ResourceHandlerImpl extends
     {
         Resource resource = null;
         
+        if (!ResourceValidationUtils.isValidResourceName(resourceName))
+        {
+            return null;
+        }
+        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName))
+        {
+            return null;
+        }
+        
         if (contentType == null)
         {
             //Resolve contentType using ExternalContext.getMimeType
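Review bot: The new resource-name check calls `ResourceValidationUtils.isValidResourceName(resourceName)` with no null guard, whereas the library-name check directly below it is guarded with `libraryName != null`; since the validator iterates over `expression.length()`, a null resourceName now throws a NullPointerException from this line instead of whatever the method did before. If a null resource name is meant to be treated like an invalid one, mirror the guard: `if (resourceName == null || !ResourceValidationUtils.isValidResourceName(resourceName))`; if callers are required to pass a non-null name, a `Objects.requireNonNull(resourceName, "resourceName")` up front would at least make that contract explicit. The enclosing method starts and ends outside this hunk.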
@@ -244,9 +253,13 @@ public class ResourceHandlerImpl extends
     public String getRendererTypeForResourceName(String resourceName)
     {
         if (resourceName.endsWith(".js"))
+        {
             return "javax.faces.resource.Script";
+        }
         else if (resourceName.endsWith(".css"))
+        {
             return "javax.faces.resource.Stylesheet";
+        }
         return null;
     }
 
@@ -296,6 +309,12 @@ public class ResourceHandlerImpl extends
             {
                 resourceName = resourceBasePath
                         .substring(ResourceHandler.RESOURCE_IDENTIFIER.length() + 1);
+                
+                if (resourceBasePath != null && !ResourceValidationUtils.isValidResourceName(resourceName))
+                {
+                    httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                    return;
+                }
             }
             else
             {
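Review bot: The `resourceBasePath != null` guard on the new `if` is dead: `resourceBasePath.substring(...)` is dereferenced two lines above, so a null value would already have thrown before reaching this check, and the condition reads as if it were guarding the wrong variable. Dropping it leaves the check that was intended, `if (!ResourceValidationUtils.isValidResourceName(resourceName))`, with the 404 response unchanged. The enclosing method starts and ends outside this hunk.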
@@ -307,6 +326,12 @@ public class ResourceHandlerImpl extends
             String libraryName = facesContext.getExternalContext()
                     .getRequestParameterMap().get("ln");
     
+            if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName))
+            {
+                httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                return;
+            }
+            
             Resource resource = null;
             if (libraryName != null)
             {
@@ -368,9 +393,11 @@ public class ResourceHandlerImpl extends
             {
                 //TODO: Log using a localized message (which one?)
                 if (log.isLoggable(Level.SEVERE))
+                {
                     log.severe("Error trying to load resource " + resourceName
                             + " with library " + libraryName + " :"
                             + e.getMessage());
+                }
                 httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
             }
         //}
@@ -445,6 +472,10 @@ public class ResourceHandlerImpl extends
             
             if (localePrefix != null)
             {
+                if (!ResourceValidationUtils.isValidLocalePrefix(localePrefix))
+                {
+                    return null;
+                }
                 return localePrefix;
             }
         }
@@ -517,6 +548,11 @@ public class ResourceHandlerImpl extends
 
         String pathToLib = null;
         
+        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName))
+        {
+            return false;
+        }
+        
         if (localePrefix != null)
         {
             //Check with locale
@@ -570,7 +606,9 @@ public class ResourceHandlerImpl extends
     private ResourceHandlerCache getResourceLoaderCache()
     {
         if (_resourceHandlerCache == null)
+        {
             _resourceHandlerCache = new ResourceHandlerCache();
+        }
         return _resourceHandlerCache;
     }
 

Added: myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java?rev=1212603&view=auto
==============================================================================
--- myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
(added)
+++ myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
Fri Dec  9 19:58:43 2011
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.myfaces.shared.resource;
+
+public class ResourceValidationUtils
+{
+    public static boolean isValidResourceName(String resourceName)
+    {
+        return validate(resourceName, true);
+    }
+    
+    public static boolean isValidLibraryName(String libraryName)
+    {
+        return validate(libraryName, false);
+    }
+    
+    public static boolean isValidLocalePrefix(String localePrefix)
+    {
+        for (int i = 0; i < localePrefix.length(); i++)
+        {
+            char c = localePrefix.charAt(i);
+            if ( (c >='A' && c <='Z') || c == '_' || (c >='a' &&
c <='z') || (c >='0' && c <='9') )
+            {
+                continue;
+            }
+            else
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+    
+    private static boolean validate(String expression, boolean allowSlash)
+    {
+        for (int i = 0; i < expression.length(); i++)
+        {
+            char c = expression.charAt(i);
+
+            // Enforce NameChar convention as specified
+            // http://www.w3.org/TR/REC-xml/#NT-NameChar
+            // Valid characters for NameChar
+            // ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | 
+            // [#xF8-#x2FF] | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | 
+            // [#x2070-#x218F] | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] 
+            // | [#xFDF0-#xFFFD] | [#x10000-#xEFFFF]
+            // "-" | "." | [0-9] | #xB7 | [#x0300-#x036F] | [#x203F-#x2040]
+            // Excluding ":" 
+            if ( (c >='A' && c <='Z') || c == '_' || (c >='a' &&
c <='z') || 
+                 (c >=0xC0 && c <=0xD6) || (c >=0xD8 && c <=0xF6)
|| 
+                 (c >=0xF8 && c <=0x2FF) || (c >=0x370 && c <=0x37D)
|| 
+                 (c >=0x37F && c <=0x1FFF) || (c >=0x200C && c <=0x200D)
||
+                 (c >=0x2070 && c <=0x218F) || (c >=0x2C00 && c
<=0x2FEF) || 
+                 (c >=0x3001 && c <=0xD7FF) || (c >=0xF900 && c
<=0xFDCF) ||
+                 (c >=0xFDF0 && c <=0xFFFD) || (c >=0x10000 && c
<=0xEFFFF) ||
+                 c == '-' || (c >='0' && c <='9') || c == 0xB7 || (c >=0x300
&& c <=0x36F) || 
+                 (c >=0x203F && c <=0x2040) || (allowSlash && c ==
'/')
+                 )
+            {
+                continue;
+            }
+            else if (c == '.' && i+2 < expression.length())
+            {
+                char c1 = expression.charAt(i+1);
+                char c2 = expression.charAt(i+2);
+                if (c == c1 && (c2 == '/' || c2 == '\\' ) )
+                {
+                    return false;
+                }
+            }
+            else
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+}
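Review bot: In `validate`, the `else if (c == '.' && i+2 < expression.length())` branch makes the acceptance of a '.' depend on two more characters following it, so any '.' in the last two positions of the string falls through to the final `else` and the whole name is rejected: `a.b`, `x.`, and `lib/..` are refused while `a.bc` passes, which will surface as spurious 404s for short names. The evident intent is to refuse only a `..` segment, so the dot handling should first look for a second dot and then decide by what follows it (a separator, or the end of the string), accepting any other dot; a rewrite of that branch is below. Separately, the `(c >=0x10000 && c <=0xEFFFF)` clause can never be true for a 16-bit `char`, and since the surrogate range 0xD800–0xDFFF lies outside every accepted interval, supplementary-plane characters are rejected, which deserves a comment such as `// supplementary characters (surrogate pairs) are intentionally not accepted` if that is intended. Both `isValidLocalePrefix` and `validate` dereference their argument unconditionally, so every caller must keep its own null guard, and a `@param` line stating that the argument must be non-null would make that visible to future callers.
```java
            // … unchanged: NameChar range check ending in `continue;` …
            else if (c == '.')
            {
                // Only a ".." segment is refused: a second '.' followed by a path
                // separator or by the end of the string. Any other '.' is a plain
                // name character (e.g. the dot before a file extension).
                if (i + 1 < expression.length() && expression.charAt(i + 1) == '.')
                {
                    if (i + 2 == expression.length())
                    {
                        return false;
                    }
                    char next = expression.charAt(i + 2);
                    if (next == '/' || next == '\\')
                    {
                        return false;
                    }
                }
            }
            // … unchanged: final else returning false, and the closing return true …
```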

Propchange: myfaces/core/branches/2.0.x/shared/src/main/java/org/apache/myfaces/shared/resource/ResourceValidationUtils.java
------------------------------------------------------------------------------
    svn:eol-style = native


