Author: reschke
Date: Fri Feb 26 09:43:43 2016
New Revision: 1732439
URL: http://svn.apache.org/viewvc?rev=1732439&view=rev
Log:
JCR-3950: fix XSS vulnerability in DirListingExportHandler (ported to 2.8)
Modified:
jackrabbit/branches/2.8/ (props changed)
jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
jackrabbit/branches/2.8/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
Propchange: jackrabbit/branches/2.8/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Feb 26 09:43:43 2016
@@ -1,3 +1,3 @@
 /jackrabbit/branches/JCR-2272:1173165-1176545
 /jackrabbit/sandbox/JCR-2415-lucene-3.0:1060860-1064038
-/jackrabbit/trunk:1592881,1597717,1597799,1597806,1598035,1598058,1603769,1603934,1609712,1625561,1634584,1667787,1674859,1680757,1729382
+/jackrabbit/trunk:1592881,1597717,1597799,1597806,1598035,1598058,1603769,1603934,1609712,1625561,1634584,1667787,1674859,1680757,1729382,1732436
Modified: jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?rev=1732439&r1=1732438&r2=1732439&view=diff
==============================================================================
--- jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java (original)
+++ jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java Fri Feb 26 09:43:43 2016
@@ -209,13 +209,28 @@ public class Text {
 }
 
 /**
- * Replaces illegal XML characters in the given string by their corresponding
- * predefined entity references.
+ * Replaces XML characters in the given string that might need escaping
+ * as XML text or attribute
 *
 * @param text text to be escaped
 * @return a string
 */
 public static String encodeIllegalXMLCharacters(String text) {
+ return encodeMarkupCharacters(text, false);
+ }
+
+ /**
+ * Replaces HTML characters in the given string that might need escaping
+ * as HTML text or attribute
+ *
+ * @param text text to be escaped
+ * @return a string
+ */
+ public static String encodeIllegalHTMLCharacters(String text) {
+ return encodeMarkupCharacters(text, true);
+ }
+
+ private static String encodeMarkupCharacters(String text, boolean isHtml) {
 if (text == null) {
 throw new IllegalArgumentException("null argument");
 }
@@ -250,7 +265,7 @@ public class Text {
 } else if (ch == '"') {
 buf.append(""");
 } else if (ch == '\'') {
- buf.append("'");
+ buf.append(isHtml ? "'" : "'");
 }
 }
 if (buf == null) {
Modified: jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java?rev=1732439&r1=1732438&r2=1732439&view=diff
==============================================================================
--- jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java (original)
+++ jackrabbit/branches/2.8/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/util/TextTest.java Fri Feb 26 09:43:43 2016
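Review bot: The new `encodeMarkupCharacters(String text, boolean isHtml)` carries no Javadoc, and the `@return a string` kept on both public methods says nothing about which characters are replaced or in which contexts the result is safe. I would document the private method with `/** Escapes markup-significant characters for element text or a quoted attribute value; isHtml selects HTML-compatible references (see the apostrophe branch). */` and change the public `@return` lines to `@return the text with {@code &}, {@code <}, {@code >}, {@code "} and {@code '} replaced by character references`, where the set of characters is inferred from the second hunk and the accompanying test rather than from lines visible here. It is also worth stating that neither method makes a value safe inside a URL, a `<script>` block or an unquoted attribute, since callers of an "escape HTML" helper tend to assume it does. The middle of the method, where the other characters are handled, is outside this hunk.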
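Review bot: The reason for the `isHtml` conditional on the `buf.append(isHtml ? ... : ...)` line is not recorded, and in this rendering both branches show the same literal `"'"`, just as the line above reads `buf.append(""")` — the character references appear to have been decoded by the page, so the actual distinction cannot be read off here. Presumably the XML branch emits the predefined `&apos;` entity and the HTML branch a numeric reference, because `&apos;` is not a defined entity in HTML 4 and some user agents render it literally; that deserves a comment so nobody later "simplifies" the two branches back into one: `// &apos; is predefined in XML only; HTML output needs a numeric character reference`. The enclosing loop and the method's return are outside the hunk.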
@@ -195,4 +195,11 @@ public class TextTest extends TestCase {
 assertEquals("local\"name", Text.escapeIllegalJcrChars("local\"name"));
 }
 
+ public void testEscapeXML() {
+ assertEquals("&<>'"", Text.encodeIllegalXMLCharacters("&<>'\""));
+ }
+
+ public void testEscapeHTML() {
+ assertEquals("&<>'"", Text.encodeIllegalHTMLCharacters("&<>'\""));
+ }
 }
Modified: jackrabbit/branches/2.8/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.8/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java?rev=1732439&r1=1732438&r2=1732439&view=diff
==============================================================================
--- jackrabbit/branches/2.8/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java (original)
+++ jackrabbit/branches/2.8/jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java Fri Feb 26 09:43:43 2016
@@ -146,14 +146,14 @@ public class DirListingExportHandler imp
 String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
 String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
 writer.print("");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
 writer.print(" ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
 writer.print(" ");
- writer.print(item.getPath());
+ writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
 writer.print("");
 writer.print("

");
- writer.print(item.getPath());
+ writer.print(Text.encodeIllegalHTMLCharacters(item.getPath()));
 writer.print("


Powered by ");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
 writer.print(" version ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
 writer.print("");
 } catch (RepositoryException e) {
 // should not occur
@@ -210,14 +210,14 @@ public class DirListingExportHandler imp
 String repURL = rep.getDescriptor(Repository.REP_VENDOR_URL_DESC);
 String repVersion = rep.getDescriptor(Repository.REP_VERSION_DESC);
 writer.print("");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
 writer.print(" ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
 writer.print(" ");
- writer.print(resource.getResourcePath());
+ writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
 writer.print("");
 writer.print("
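Review bot: Wrapping `repName` and `repVersion` in `Text.encodeIllegalHTMLCharacters` introduces a failure mode the old code did not have: the helper throws `IllegalArgumentException` on a null argument (its null check is visible in the Text.java hunk), and the `catch (RepositoryException e)` at the end of this hunk does not cover that, so a repository whose descriptor for either key is unset — if `getDescriptor` returns null for it — now aborts the listing where `writer.print` used to emit "null". A null-tolerant wrapper keeps the old tolerance, `private static String esc(String s) { return s == null ? "" : Text.encodeIllegalHTMLCharacters(s); }`, used in place of the direct calls. Separately, `repURL` is read at the top of the hunk but no escaped use of it is visible; the string literals have been reduced to `""` in this rendering, so if it ends up in the `Powered by` link's `href` it needs the same escaping and, being a URL attribute, a scheme check against `http://`/`https://`, since escaping alone does not neutralise a `javascript:` value. The descriptors come from repository configuration rather than the request, so they are lower risk than `item.getPath()`; the enclosing method begins before the hunk.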

");
- writer.print(resource.getResourcePath());
+ writer.print(Text.encodeIllegalHTMLCharacters(resource.getResourcePath()));
 writer.print("


Powered by ");
- writer.print(repName);
+ writer.print(Text.encodeIllegalHTMLCharacters(repName));
 writer.print(" version ");
- writer.print(repVersion);
+ writer.print(Text.encodeIllegalHTMLCharacters(repVersion));
 writer.print("");
 } catch (RepositoryException e) {
 // should not occur
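Review bot: The header and footer output in this hunk duplicates the hunk at line 146 line for line, differing only in `resource.getResourcePath()` versus `item.getPath()`, so the escaping fix had to be applied twice and any descriptor added to one copy in future can be missed in the other. I would extract the shared part into a private method taking the already-computed path string, e.g. `private void printListingFrame(Writer writer, Repository rep, String path)`, so that the escaping lives in one place and the caller escapes `getResourcePath()` once. The enclosing method starts before the hunk, and the per-child loop that presumably sits between the heading and the footer is not visible in this rendering, so the helper boundary needs checking against the full file.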