james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nor...@apache.org
Subject svn commit: r836203 - in /james/hupa/trunk/server/src: main/java/org/apache/hupa/server/handler/ test/java/org/apache/hupa/server/handler/ test/java/org/apache/hupa/server/servlet/
Date Sat, 14 Nov 2009 16:17:24 GMT
Author: norman
Date: Sat Nov 14 16:17:23 2009
New Revision: 836203

URL: http://svn.apache.org/viewvc?rev=836203&view=rev
Log:
fixes dangerous-attributes removal regex (HUPA-52). Thx to Manuel for submitting this patch

Modified:
    james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
    james/hupa/trunk/server/src/test/java/org/apache/hupa/server/handler/GetMessageDetailsHandlerTest.java
    james/hupa/trunk/server/src/test/java/org/apache/hupa/server/servlet/DownloadAttachmentServletTest.java

Modified: james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java?rev=836203&r1=836202&r2=836203&view=diff
==============================================================================
--- james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
(original)
+++ james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
Sat Nov 14 16:17:23 2009
@@ -165,7 +165,6 @@
             IOException {
     	boolean isHTML = false;
         if (con instanceof String) {
-            System.out.println("sc: " + message.getContentType());
             if (message.getContentType().startsWith("text/html")) {
                 isHTML = true;
             } else {
@@ -177,7 +176,6 @@
 
             Multipart mp = (Multipart) con;
             String multipartContentType = mp.getContentType().toLowerCase();
-            System.out.println("mc: " + multipartContentType);
             
             String text = null;
 
@@ -188,7 +186,6 @@
                     Part part = mp.getBodyPart(i);
 
                     String contentType = part.getContentType().toLowerCase();
-                    System.out.println("c: " + contentType);
 
                     if (text == null && contentType.startsWith("text/plain") ) {
                         isHTML = false;
@@ -230,7 +227,6 @@
             Part part = mp.getBodyPart(i);
             
             String contentType = part.getContentType().toLowerCase();
-            System.out.println("m: " + contentType);
 
             // we prefer html
             if (text == null && contentType.startsWith("text/plain")) {
@@ -250,9 +246,9 @@
     static Pattern regex_http = Pattern.compile(HTML_LINK_REGEXP);
     static String repl_http = "<a href=\"$1\">$1</a>";
 
-    static String EMAIL_REGEXP =  "\\b([A-z0-9._%\\+\\-]+@[A-z0-9\\.\\-]+\\.[A-z]{2,4})\\b";
-    static Pattern regex_email = Pattern.compile(EMAIL_REGEXP);
-    static String repl_email = "<a href=\"mailto:$1\">$1</a>";
+    static String EMAIL_REGEXP =  "\\b(?<![A-z0-9._%\\+\\-=])([A-z][A-z0-9._%\\+\\-]+@[A-z0-9\\.\\-]+\\.[A-z]{2,4})";
+    static Pattern regex_email = Pattern.compile("\\b"+ EMAIL_REGEXP);
+    static String repl_email = "<a href=\"mailto:$1\">$1</a>$1";
     
     static Pattern regex_inlineImg = Pattern.compile("(?si)(<\\s*img\\s+.*?src=[\"'])cid:([^\"']+[\"'])");
     static String repl_inlineImg = "$1" + SConsts.HUPA + SConsts.SERVLET_DOWNLOAD 
@@ -266,8 +262,9 @@
     static Pattern regex_unneededTags = Pattern.compile("(?si)(</?(html|body)[^>]*?>)");
     static String repl_unneededTags = "";
 
-    static Pattern regex_badAttrs = Pattern.compile("(?si)(<)(\\w+)(\\s.+?)onClick=(\".+?\"|'.+?')(.*?</)(\\2)(\\s*>)");
-    static String repl_badAttrs = "$1$2$3 $5$6$7";
+    static String EVENT_ATTR_REGEX = "(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)";
+    static Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+ EVENT_ATTR_REGEX
+ ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
+    static String repl_badAttrs = "$1$4";
     
     static Pattern regex_orphandHttpLinks = Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)"
+ HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
     static String repl_orphandHttpLinks = "$1<a href=\"$2\">$2</a>$3";
@@ -281,8 +278,15 @@
     static Pattern regex_existingEmailLinks = Pattern.compile("(?si)<a\\s[^>]*?href=[\"']*mailto:[\"']?([^\"]+)[\"']?");
     static String repl_existngEmailLinks = "<a onClick=\"mailTo('$1');return false;\"
href=\"mailto:$1\"";
     
-    protected String replaceAll(String txt, Pattern pattern, String repl) {
-        return pattern.matcher(txt).replaceAll(repl);
+    
+    protected String replaceAll(String txt, Pattern pattern, String replacement) {
+        return pattern.matcher(txt).replaceAll(replacement);
+    }
+    
+    protected String replaceAllRecursive(String txt, Pattern pattern, String replacement)
{
+        while (pattern.matcher(txt).find())
+            txt = pattern.matcher(txt).replaceAll(replacement);
+        return txt;
     }
 
     protected String txtDocumentToHtml(String txt, String folderName, long uuid) {
@@ -321,7 +325,7 @@
         // Remove body and html tags
         html = replaceAll(html, regex_unneededTags, repl_unneededTags);
         // Remove all onClick attributes 
-        html = replaceAll(html, regex_badAttrs, repl_badAttrs);
+        html = replaceAllRecursive(html, regex_badAttrs, repl_badAttrs);
         // Add <a> tags to links which are not already into <a>
         html = replaceAll(html, regex_orphandHttpLinks, repl_orphandHttpLinks);
         // Add javascript method to <a> in order to open links in a different window

Modified: james/hupa/trunk/server/src/test/java/org/apache/hupa/server/handler/GetMessageDetailsHandlerTest.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/test/java/org/apache/hupa/server/handler/GetMessageDetailsHandlerTest.java?rev=836203&r1=836202&r2=836203&view=diff
==============================================================================
--- james/hupa/trunk/server/src/test/java/org/apache/hupa/server/handler/GetMessageDetailsHandlerTest.java
(original)
+++ james/hupa/trunk/server/src/test/java/org/apache/hupa/server/handler/GetMessageDetailsHandlerTest.java
Sat Nov 14 16:17:23 2009
@@ -42,9 +42,13 @@
 
     public void testRegexEmail() {
         String txt, res;
-        txt = "!aBcD091_%55-+.aa@abc01-01.dd-a.aBc+";
+        txt = "!'BcD091_%55-+.aa@abc01-01.dd-a.aBc+";
         res = handler.replaceAll(txt, GetMessageDetailsHandler.regex_email, "");
-        assertEquals("!+", res);
+        assertEquals("!'+", res);
+
+        txt = "!'=BcD091_%55-+.aa@abc01-01.dd-a.aBc+";
+        res = handler.replaceAll(txt, GetMessageDetailsHandler.regex_email, "");
+        assertEquals(txt, res);
     }
 
     public void testRegexInlineImg() {
@@ -61,6 +65,18 @@
         res = handler.replaceAll(res, GetMessageDetailsHandler.regex_unneededTags, GetMessageDetailsHandler.repl_unneededTags);
         assertEquals("...", res);
     }
+
+    public void testRegexBadAttributes() {
+
+        String txt, res;
+        txt = "... <div attr=a onClick=\"something('');\"> ...";
+        res = handler.replaceAllRecursive(txt, GetMessageDetailsHandler.regex_badAttrs, GetMessageDetailsHandler.repl_badAttrs);
+        assertEquals("... <div attr=a> ...", res);
+
+        txt = "... <div attr=a onClick=\"something('');\" attr=b onMouseOver=whatever
attr=c onKeyup=\"\" /> ...";
+        res = handler.replaceAllRecursive(txt, GetMessageDetailsHandler.regex_badAttrs, GetMessageDetailsHandler.repl_badAttrs);
+        assertEquals("... <div attr=a attr=b attr=c /> ...", res);
+    }
     
     public void testRegexHtmlLinks() {
         String txt, res;
@@ -185,6 +201,12 @@
         res = handler.filterHtmlDocument(msg, "aFolder", 9999l);
         assertFalse(res.contains("mailTo("));
         assertTrue(res.contains("openLink("));
+        
+        msg = "http://accounts.myspace.com.deaaaf.me.uk/msp/index.php?fuseaction=update&code=78E2BL6-EKY5L893K4MHSA-74ESO-D743U41GYB18J-FA18EI698V4M&email=somehone@somewere.com";
+        res = handler.txtDocumentToHtml(msg, "aFolder", 9999l);
+        assertFalse(res.contains("mailTo("));
+        assertTrue(res.contains("openLink("));
+        
     }
 
 	private MessageDetails loadMessageDetails(String msgFile) throws Exception {

Modified: james/hupa/trunk/server/src/test/java/org/apache/hupa/server/servlet/DownloadAttachmentServletTest.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/test/java/org/apache/hupa/server/servlet/DownloadAttachmentServletTest.java?rev=836203&r1=836202&r2=836203&view=diff
==============================================================================
--- james/hupa/trunk/server/src/test/java/org/apache/hupa/server/servlet/DownloadAttachmentServletTest.java
(original)
+++ james/hupa/trunk/server/src/test/java/org/apache/hupa/server/servlet/DownloadAttachmentServletTest.java
Sat Nov 14 16:17:23 2009
@@ -19,7 +19,6 @@
 		Part part = DownloadAttachmentServlet.handleMultiPart(message
 		        .getContent(), "1.1934304663@web28309.mail.ukl.yahoo.com");
 		assertNotNull(part);
-		System.out.println(part.getContentType());
 	}
 
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


Mime
View raw message