From man...@apache.org
Subject svn commit: r1373762 - in /james/hupa/trunk: client/src/main/java/org/apache/hupa/client/ client/src/main/java/org/apache/hupa/client/mvp/ server/src/main/java/org/apache/hupa/server/handler/ server/src/main/java/org/apache/hupa/server/utils/ server/sr...
Date Thu, 16 Aug 2012 09:15:19 GMT
Author: manolo
Date: Thu Aug 16 09:15:19 2012
New Revision: 1373762

URL: http://svn.apache.org/viewvc?rev=1373762&view=rev
Log:
Fix XSS vulnerability in message list and view

Modified:
    james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java
    james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
    james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
    james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
    james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java

Modified: james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java (original)
+++ james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java Thu Aug
16 09:15:19 2012
@@ -117,5 +117,6 @@ public abstract class HupaCallback<T> im
      */
     public void callbackError(Throwable caught) {
         System.out.println("HupaCallBack Error: " + caught);
+        caught.printStackTrace();
     }
 }
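Review bot: The added `caught.printStackTrace()` sits next to the existing `System.out.println`, so RPC callback failures are still reported only to stdout/console with no way to route or silence them; in a GWT client this is debug output rather than error handling. If `GWT` is already imported in this file, `GWT.log("HupaCallBack Error", caught);` would replace both lines and keep the stack trace; otherwise a comment such as `// console-only diagnostics; callers override callbackError for user-visible handling` would at least make the intent explicit. The change is also unrelated to the XSS fix the log message describes.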

Modified: james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
(original)
+++ james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
Thu Aug 16 09:15:19 2012
@@ -363,7 +363,7 @@ public class IMAPMessageListView extends
                     dtformat = DateTimeFormat.getFormat("dd.MMM.yyyy HH:mm");
                 }
             
-                view.setHTML(dtformat.format(rDate));
+                view.setText(dtformat.format(rDate));
                 view.setHorizontalAlignment(HorizontalPanel.ALIGN_RIGHT);
             }
             
@@ -528,7 +528,7 @@ public class IMAPMessageListView extends
             if (cellValue == null || cellValue.length() < 1) {
                 view.setHTML("&nbsp");
             } else {
-                view.setHTML(cellValue);
+                view.setText(cellValue);
             }
         }
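Review bot: The fallback on the unchanged line above, `view.setHTML("&nbsp")`, is now the only HTML path left in this cell renderer and the entity is missing its terminating semicolon; browsers tolerate `&nbsp` in text, but `view.setHTML("&nbsp;")` is the well-formed form. A one-line comment such as `// constant placeholder, never message data; user-controlled values go through setText() below` would document why setHTML is deliberately kept in this branch. The enclosing method starts outside the hunk.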
 
@@ -791,6 +791,7 @@ public class IMAPMessageListView extends
     }
 
     public void setExpandLoading(boolean expanding) {
+        System.out.println("SSS " + expanding);
         if (expanding) {
             loading.show();
         } else {
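Review bot: `System.out.println("SSS " + expanding);` is a leftover debug statement in client code with a placeholder string and has nothing to do with the XSS fix named in the log; it should be removed before commit. If a trace of the loading state is wanted, `GWT.log` or whatever client logging the project already uses is the place for it, not a bare println. setExpandLoading continues past the end of the hunk.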

Modified: james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
(original)
+++ james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
Thu Aug 16 09:15:19 2012
@@ -137,8 +137,6 @@ public class GetMessageDetailsHandler ex
         
         boolean isHTML = handleParts(message, con, sbPlain, attachmentList);
         
-        System.out.println(isHTML);
-        
         if (isHTML) {
             mDetails.setText(filterHtmlDocument(sbPlain.toString(), folderName, uid));
         } else {

Modified: james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
(original)
+++ james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
Thu Aug 16 09:15:19 2012
@@ -60,9 +60,9 @@ public class RegexPatterns {
     
     public static final Pattern regex_unneededTags = Pattern.compile("(?si)(</?(html|body)[^>]*?>)");
     public static final String repl_unneededTags = "";
-    
-    public static final String EVENT_ATTR_REGEX = "(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)";
-    public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+
EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
+
+    public static final String EVENT_ATTR_REGEX = "(?:on[a-z]+)";
+    public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)(?:[\"']|\\s+)("+
EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
     public static final String repl_badAttrs = "$1$4";
     
     public static final Pattern regex_orphandHttpLinks = Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)"
+ HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
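Review bot: The new separator `(?:[\"']|\\s+)` in regex_badAttrs still does not treat `/` as an attribute separator, so an input such as `<img/onerror=alert(1) src=x>` is not matched, although HTML5 tokenizers accept `/` between a tag name and an attribute name; the fixtures added in this commit only exercise the quote and whitespace cases. Widening it to `(?:[\"'/]|\\s+)` would cover that form without affecting the existing tests, since the `$1$4` replacement drops the separator either way. Separately, the value group `([^\\s<>]+?)` stops at the first whitespace, so a quoted value like `onerror="alert(1); x()"` is only partly removed and `x()"` is left inside the tag; the remnant looks inert, but it shows this is a blacklist of partial matches rather than a parse of the markup, and a DOM-based allowlist sanitizer would be the more robust fix for mail HTML. Whether `href="javascript:"`, `style` or `<svg>` content is handled by the other patterns in this class cannot be judged from the hunk.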

Modified: james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
(original)
+++ james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
Thu Aug 16 09:15:19 2012
@@ -85,6 +85,15 @@ public class RegexPatternsTest extends T
         txt = "... <div attr=a onClick=\"something('');\" attr=b onMouseOver=whatever
attr=c onKeyup=\"\" /> ...";
         res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
         assertEquals("... <div attr=a attr=b attr=c /> ...", res);
+        
+        
+        txt = "... <img src='1.jpg' onerror=javascript:alert(\"img-onerror-javascript:XSS\")>
...";
+        res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+        assertEquals("... <img src='1.jpg'> ...", res);
+
+        txt = "... <img src=\"1.jpg\" onerror=javascript:alert(\"img-onerror-javascript:XSS\")>
...";
+        res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+        assertEquals("... <img src=\"1.jpg\"> ...", res);
     }
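Review bot: The two new assertions only cover an unquoted `onerror` value following a quoted `src`, so neither of the pattern's remaining gaps is pinned. Add a case with `/` as the separator, `txt = "<img/onerror=alert(1) src=x>";`, and one with whitespace inside a quoted value, `txt = "<img src=x onerror=\"alert(1); x()\">";`, and for both assert at least that the result no longer matches a case-insensitive `on[a-z]+=` pattern, so the expected outcome is stated rather than implied by the fixture. With the regex as committed the first case is returned unchanged, which such a test would make visible. The enclosing test method starts outside the hunk.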
     
     public void testRegexHtmlLinks() {


