Author: jacopoc
Date: Mon Dec 29 09:24:46 2014
New Revision: 1648298
URL: http://svn.apache.org/r1648298
Log: A series of cleanup to the integration with OWASP ESAPI. Isolated dependencies on the external OWASP ESAPI jar into the StringUtil class.
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java
ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java
Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java?rev=1648298&r1=1648297&r2=1648298&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java Mon Dec 29 09:24:46 2014
@@ -39,7 +39,6 @@ import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.GenericValue;
 import org.ofbiz.entity.util.EntityQuery;
 import org.ofbiz.webapp.control.ContextFilter;
-import org.owasp.esapi.errors.EncodingException;
 public class ContentUrlFilter extends ContextFilter {
 public final static String module = ContentUrlFilter.class.getName();
@@ -118,14 +117,10 @@ public class ContentUrlFilter extends Co
 .queryFirst();
 if (contentAssocDataResource != null) {
 url = contentAssocDataResource.getString("drObjectInfo");
- try {
- url = StringUtil.defaultWebEncoder.decodeFromURL(url);
- String mountPoint = request.getContextPath();
- if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
- url = mountPoint + url;
- }
- } catch (EncodingException e) {
- Debug.logError(e, module);
+ url = StringUtil.getDecoder("url").decode(url);
+ String mountPoint = request.getContextPath();
+ if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
+ url = mountPoint + url;
 }
 }
 } catch (Exception e) {
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=1648298&r1=1648297&r2=1648298&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Dec 29 09:24:46 2014
@@ -36,14 +36,12 @@ import java.util.regex.Pattern;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
 import org.ofbiz.base.lang.Appender;
-import org.owasp.esapi.ValidationErrorList;
-import org.owasp.esapi.Validator;
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
 import org.owasp.esapi.codecs.PercentCodec;
+import org.owasp.esapi.errors.EncodingException;
 import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.reference.DefaultEncoder;
-import org.owasp.esapi.reference.DefaultValidator;
 /**
 * Misc String Utility Functions
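Review bot: `StringUtil.getDecoder("url").decode(url)` returns null when ESAPI throws EncodingException (the new UrlEncoder.decode logs and returns null), so for a drObjectInfo value that fails decoding `url` becomes null and the next lines build `mountPoint + url`, i.e. the context path followed by the literal text "null"; the removed try/catch left the original value untouched instead. Keep the previous value when decoding fails, e.g. `String decoded = StringUtil.getDecoder("url").decode(url); if (decoded != null) { url = decoded; }`, or skip the rewrite entirely as the old catch branch did. The same unchecked null flows into string building in UtilHttp (both `buf.append(StringUtil.getEncoder("url").encode(...))` calls, where the old code appended nothing on failure), in RequestHandler (`encodedName` is null-checked but the `value` append is not) and in OfbizContentTransform (`requestUrl = StringUtil.getDecoder("url").decode(requestUrl)`); CommonServices.resetMetric is the only call site in this commit that checks. The enclosing try block and method start before and end after this hunk.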
@@ -56,15 +54,11 @@ public class StringUtil { // FIXME: Not thread safe protected static final Map<String, Pattern> substitutionPatternMap; - /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */ - public static final boolean esapiCanonicalizeStrict = false; - public static final DefaultEncoder defaultWebEncoder; - public static final Validator defaultWebValidator; + private static final DefaultEncoder defaultWebEncoder; static { // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec List<Codec> codecList = Arrays.asList(new HTMLEntityCodec(), new PercentCodec()); defaultWebEncoder = new DefaultEncoder(codecList); - defaultWebValidator = new DefaultValidator(); substitutionPatternMap = new HashMap<String, Pattern>(); substitutionPatternMap.put("&&", Pattern.compile("@and", Pattern.LITERAL)); substitutionPatternMap.put("||", Pattern.compile("@or", Pattern.LITERAL)); @@ -74,9 +68,10 @@ public class StringUtil { substitutionPatternMap.put(">", Pattern.compile("@gt", Pattern.LITERAL)); } - public static final SimpleEncoder htmlEncoder = new HtmlEncoder(); - public static final SimpleEncoder xmlEncoder = new XmlEncoder(); - public static final SimpleEncoder stringEncoder = new StringEncoder(); + private static final HtmlEncoder htmlEncoder = new HtmlEncoder(); + private static final XmlEncoder xmlEncoder = new XmlEncoder(); + private static final StringEncoder stringEncoder = new StringEncoder(); + private static final UrlEncoder urlEncoder = new UrlEncoder(); private StringUtil() { } 
@@ -85,6 +80,10 @@ public class StringUtil {
 public String encode(String original);
 }
+ public static interface SimpleDecoder {
+ public String decode(String original);
+ }
+
 public static class HtmlEncoder implements SimpleEncoder {
 public String encode(String original) {
 return StringUtil.defaultWebEncoder.encodeForHTML(original);
@@ -97,6 +96,26 @@ public class StringUtil {
 }
 }
+ public static class UrlEncoder implements SimpleEncoder, SimpleDecoder {
+ public String encode(String original) {
+ try {
+ return StringUtil.defaultWebEncoder.encodeForURL(original);
+ } catch (EncodingException ee) {
+ Debug.logError(ee, module);
+ return null;
+ }
+ }
+
+ public String decode(String original) {
+ try {
+ return StringUtil.defaultWebEncoder.decodeFromURL(original);
+ } catch (EncodingException ee) {
+ Debug.logError(ee, module);
+ return null;
+ }
+ }
+ }
+
 public static class StringEncoder implements SimpleEncoder {
 public String encode(String original) {
 if (original != null) {
@@ -109,7 +128,9 @@ public class StringUtil {
 // ================== Begin General Functions ==================
 public static SimpleEncoder getEncoder(String type) {
- if ("xml".equals(type)) {
+ if ("url".equals(type)) {
+ return StringUtil.urlEncoder;
+ } else if ("xml".equals(type)) {
 return StringUtil.xmlEncoder;
 } else if ("html".equals(type)) {
 return StringUtil.htmlEncoder;
@@ -120,6 +141,14 @@ public class StringUtil {
 }
 }
+ public static SimpleDecoder getDecoder(String type) {
+ if ("url".equals(type)) {
+ return StringUtil.urlEncoder;
+ } else {
+ return null;
+ }
+ }
+
 public static String internString(String value) {
 return value != null ? value.intern() : null;
 }
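Review bot: `getDecoder` returns null for every type other than "url", and each caller introduced in this commit dereferences the result immediately (`StringUtil.getDecoder("url").decode(...)` in ContentUrlFilter, CommonServices and OfbizContentTransform), so a wrong type string would surface as a NullPointerException at the call site rather than as a lookup error; `getEncoder` is used the same way for "html" and "url" from UtilHttp, RequestHandler and the widget classes, and its fallback branch lies outside this hunk. If the null return is intended, state it in Javadoc, e.g. `/** @return the decoder registered for {@code type} ("url"), or null if none is registered for that type. */`, and give `SimpleDecoder` and `UrlEncoder` a Javadoc line saying that `encode`/`decode` log the EncodingException and return null, since nothing else tells a caller what failure looks like. Throwing IllegalArgumentException for an unknown type would instead fail at the lookup, which is easier to diagnose than a later dereference.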
@@ -594,6 +623,13 @@ public class StringUtil { return result; } + public static String canonicalize(String value) throws IntrusionException { + return defaultWebEncoder.canonicalize(value); + } + + public static String canonicalize(String value, boolean strict) throws IntrusionException { + return defaultWebEncoder.canonicalize(value, strict); + } /** * Uses a black-list approach for necessary characters for HTML. * Does not allow various characters (after canonicalization), including "<", ">", "&" (if not followed by a space), and "%" (if not followed by a space). @@ -606,7 +642,7 @@ public class StringUtil { // canonicalize, strict (error on double-encoding) try { - value = defaultWebEncoder.canonicalize(value, true); + value = canonicalize(value, true); } catch (IntrusionException e) { // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module); 
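Review bot: The two new `canonicalize` overloads carry no Javadoc, so the call sites switched to the one-argument form in this commit (LabelManagerFactory on attribute and text-node values, WidgetWorker on `localRequestName`) cannot tell from the signature whether mixed or double encoding raises IntrusionException or is only logged — that depends on the strictness ESAPI's single-argument `canonicalize` applies, which this file does not state. Add Javadoc on the first overload such as `/** Canonicalizes {@code value} through the ESAPI web encoder with ESAPI's default strictness; see {@link #canonicalize(String, boolean)}. @throws IntrusionException if ESAPI rejects the input */` and a matching one on the second explaining that `strict` selects exceptions over warnings for double encoding, as the new comment in UtilHttp.canonicalizeParameter already describes at its call site. Also, the closing brace of the second overload is immediately followed by the existing Javadoc of the next method with no blank line between them.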
@@ -651,21 +687,6 @@ public class StringUtil { return value; } - /** - * Uses a white-list approach to check for safe HTML. - * Based on the ESAPI validator configured in the antisamy-esapi.xml file. - * - * @param value - * @param errorMessageList - * @return String with updated value if needed for safer HTML. - */ - public static String checkStringForHtmlSafeOnly(String valueName, String value, List<String> errorMessageList) { - ValidationErrorList vel = new ValidationErrorList(); - value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel); - errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), String.class)); - return value; - } - /** * Remove/collapse multiple newline characters * Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original) +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Mon Dec 29 09:24:46 2014 @@ -53,8 +53,6 @@ import org.apache.oro.text.regex.Malform import org.apache.oro.text.regex.Pattern; import org.apache.oro.text.regex.PatternMatcher; import org.apache.oro.text.regex.Perl5Matcher; -import org.owasp.esapi.errors.EncodingException; -import org.owasp.esapi.errors.IntrusionException; import com.ibm.icu.util.Calendar; 
@@ -251,10 +249,11 @@ public class UtilHttp {
 public static String canonicalizeParameter(String paramValue) {
 try {
- String cannedStr = StringUtil.defaultWebEncoder.canonicalize(paramValue, StringUtil.esapiCanonicalizeStrict);
+ /** calling canonicalize with strict flag set to false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
+ String cannedStr = StringUtil.canonicalize(paramValue, false);
 if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module);
 return cannedStr;
- } catch (IntrusionException e) {
+ } catch (Exception e) {
 Debug.logError(e, "Error in canonicalize parameter value [" + paramValue + "]: " + e.toString(), module);
 return paramValue;
 }
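Review bot: The catch in `canonicalizeParameter` is widened from `IntrusionException` to `Exception`, yet the only exception the new `StringUtil.canonicalize(String, boolean)` declares is IntrusionException, so the wider catch only adds masking of unrelated runtime failures (for instance a NullPointerException from `cannedStr.equals(paramValue)` if canonicalize ever returned null), and every such failure hands the un-canonicalized `paramValue` back to the caller with nothing more than a log line. Narrow it back to `} catch (IntrusionException e) {`. The comment added above `String cannedStr` uses Javadoc syntax (`/** ... */`) inside a method body; a plain `// ...` comment is the conventional form there.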
@@ -791,22 +790,14 @@ public class UtilHttp { buf.append("&"); } } - try { - buf.append(StringUtil.defaultWebEncoder.encodeForURL(name)); - } catch (EncodingException e) { - Debug.logError(e, module); - } + buf.append(StringUtil.getEncoder("url").encode(name)); /* the old way: try { buf.append(URLEncoder.encode(name, "UTF-8")); } catch (UnsupportedEncodingException e) { Debug.logError(e, module); } */ buf.append('='); - try { - buf.append(StringUtil.defaultWebEncoder.encodeForURL(valueStr)); - } catch (EncodingException e) { - Debug.logError(e, module); - } + buf.append(StringUtil.getEncoder("url").encode(valueStr)); /* the old way: try { buf.append(URLEncoder.encode(valueStr, "UTF-8")); } catch (UnsupportedEncodingException e) { Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java (original) +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java Mon Dec 29 09:24:46 2014 
@@ -303,9 +303,6 @@ public class StringUtilTests extends Gen checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript", "%2%353Cscript", "In field [double-encoding] found character escaping (mixed or double) that is not allowed or other format consistency error: org.owasp.esapi.errors.IntrusionException: Input validation failure"); } - public void testCheckStringForHtmlSafeOnly() { - } - public void testCollapseNewlines() { } Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java (original) +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java Mon Dec 29 09:24:46 2014 @@ -64,7 +64,6 @@ import org.ofbiz.service.ModelService; import org.ofbiz.service.ServiceSynchronization; import org.ofbiz.service.ServiceUtil; import org.ofbiz.service.mail.MimeMessageWrapper; -import org.owasp.esapi.errors.EncodingException; /** * Common Services 
@@ -539,17 +538,15 @@ public class CommonServices { } public static Map<String, Object> resetMetric(DispatchContext dctx, Map<String, ?> context) { - String name = (String) context.get("name"); - try { - name = StringUtil.defaultWebEncoder.decodeFromURL(name); - } catch (EncodingException e) { - return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + name + "\""); + String originalName = (String) context.get("name"); + String name = StringUtil.getDecoder("url").decode(originalName); + if (name == null) { + return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + originalName + "\""); } Metrics metric = MetricsFactory.getMetric(name); if (metric != null) { metric.reset(); return ServiceUtil.returnSuccess(); - } return ServiceUtil.returnError("Metric \"" + name + "\" not found."); } Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Dec 29 09:24:46 2014 @@ -62,7 +62,6 @@ import org.ofbiz.webapp.view.ViewHandler import org.ofbiz.webapp.view.ViewHandlerException; import org.ofbiz.webapp.website.WebSiteProperties; import org.ofbiz.webapp.website.WebSiteWorker; -import org.owasp.esapi.errors.EncodingException; import org.python.modules.re; /** 
@@ -1116,13 +1115,11 @@ public class RequestHandler {
 if (queryString.length() > 1) {
 queryString.append("&");
 }
-
- try {
- queryString.append(StringUtil.defaultWebEncoder.encodeForURL(name));
+ String encodedName = StringUtil.getEncoder("url").encode(name);
+ if (encodedName != null) {
+ queryString.append(encodedName);
 queryString.append("=");
- queryString.append(StringUtil.defaultWebEncoder.encodeForURL(value));
- } catch (EncodingException e) {
- Debug.logError(e, module);
+ queryString.append(StringUtil.getEncoder("url").encode(value));
 }
 }
 }
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java?rev=1648298&r1=1648297&r2=1648298&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java Mon Dec 29 09:24:46 2014
@@ -28,7 +28,6 @@ import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.StringUtil;
 import org.ofbiz.base.util.UtilValidate;
 import org.ofbiz.webapp.taglib.ContentUrlTag;
-import org.owasp.esapi.errors.EncodingException;
 import freemarker.core.Environment;
 import freemarker.ext.beans.BeanModel;
@@ -93,11 +92,7 @@ public class OfbizContentTransform imple
 return;
 }
- try {
- requestUrl = StringUtil.defaultWebEncoder.decodeFromURL(requestUrl);
- } catch (EncodingException e) {
- Debug.logError(e, module);
- }
+ requestUrl = StringUtil.getDecoder("url").decode(requestUrl);
 // make the link
 StringBuilder newURL = new StringBuilder();
Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java?rev=1648298&r1=1648297&r2=1648298&view=diff
==============================================================================
--- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java (original)
+++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java Mon Dec 29 09:24:46 2014
@@ -40,7 +40,6 @@ import org.ofbiz.base.util.GeneralExcept
 import org.ofbiz.base.util.StringUtil;
 import org.ofbiz.base.util.UtilValidate;
 import org.ofbiz.base.util.UtilXml;
-import org.owasp.esapi.errors.EncodingException;
 import org.w3c.dom.Comment;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -103,7 +102,7 @@ public class LabelManagerFactory {
 }
 }
- public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, EncodingException, GeneralException {
+ public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, GeneralException {
 if (UtilValidate.isEmpty(component) && UtilValidate.isEmpty(fileName) && UtilValidate.isEmpty(key) && UtilValidate.isEmpty(locale)) {
 // Important! Don't allow unparameterized queries - doing so will result in loading the entire project into memory
 return;
@@ -124,7 +123,7 @@ public class LabelManagerFactory {
 for (Node propertyNode : UtilXml.childNodeList(resourceElem.getFirstChild())) {
 if (propertyNode instanceof Element) {
 Element propertyElem = (Element) propertyNode;
- String labelKey = StringUtil.defaultWebEncoder.canonicalize(propertyElem.getAttribute("key"));
+ String labelKey = StringUtil.canonicalize(propertyElem.getAttribute("key"));
 String labelComment = "";
 for (Node valueNode : UtilXml.childNodeList(propertyElem.getFirstChild())) {
 if (valueNode instanceof Element) {
@@ -135,7 +134,7 @@ public class LabelManagerFactory {
 if( localeName.contains("_")) {
 localeName = localeName.replace('_', '-');
 }
- String labelValue = StringUtil.defaultWebEncoder.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
+ String labelValue = StringUtil.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
 LabelInfo label = labels.get(labelKey + keySeparator + fileInfo.getFileName());
 if (UtilValidate.isEmpty(label)) {
@@ -149,12 +148,12 @@ public class LabelManagerFactory {
 localesFound.add(localeName);
 labelComment = "";
 } else if (valueNode instanceof Comment) {
- labelComment = labelComment + StringUtil.defaultWebEncoder.canonicalize(valueNode.getNodeValue());
+ labelComment = labelComment + StringUtil.canonicalize(valueNode.getNodeValue());
 }
 }
 labelKeyComment = "";
 } else if (propertyNode instanceof Comment) {
- labelKeyComment = labelKeyComment + StringUtil.defaultWebEncoder.canonicalize(propertyNode.getNodeValue());
+ labelKeyComment = labelKeyComment + StringUtil.canonicalize(propertyNode.getNodeValue());
 }
 }
 }
Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java?rev=1648298&r1=1648297&r2=1648298&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java (original)
+++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java Mon Dec 29 09:24:46 2014
@@ -71,7 +71,7 @@ public class WidgetWorker {
 // We may get an encoded request like: /projectmgr/control/EditTaskContents?workEffortId=10003
 // Try to reducing a possibly encoded string down to its simplest form: /projectmgr/control/EditTaskContents?workEffortId=10003
 // This step make sure the following appending externalLoginKey operation to work correctly
- localRequestName = StringUtil.defaultWebEncoder.canonicalize(localRequestName);
+ localRequestName = StringUtil.canonicalize(localRequestName);
 Appendable localWriter = new StringWriter();
 if ("intra-app".equals(targetType)) {
@@ -300,7 +300,7 @@ public class WidgetWorker { writer.append("<input name=\""); writer.append(parameter.getKey()); writer.append("\" value=\""); - writer.append(StringUtil.htmlEncoder.encode(parameter.getValue())); + writer.append(StringUtil.getEncoder("html").encode(parameter.getValue())); writer.append("\" type=\"hidden\"/>"); } } Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java Mon Dec 29 09:24:46 2014 @@ -3088,7 +3088,7 @@ public final class MacroFormRenderer imp parameters.append(parameter.getName()); parameters.append("'"); parameters.append(",'value':'"); - parameters.append(StringUtil.htmlEncoder.encode(parameter.getValue(context))); + parameters.append(StringUtil.getEncoder("html").encode(parameter.getValue(context))); parameters.append("'}"); } parameters.append("]"); Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java?rev=1648298&r1=1648297&r2=1648298&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java Mon Dec 29 09:24:46 2014 @@ -88,7 +88,7 @@ public class HtmlWidget extends ModelScr } @Override public String getAsString() { - return StringUtil.htmlEncoder.encode(super.getAsString()); + return StringUtil.getEncoder("html").encode(super.getAsString()); } } 
@@ -100,7 +100,7 @@ public class HtmlWidget extends ModelScr @Override public String getAsString() { - return StringUtil.htmlEncoder.encode(super.getAsString()); + return StringUtil.getEncoder("html").encode(super.getAsString()); } } |