Author: jonesde
Date: Fri Feb 6 09:05:50 2009 New Revision: 741478 URL: http://svn.apache.org/viewvc?rev=741478&view=rev Log: Some refactoring of canonicalize feature, also change ServiceEventHandler to use UtilHttp stuff for parameters so this and other things take effect there Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=741478&r1=741477&r2=741478&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original) +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Fri Feb 6 09:05:50 2009 @@ -51,12 +51,18 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import org.owasp.esapi.ESAPI; -import org.owasp.esapi.errors.EncodingException; - import javolution.util.FastList; import javolution.util.FastMap; +import org.owasp.esapi.Encoder; +import org.owasp.esapi.codecs.CSSCodec; +import org.owasp.esapi.codecs.Codec; +import org.owasp.esapi.codecs.HTMLEntityCodec; +import org.owasp.esapi.codecs.JavaScriptCodec; +import org.owasp.esapi.codecs.PercentCodec; +import org.owasp.esapi.errors.EncodingException; +import org.owasp.esapi.reference.DefaultEncoder; + /** * HttpUtil - Misc HTTP Utility Functions */ 
@@ -66,7 +72,13 @@ /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */ public static final boolean esapiCanonicalizeStrict = false; - + public static final Encoder defaultWebEncoder; + static { + // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec + List<Codec> codecList = Arrays.asList(new CSSCodec(), new HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec()); + defaultWebEncoder = new DefaultEncoder( codecList ); + } + public static final String MULTI_ROW_DELIMITER = "_o_"; public static final String ROW_SUBMIT_PREFIX = "_rowSubmit_o_"; public static final String COMPOSITE_DELIMITER = "_c_"; 
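Review bot: `esapiCanonicalizeStrict` stays `false`, so when ESAPI detects multiple or mixed encoding in a parameter — the usual signature of a filter-evasion attempt — it only logs and still hands the fully decoded string back to the caller rather than rejecting it; that should be stated on `defaultWebEncoder`, because anything downstream that treats canonicalization as a defence is getting decoding, not validation. The hard-coded codec list also means any parameter carrying a literal HTML entity, JavaScript escape, CSS escape or percent sequence is rewritten before the application sees it, which is lossy for legitimate data (a text field holding `&amp;` arrives as `&`). I would add above the static block: `// Canonicalization (decoding of CSS/HTML/JS/percent forms) only -- this is NOT output encoding; with esapiCanonicalizeStrict=false, multiply-encoded input is decoded and logged rather than rejected.` The enclosing class continues outside the hunk.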
@@ -237,29 +249,28 @@ public static Map<String, Object> canonicalizeParameterMap(Map<String, Object> paramMap) { for (Map.Entry<String, Object> paramEntry: paramMap.entrySet()) { if (paramEntry.getValue() instanceof String) { - try { - String cannedStr = ESAPI.encoder().canonicalize((String) paramEntry.getValue(), esapiCanonicalizeStrict); - paramEntry.setValue(cannedStr); - } catch (EncodingException e) { - Debug.logError(e, "Error in canonicalize parameter with name [" + paramEntry.getKey() + "], value [" + paramEntry.getValue() + "]: " + e.toString(), module); - } + paramEntry.setValue(canonicalizeParameter((String) paramEntry.getValue())); } else if (paramEntry.getValue() instanceof Collection) { List<String> newList = FastList.newInstance(); for (String listEntry: ((Collection<String>) paramEntry.getValue())) { - try { - String cannedStr = ESAPI.encoder().canonicalize(listEntry, esapiCanonicalizeStrict); - newList.add(cannedStr); - } catch (EncodingException e) { - // add the original value and log the error, a soft fail for now - newList.add(listEntry); - Debug.logError(e, "Error in canonicalize parameter with name [" + paramEntry.getKey() + "], value [" + listEntry + "]: " + e.toString(), module); - } + newList.add(canonicalizeParameter((String) paramEntry.getValue())); } paramEntry.setValue(newList); } } return paramMap; } + + public static String canonicalizeParameter(String paramValue) { + try { + String cannedStr = defaultWebEncoder.canonicalize(paramValue, esapiCanonicalizeStrict); + if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? 
"no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module); + return cannedStr; + } catch (EncodingException e) { + Debug.logError(e, "Error in canonicalize parameter value [" + paramValue + "]: " + e.toString(), module); + return paramValue; + } + } /** * Create a map from a HttpRequest (attributes) object Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=741478&r1=741477&r2=741478&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Fri Feb 6 09:05:50 2009 @@ -18,15 +18,17 @@ *******************************************************************************/ package org.ofbiz.webapp.event; +import static org.ofbiz.base.util.UtilGenerics.checkList; + import java.io.File; import java.nio.ByteBuffer; import java.util.Arrays; import java.util.Iterator; -import java.util.LinkedList; import java.util.List; import java.util.Locale; import java.util.Map; import java.util.TimeZone; + import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -39,9 +41,7 @@ import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.fileupload.disk.DiskFileItemFactory; import org.apache.commons.fileupload.servlet.ServletFileUpload; - import org.ofbiz.base.util.Debug; -import static org.ofbiz.base.util.UtilGenerics.checkList; import org.ofbiz.base.util.UtilHttp; import org.ofbiz.base.util.UtilProperties; import org.ofbiz.base.util.UtilValidate; 
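Review bot: In the `Collection` branch of `canonicalizeParameterMap` the loop variable is never used: `newList.add(canonicalizeParameter((String) paramEntry.getValue()));` casts the whole collection to `String`, which throws `ClassCastException` for every multi-valued parameter (the removed code passed `listEntry`). The line should read `newList.add(canonicalizeParameter(listEntry));`. Separately, `canonicalizeParameter` writes the raw and canonicalized parameter values into the log on every call when verbose logging is on and on every `EncodingException`; request parameters can include passwords and other secrets, so logging only the parameter name or a redacted value would be safer. The new method also deserves a Javadoc stating that on `EncodingException` the original, un-canonicalized value is returned, i.e. the failure is soft.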
@@ -226,6 +226,8 @@ // store the multi-part map as an attribute so we can access the parameters request.setAttribute("multiPartMap", multiPartMap); + Map<String, Object> rawParametersMap = UtilHttp.getParameterMap(request, null, null); + // we have a service and the model; build the context Map<String, Object> serviceContext = FastMap.newInstance(); for (ModelParam modelParam: model.getInModelParamList()) { @@ -260,15 +262,9 @@ // check the request parameters if (UtilValidate.isEmpty(value)) { - // normal parameter data, which can either be a single value or an array of values - String[] paramArr = request.getParameterValues(name); - if (paramArr != null) { - if (paramArr.length > 1) { - value = Arrays.asList(paramArr); - } else { - value = paramArr[0]; - } - } + // use the rawParametersMap from UtilHttp in order to also get pathInfo parameters, do canonicalization, etc + value = rawParametersMap.get(name); + // make any composite parameter data (e.g., from a set of parameters {name_c_date, name_c_hour, name_c_minutes}) if (value == null) { value = UtilHttp.makeParamValueFromComposite(request, name, locale); |
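Review bot: `rawParametersMap.get(name)` replaces `request.getParameterValues(name)`, so the type of `value` now depends on how `UtilHttp.getParameterMap` stores each entry rather than on the removed single-value/`List` branching; if that method keeps values as `String[]` or another collection type, the later service-context conversion sees a different type than before, which is not visible from this hunk and should be confirmed. The comment also says the map now includes pathInfo parameters, meaning a service IN parameter can be satisfied from the path as well as from query or form data — a wider input channel worth calling out explicitly, e.g. `// NOTE: pathInfo-derived parameters can now populate service IN parameters as well`. With the `Arrays.asList` call removed, the `java.util.Arrays` import this file keeps appears unused unless referenced elsewhere in the file. The enclosing method starts outside the hunk.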