This is an automated email from the ASF dual-hosted git repository. mbien pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/roller.git
commit 2c68105e781492236857ef45e6960bb7736e0d45
Author: Michael Bien <[email protected]>
AuthorDate: Tue May 18 03:08:41 2021 +0200
OpenSearchServlet input validation.
---
 .../ui/rendering/servlets/FeedServlet.java | 2 +-
 .../webservices/opensearch/OpenSearchServlet.java | 66 +++++++++++-----------
 2 files changed, 35 insertions(+), 33 deletions(-)
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
index e9fbda1..c05bdfd 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/FeedServlet.java
@@ -55,7 +55,7 @@ import org.apache.roller.weblogger.ui.rendering.util.ModDateHeaderUtil;
 */
 public class FeedServlet extends HttpServlet {
- private static Log log = LogFactory.getLog(FeedServlet.class);
+ private static final Log log = LogFactory.getLog(FeedServlet.class);
 private WeblogFeedCache weblogFeedCache = null;
 private SiteWideCache siteWideCache = null;
diff --git a/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java b/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
index 9d31a97..fe8e7b5 100644
--- a/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/webservices/opensearch/OpenSearchServlet.java
@@ -23,7 +23,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.roller.weblogger.WebloggerException;
 import org.apache.roller.weblogger.business.URLStrategy;
 import org.apache.roller.weblogger.business.WebloggerFactory;
@@ -31,10 +31,11 @@ import org.apache.roller.weblogger.config.WebloggerRuntimeConfig;
 import org.apache.roller.weblogger.pojos.Weblog;
 import org.apache.roller.weblogger.util.Utilities;
+import static org.apache.commons.text.StringEscapeUtils.escapeXml11;
 /**
 * Return OpenSearch descriptor that describes Roller's search facilities.
- * For more informaton see the
+ * For more information see the
 * <a href="http://cwiki.apache.org/confluence/display/ROLLER/Proposal+OpenSearch">OpenSearch proposal</a>.
 * @author Dave Johnson (<a href="mailto:[email protected]">[email protected]</a>)
 */
@@ -46,18 +47,19 @@ public class OpenSearchServlet extends HttpServlet {
 throws ServletException, IOException {
 String[] pathInfo = new String[0];
- String handle = null;
 // Will return descriptor for searching specified blog
 if (request.getPathInfo() != null) {
 pathInfo = Utilities.stringToStringArray(request.getPathInfo(), "/");
 }
+ String handle;
+
 if (pathInfo.length == 0) {
 // URL format: [context]/roller-services/opensearch
 handle = WebloggerRuntimeConfig.getProperty("site.frontpage.weblog.handle");
- } else if (pathInfo.length == 1) {
+ } else if (pathInfo.length == 1 && StringUtils.isAlphanumeric(pathInfo[0])) {
 // URL format: [context]/roller-services/opensearch/[weblog-handle]
 handle = pathInfo[0];
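Review bot: `StringUtils.isAlphanumeric(pathInfo[0])` in the new `else if` is Unicode-aware (it delegates to `Character.isLetterOrDigit`), so the guard admits any letter or digit in any script rather than the ASCII `[A-Za-z0-9]` set a reader would assume from the name; conversely, if Roller handles may legitimately contain `-` or `_`, those blogs now get a 400 instead of a descriptor. Confirm the check against the handle rules enforced when a weblog is created, and say what the guard is for so the next maintainer does not loosen it casually, e.g. `// only a syntactically valid handle is looked up; anything else is a malformed URL`. The enclosing request-handling method begins before this hunk and its `else` branch that sends the 400 falls in the next one.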
@@ -65,43 +67,44 @@ public class OpenSearchServlet extends HttpServlet {
 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed URL");
 return;
 }
-
- String shortName = null;
- String description = null;
- String contact = null;
- String searchFeed = null;
- String searchPage = null;
- URLStrategy strat = WebloggerFactory.getWeblogger().getUrlStrategy();
- Weblog weblog = null;
+ Weblog weblog;
+
 try {
 weblog = WebloggerFactory.getWeblogger().getWeblogManager().getWeblogByHandle(handle);
+ if (weblog == null) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found");
+ return;
+ }
 } catch (WebloggerException ex) {
- throw new ServletException("ERROR: fetching specified weblog");
+ throw new ServletException("ERROR: fetching specified weblog", ex);
 }
- searchPage = StringEscapeUtils.escapeXml11(
- strat.getWeblogSearchPageURLTemplate(weblog));
- searchFeed = StringEscapeUtils.escapeXml11(
- strat.getWeblogSearchFeedURLTemplate(weblog));
- boolean siteWide = WebloggerRuntimeConfig.isSiteWideWeblog(handle);
- if (siteWide) {
- shortName = "[Search Descriptor] " + StringEscapeUtils.escapeXml11(
- WebloggerRuntimeConfig.getProperty("site.shortName"));
- description = StringEscapeUtils.escapeXml11(
- WebloggerRuntimeConfig.getProperty("site.description"));
- contact = StringEscapeUtils.escapeXml11(
- WebloggerRuntimeConfig.getProperty("site.adminemail"));
-
+ String shortName;
+ String description;
+ String contact;
+ String searchFeed;
+ String searchPage;
+
+ URLStrategy strat = WebloggerFactory.getWeblogger().getUrlStrategy();
+ searchPage = escapeXml11(strat.getWeblogSearchPageURLTemplate(weblog));
+ searchFeed = escapeXml11(strat.getWeblogSearchFeedURLTemplate(weblog));
+
+ if (WebloggerRuntimeConfig.isSiteWideWeblog(handle)) {
+
+ shortName = "[Search Descriptor] " + escapeXml11(WebloggerRuntimeConfig.getProperty("site.shortName"));
+ description = escapeXml11(WebloggerRuntimeConfig.getProperty("site.description"));
+ contact = 
escapeXml11(WebloggerRuntimeConfig.getProperty("site.adminemail"));
+
 } else {
- shortName = StringEscapeUtils.escapeXml11(weblog.getName());
- description = StringEscapeUtils.escapeXml11(weblog.getTagline());
- contact = StringEscapeUtils.escapeXml11(weblog.getEmailAddress());
+ shortName = escapeXml11(weblog.getName());
+ description = escapeXml11(weblog.getTagline());
+ contact = escapeXml11(weblog.getEmailAddress());
 }
 response.setContentType("application/opensearchdescription+xml");
- PrintWriter pw = new PrintWriter(response.getWriter());
+ PrintWriter pw = response.getWriter();
 pw.println("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
 pw.println("<OpenSearchDescription xmlns=\"http://a9.com/-/spec/opensearch/1.1/\">");
 pw.println(" <ShortName>" + shortName + "</ShortName>");
@@ -112,8 +115,7 @@ public class OpenSearchServlet extends HttpServlet {
 pw.println(" <Url type=\"text/html\" ");
 pw.println(" template=\"" + searchPage + "\"/>");
 pw.println("</OpenSearchDescription>");
- pw.flush();
- pw.close();
+ pw.flush();
 }
 }
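Review bot: The new `if (weblog == null)` branch answers an unknown handle with `SC_BAD_REQUEST`, but the request is well-formed and the resource simply does not exist, so `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Weblog not found");` describes it correctly and keeps 400 reserved for the malformed-URL case just above it. Further down, the response is now written straight through `response.getWriter()` under a content type with no charset, while the first `pw.println` declares `encoding="UTF-8"`; a servlet container then encodes the writer as ISO-8859-1 by default, so a weblog name or tagline with non-ASCII characters would not match the declaration. Setting `response.setContentType("application/opensearchdescription+xml; charset=UTF-8");` before `getWriter()` makes the declared and actual encodings agree. The enclosing method starts before this hunk; the `<Description>` and `<Contact>` lines that consume the other escaped values fall between this hunk and the next.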
