This is an automated email from the ASF dual-hosted git repository. mbien pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/roller.git
commit 21c3c320b274c17eb3fe8a15d8b55c38d2eea4b2
Author: Michael Bien <[email protected]>
AuthorDate: Mon Mar 22 04:52:02 2021 +0100

weblog handle validation.
---
 .../business/jpa/JPAWeblogManagerImpl.java | 22 +++++++++++++++++++---
 .../comments/CommentAuthenticatorUtils.java | 8 +++++---
 .../ui/rendering/servlets/CommentServlet.java | 6 ++----
 .../ui/rendering/servlets/SearchServlet.java | 19 +++++++++----------
 4 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
index dc03c76..14530f5 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAWeblogManagerImpl.java
@@ -362,11 +362,12 @@ public class JPAWeblogManagerImpl implements WeblogManager {
 * Return weblog specified by handle.
 */
 @Override
- public Weblog getWeblogByHandle(String handle, Boolean visible)
- throws WebloggerException {
+ public Weblog getWeblogByHandle(String handle, Boolean visible) throws WebloggerException {
 
- if (handle==null) {
+ if (handle == null) {
 throw new WebloggerException("Handle cannot be null");
+ } else if (!isAlphanumeric(handle)) {
+ throw new WebloggerException("Invalid handle: '"+handle+"'");
 }
 
 // check cache first
@@ -704,4 +705,19 @@ public class JPAWeblogManagerImpl implements WeblogManager {
 return results.get(0);
 }
 
+ /**
+ * Returns true if alphanumeric or '_'.
+ */
+ private boolean isAlphanumeric(String str) {
+ if (str == null) {
+ return false;
+ }
+ for (int i = 0; i < str.length(); i++) {
+ if (!Character.isLetterOrDigit(str.charAt(i)) && str.charAt(i) != '_') {
+ return false;
+ }
+ }
+ return true;
+ }
+
 }
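Review bot: The new `else if` branch copies the rejected, request-supplied handle verbatim into the exception message (`"Invalid handle: '"+handle+"'"`), and the callers touched by this commit hand that exception to `log.debug(..., e)`; a value that has just failed validation can contain anything, including CR/LF, so the message is a log-forging vector and would become a reflection vector if any caller ever renders `getMessage()`. Either omit the value or describe it instead, e.g. `throw new WebloggerException("Invalid handle (non-alphanumeric, length " + handle.length() + ")");`. The Javadoc above still reads only "Return weblog specified by handle"; add `@throws WebloggerException if handle is null or contains characters other than letters, digits and '_'` so callers learn that a bad handle is now an exception rather than a null return. The method body continues past the end of the hunk.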
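Review bot: `isAlphanumeric` accepts the empty string, because the loop body never runs and control falls through to the added `return true;`, so `getWeblogByHandle("", ...)` passes the new check and proceeds to the cache/query path. Reject it up front with `if (str == null || str.isEmpty()) { return false; }`, or have the caller reject empty handles. Note also that `Character.isLetterOrDigit` is Unicode-wide and evaluated per `char`, so the set accepted is considerably broader than the ASCII `[A-Za-z0-9_]` the method name suggests; if handles must be URL/path-safe ASCII, test the ranges explicitly and say so in the Javadoc, e.g. `Returns true if str is non-empty and every char is a Unicode letter or digit, or '_'.` The method is complete within the hunk.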
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
index bb1ebe0..12a78f6 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/CommentAuthenticatorUtils.java
@@ -28,16 +28,18 @@ import javax.servlet.http.HttpServletRequest;
 import java.util.Locale;
 
 class CommentAuthenticatorUtils {
- private static Log log = LogFactory.getLog(CommentAuthenticatorUtils.class);
+ private static final Log log = LogFactory.getLog(CommentAuthenticatorUtils.class);
 
 public static Locale getLocale(HttpServletRequest request) {
 String handle = request.getParameter("weblog");
 try {
 Weblog weblog = WebloggerFactory.getWeblogger().getWeblogManager().getWeblogByHandle(handle);
- return weblog.getLocaleInstance();
+ if(weblog != null) {
+ return weblog.getLocaleInstance();
+ }
 } catch (WebloggerException e) {
 log.debug("Failed to determine weblog's locale. fallback to the locale of the request", e);
- return request.getLocale();
 }
+ return request.getLocale();
 }
 }
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
index d8bb6bd..da50356 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentServlet.java
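Review bot: `getLocale` passes the possibly-absent `weblog` parameter straight into `getWeblogByHandle`, which in the first file of this commit now throws for both a null and a malformed handle, so every comment request without a usable handle takes the exception path and builds a stack trace only to reach the `request.getLocale()` fallback the relocated `return` already provides. Guard the lookup with `if (handle != null) {` so the missing-parameter case never raises, and keep the catch for the validation failure. Because that exception's message embeds the raw handle, keep this log at debug and do not promote it. Minor style: `if(weblog != null)` should be `if (weblog != null)` to match the rest of the file.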
@@ -73,7 +73,7 @@ import org.apache.roller.weblogger.util.cache.CacheManager;
 */
 public class CommentServlet extends HttpServlet {
 
- private static Log log = LogFactory.getLog(CommentServlet.class);
+ private static final Log log = LogFactory.getLog(CommentServlet.class);
 
 private CommentAuthenticator authenticator = null;
 private CommentValidationManager commentValidationManager = null;
@@ -202,9 +202,7 @@ public class CommentServlet extends HttpServlet {
 try {
 commentRequest = new WeblogCommentRequest(request);
 
- // lookup weblog specified by comment request
- weblog = WebloggerFactory.getWeblogger().getWeblogManager()
- .getWeblogByHandle(commentRequest.getWeblogHandle());
+ weblog = commentRequest.getWeblog();
 
 if (weblog == null) {
 throw new WebloggerException("unable to lookup weblog: "
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
index 79c441f..729d3bb 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/SearchServlet.java
@@ -59,7 +59,7 @@ public class SearchServlet extends HttpServlet {
 
 private static final long serialVersionUID = 6246730804167411636L;
 
- private static Log log = LogFactory.getLog(SearchServlet.class);
+ private static final Log log = LogFactory.getLog(SearchServlet.class);
 
 // Development theme reloading
 Boolean themeReload = false;
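Review bot: The replacement `commentRequest.getWeblog()` is defined outside this diff, so it is not visible whether it preserves the lookup semantics of the removed one-argument `getWeblogByHandle(...)` call, nor how it treats the `WebloggerException` the manager now throws for a malformed handle; if it catches and logs internally, the attacker-controlled handle lands in that log and this code only ever sees `null`. Please confirm both against `WeblogCommentRequest.getWeblog()`, and check the log level and message used there for input that has just failed validation. A short comment on the new line would spare the next reader the same question, e.g. `// getWeblog() does the validated handle lookup; null means unknown or rejected handle`. The enclosing try block continues past the hunk, and the `throw new WebloggerException("unable to lookup weblog: "` statement is cut off at its last line.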
@@ -87,20 +87,19 @@ public class SearchServlet extends HttpServlet {
 
 log.debug("Entering");
 
- Weblog weblog = null;
- WeblogSearchRequest searchRequest = null;
+ Weblog weblog;
+ WeblogSearchRequest searchRequest;
 
 // first off lets parse the incoming request and validate it
 try {
 searchRequest = new WeblogSearchRequest(request);
 
 // now make sure the specified weblog really exists
- weblog = WebloggerFactory
- .getWeblogger()
- .getWeblogManager()
- .getWeblogByHandle(searchRequest.getWeblogHandle(),
- Boolean.TRUE);
-
+ weblog = searchRequest.getWeblog();
+ if (weblog == null) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Weblog not found");
+ return;
+ }
 } catch (Exception e) {
 // invalid search request format or weblog doesn't exist
 log.debug("error creating weblog search request", e);
@@ -229,7 +228,7 @@ public class SearchServlet extends HttpServlet {
 }
 
 // lookup Renderer we are going to use
- Renderer renderer = null;
+ Renderer renderer;
 try {
 log.debug("Looking up renderer");
 renderer = RendererManager.getRenderer(page, deviceType);
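Review bot: The new `weblog == null` branch answers with `SC_BAD_REQUEST` and the text "Weblog not found", but a well-formed handle that matches no weblog is a missing resource rather than a malformed request; `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Weblog not found");` is the accurate status and what clients and crawlers expect for a nonexistent weblog. Separately, the removed call passed `Boolean.TRUE` for `visible` explicitly, while `searchRequest.getWeblog()` is defined outside this diff, so please confirm it still restricts the lookup to visible weblogs; otherwise search could become reachable for weblogs that should not be. The `catch (Exception e)` below still handles the case where `getWeblog()` propagates the manager's null/malformed-handle exception, and the response it sends is outside the hunk, so check it stays consistent with the new inline error. The enclosing method body continues past the end of the hunk.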
