Author: ate
Date: Mon Mar 1 16:37:44 2010
New Revision: 917578
URL: http://svn.apache.org/viewvc?rev=917578&view=rev
Log:
Fix for JS2-1075 - possible cross site scripting during login and JS2-1076 -
insecure redirector during login
See:
http://issues.apache.org/jira/browse/JS2-1075
http://issues.apache.org/jira/browse/JS2-1076
Thanks for the report Radko Keves
Modified:
portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/portal/src/java/org/apache/jetspeed/login/LoginProxyServlet.java
Modified:
portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/portal/src/java/org/apache/jetspeed/login/LoginProxyServlet.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/portal/src/java/org/apache/jetspeed/login/LoginProxyServlet.java?rev=917578&r1=917577&r2=917578&view=diff
==============================================================================
---
portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/portal/src/java/org/apache/jetspeed/login/LoginProxyServlet.java
(original)
+++
portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/portal/src/java/org/apache/jetspeed/login/LoginProxyServlet.java
Mon Mar 1 16:37:44 2010
@@ -27,6 +27,7 @@
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.jetspeed.Jetspeed;
import org.apache.jetspeed.PortalReservedParameters;
import org.apache.jetspeed.administration.PortalAuthenticationConfiguration;
@@ -64,19 +65,28 @@
parameter = request.getParameter(LoginConstants.DESTINATION);
if (parameter != null)
+ {
+ parameter = StringEscapeUtils.escapeHtml(parameter);
session.setAttribute(LoginConstants.DESTINATION, parameter);
+ }
else
session.removeAttribute(LoginConstants.DESTINATION);
if (credentialsFromRequest)
{
username = request.getParameter(LoginConstants.USERNAME);
if (username != null)
+ {
+ username = StringEscapeUtils.escapeHtml(username);
session.setAttribute(LoginConstants.USERNAME, username);
+ }
else
session.removeAttribute(LoginConstants.USERNAME);
parameter = request.getParameter(LoginConstants.PASSWORD);
if (parameter != null)
+ {
+ parameter = StringEscapeUtils.escapeHtml(parameter);
session.setAttribute(LoginConstants.PASSWORD, parameter);
+ }
else
session.removeAttribute(LoginConstants.PASSWORD);
}
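Review bot: Applying StringEscapeUtils.escapeHtml to the password before it is put in the session (the line `parameter = StringEscapeUtils.escapeHtml(parameter);` under the LoginConstants.PASSWORD branch) changes the credential itself, so any password containing `&`, `<`, `>` or `"` will be stored as its entity-encoded form and presumably no longer match what the user typed; HTML escaping is an output encoding and belongs where these values are rendered into a page, not at the point they are captured. The same applies, less harmfully, to the USERNAME branch, where the escaped value is what later code will compare against the account store. For the JS2-1076 redirect issue, escaping LoginConstants.DESTINATION does not constrain where the destination points — an absolute URL to another host survives escapeHtml unchanged — so the redirect target still needs a structural check (for example, rejecting values that contain `://` or start with `//` and only accepting paths local to the portal) before it is used; the code that performs the redirect is not in this hunk, so I cannot tell whether such a check already exists there. The enclosing method starts before and continues after this hunk.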