Author: angela
Date: Wed Mar 26 09:47:11 2014
New Revision: 1581770
URL: http://svn.apache.org/r1581770
Log:
OAK-1615 : Incomplete escaping in XPathConditionVisitor
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/QueryUtil.java
Wed Mar 26 09:47:11 2014
@@ -22,6 +22,7 @@ import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
@@ -82,7 +83,7 @@ public final class QueryUtil {
* @return escaped string
*/
@Nonnull
- public static String escapeNodeName(String string) {
+ public static String escapeNodeName(@Nonnull String string) {
StringBuilder result = new StringBuilder();
int k = 0;
@@ -107,11 +108,12 @@ public final class QueryUtil {
}
@Nonnull
- public static String format(Value value) throws RepositoryException {
+ public static String format(@Nonnull Value value) throws
RepositoryException {
+ String s;
switch (value.getType()) {
case PropertyType.STRING:
case PropertyType.BOOLEAN:
- return '\'' + value.getString() + '\'';
+ return '\'' + QueryUtil.escapeForQuery(value.getString()) +
'\'';
case PropertyType.LONG:
case PropertyType.DOUBLE:
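Review bot: The added `String s;` at the top of `format` is not used by any line visible in this hunk; unless a branch outside the hunk assigns it, the declaration should be dropped. The STRING/BOOLEAN branch now escapes the value before wrapping it in quotes, but the branches after `case PropertyType.DOUBLE:` lie outside the hunk. It is worth confirming that any later branch which also places `value.getString()` between quotes gets the same `escapeForQuery` call. The `QueryUtil.` qualifier on the call is redundant inside `QueryUtil` itself.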
@@ -126,7 +128,12 @@ public final class QueryUtil {
}
@Nonnull
- public static String escapeForQuery(String value) {
+ public static String escapeForQuery(@Nonnull String oakName, @Nonnull
NamePathMapper namePathMapper) {
+ return escapeForQuery(namePathMapper.getJcrName(oakName));
+ }
+
+ @Nonnull
+ public static String escapeForQuery(@Nonnull String value) {
StringBuilder ret = new StringBuilder();
for (int i = 0; i < value.length(); i++) {
char c = value.charAt(i);
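Review bot: The new two-argument `escapeForQuery` overload has no Javadoc, and the two overloads now share a name while doing different work: one maps an Oak name to its JCR form first, the other escapes a raw value. I would add a comment such as `/** Maps {@code oakName} to its JCR name and escapes the result with {@link #escapeForQuery(String)}. */`. The one-argument method should also state which query position its output is safe in (inside a quoted literal only, or also as a bare name). Its loop body continues outside this hunk, so which characters it escapes cannot be confirmed from here.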
@@ -142,7 +149,7 @@ public final class QueryUtil {
}
@Nonnull
- public static RelationOp getCollation(QueryBuilder.Direction direction)
throws RepositoryException {
+ public static RelationOp getCollation(@Nonnull QueryBuilder.Direction
direction) throws RepositoryException {
switch (direction) {
case ASCENDING:
return RelationOp.GT;
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathConditionVisitor.java
Wed Mar 26 09:47:11 2014
@@ -47,9 +47,9 @@ class XPathConditionVisitor implements C
public void visit(Condition.Node condition) throws RepositoryException {
statement.append('(')
.append("jcr:like(@")
-
.append(namePathMapper.getJcrName(UserConstants.REP_PRINCIPAL_NAME))
+
.append(QueryUtil.escapeForQuery(UserConstants.REP_PRINCIPAL_NAME,
namePathMapper))
.append(",'")
- .append(condition.getPattern())
+ .append(QueryUtil.escapeForQuery(condition.getPattern()))
.append("')")
.append(" or ")
.append("jcr:like(fn:name(),'")
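Review bot: Only the first `jcr:like` argument in `visit(Condition.Node)` is visibly escaped here; the second call, `jcr:like(fn:name(),'`, opens a quoted literal whose content is appended outside this hunk. If that content is also derived from `condition.getPattern()`, it needs an escape suited to the literal as well (`QueryUtil.escapeNodeName` may already be what is used there). Otherwise the same pattern is escaped in one place and raw in the other. A short comment above the two appends saying which escaper applies to which argument would make the asymmetry deliberate rather than accidental.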
@@ -62,15 +62,15 @@ class XPathConditionVisitor implements C
public void visit(Condition.Property condition) throws RepositoryException
{
RelationOp relOp = condition.getOp();
if (relOp == RelationOp.EX) {
- statement.append(condition.getRelPath());
+ statement.append(QueryUtil.escapeForQuery(condition.getRelPath()));
} else if (relOp == RelationOp.LIKE) {
statement.append("jcr:like(")
- .append(condition.getRelPath())
+ .append(QueryUtil.escapeForQuery(condition.getRelPath()))
.append(",'")
- .append(condition.getPattern())
+ .append(QueryUtil.escapeForQuery(condition.getPattern()))
.append("')");
} else {
- statement.append(condition.getRelPath())
+ statement.append(QueryUtil.escapeForQuery(condition.getRelPath()))
.append(condition.getOp().getOp())
.append(QueryUtil.format(condition.getValue()));
}
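Review bot: `condition.getRelPath()` is appended outside any quotes in all three branches of `visit(Condition.Property)`, yet it goes through the same `escapeForQuery(String)` that is used for the quoted pattern and value. An escaper written for string literals does not, by itself, constrain what a caller-supplied path can contribute to the statement's structure. The relative path should instead be validated as a path (or each segment name-encoded) before it is appended, or the method should document that `relPath` is trusted. The same applies to `getRelPath()` in `visit(Condition.Contains)` in the next hunk. The body of `escapeForQuery` is not fully visible in this mail, so this should be confirmed against its implementation.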
@@ -79,9 +79,9 @@ class XPathConditionVisitor implements C
@Override
public void visit(Condition.Contains condition) {
statement.append("jcr:contains(")
- .append(condition.getRelPath())
+ .append(QueryUtil.escapeForQuery(condition.getRelPath()))
.append(",'")
- .append(condition.getSearchExpr())
+ .append(QueryUtil.escapeForQuery(condition.getSearchExpr()))
.append("')");
}
@@ -97,15 +97,15 @@ class XPathConditionVisitor implements C
}
if (isAdmin) {
statement.append('@')
-
.append(namePathMapper.getJcrName(JcrConstants.JCR_PRIMARYTYPE))
+
.append(QueryUtil.escapeForQuery(JcrConstants.JCR_PRIMARYTYPE, namePathMapper))
.append("='")
-
.append(namePathMapper.getJcrName(UserConstants.NT_REP_USER))
+
.append(QueryUtil.escapeForQuery(UserConstants.NT_REP_USER, namePathMapper))
.append('\'');
} else {
statement.append('@')
-
.append(namePathMapper.getJcrName(UserConstants.REP_IMPERSONATORS))
+
.append(QueryUtil.escapeForQuery(UserConstants.REP_IMPERSONATORS,
namePathMapper))
.append("='")
- .append(condition.getName())
+ .append(QueryUtil.escapeForQuery(condition.getName()))
.append('\'');
}
}
Modified:
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java?rev=1581770&r1=1581769&r2=1581770&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
(original)
+++
jackrabbit/oak/trunk/oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/user/UserQueryTest.java
Wed Mar 26 09:47:11 2014
@@ -36,6 +36,7 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.junit.Test;
/**
@@ -611,12 +612,11 @@ public class UserQueryTest extends Abstr
final String adminPrincipalName =
userMgr.getAuthorizable(superuser.getUserID()).getPrincipal().getName();
Iterator<Authorizable> result = userMgr.findAuthorizables(new Query() {
public <T> void build(QueryBuilder<T> builder) {
- builder.setCondition(builder.
- impersonates(adminPrincipalName));
+ builder.setCondition(builder.impersonates(adminPrincipalName));
}
});
- Iterator<Authorizable> expected =
userMgr.findAuthorizables("rep:principalName", null,
UserManager.SEARCH_TYPE_USER);
+ Iterator<Authorizable> expected =
userMgr.findAuthorizables(UserConstants.REP_PRINCIPAL_NAME, null,
UserManager.SEARCH_TYPE_USER);
assertTrue(result.hasNext());
assertSameElements(expected, result);
}
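Review bot: No test in this revision exercises the escaping it introduces: the two UserQueryTest hunks shown only reformat a call and swap a string literal for `UserConstants.REP_PRINCIPAL_NAME`. A regression test would pin the fix by running `findAuthorizables` with a principal name, pattern and property value containing a single quote and a backslash. It should assert that the result matches only the intended authorizable. The enclosing test method starts outside the hunk.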