Author: radu
Date: Wed May 13 13:18:25 2015
New Revision: 1679204

URL: http://svn.apache.org/r1679204
Log:
SLING-4525 - XSS protection path mangling issue

* Added proper encoding for colons in query string
* Added testcases based on Georg Koester's patch
(patch provided by Vlad Bailescu; closes #80)

Modified:
    
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
    
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1679204&r1=1679203&r2=1679204&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 Wed May 13 13:18:25 2015
@@ -167,6 +167,10 @@ public class XSSAPIImpl implements XSSAP
                     .replaceAll("<", "%3C")
                     .replaceAll("`", "%60")
                     .replaceAll(" ", "%20");
+            int qMarkIx = encodedUrl.indexOf('?');
+            if (qMarkIx > 0) {
+                encodedUrl = encodedUrl.substring(0, qMarkIx) + 
encodedUrl.substring(qMarkIx).replaceAll(":", "%3A");
+            }
             String testHtml = LINK_PREFIX + mangleNamespaces(encodedUrl) + 
LINK_SUFFIX;
             // replace all & with &amp; because filterHTML will also apply 
this encoding
             testHtml = testHtml.replaceAll("&(?!amp)", "&amp;");
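Review bot: The guard `if (qMarkIx > 0)` skips a URL whose very first character is `?`, such as a same-document link `?0_tag:id=test`, so a colon in that query string would still reach `mangleNamespaces` un-encoded; `if (qMarkIx >= 0)` covers that case and changes nothing else. The substring taken from the `?` also spans any `#fragment`, so a fragment colon is encoded only when a query string precedes it — if the intent is to keep every non-path colon out of the namespace mangling, a `#` found before any `?` would presumably need the same treatment, though I cannot see `mangleNamespaces` here to confirm how it treats fragments. `replace(":", "%3A")` would do the same job as `replaceAll` without compiling a regex for a literal. The enclosing method begins before this hunk and continues past it.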

Modified: 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1679204&r1=1679203&r2=1679204&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 Wed May 13 13:18:25 2015
@@ -252,6 +252,16 @@ public class XSSAPIImplTest {
                 // `
                 {"/test/ab`cd", "/test/ab%60cd"},
                 {"http://localhost:4502/test/ab`cd";, 
"http://localhost:4502/test/ab%60cd"},
+                // colons in query string
+                {"/test/search.html?0_tag:id=test", 
"/test/search.html?0_tag%3Aid=test"},
+                { // JCR namespaces and colons in query string
+                        "/test/jcr:content/search.html?0_tag:id=test",
+                        "/test/_jcr_content/search.html?0_tag%3Aid=test"
+                },
+                { // ? in query string
+                        "/test/search.html?0_tag:id=test?ing&1_tag:id=abc",
+                        "/test/search.html?0_tag%3Aid=test?ing&1_tag%3Aid=abc",
+                }
         };
 
         for (String[] aTestData : testData) {
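Review bot: None of the new rows uses an absolute URL, so nothing checks that the colon in `http://localhost:4502/...` stays literal while a colon in the query string is encoded; a row such as `{"http://localhost:4502/test/search.html?0_tag:id=test", "http://localhost:4502/test/search.html?0_tag%3Aid=test"}` would pin that boundary, and the table already has `localhost:4502` rows to model it on. A query-only relative link, `{"?0_tag:id=test", "?0_tag%3Aid=test"}`, is also worth a row: it documents the intended result for the `qMarkIx == 0` edge that the implementation's `> 0` guard currently skips, so expect it to fail until that guard is widened. The trailing comma after the last string of the third row (`"...%3Aid=abc",`) is legal but out of step with the rows above it. The `testData` array and the loop consuming it extend beyond this hunk.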

