Author: manolo Date: Thu Aug 16 09:15:19 2012 New Revision: 1373762 URL: http://svn.apache.org/viewvc?rev=1373762&view=rev Log: Fix XSS vulnerability in message list and view
Modified: james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
Modified: james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java (original)
+++ james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java Thu Aug 16 09:15:19 2012
@@ -117,5 +117,6 @@ public abstract class HupaCallback<T> im
 */
 public void callbackError(Throwable caught) {
 System.out.println("HupaCallBack Error: " + caught);
+ caught.printStackTrace();
 }
 }
Modified: james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java (original)
+++ james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java Thu Aug 16 09:15:19 2012
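Review bot: `caught.printStackTrace()` adds a second unstructured console dump next to the existing `System.out.println` in callbackError, and the `System.out.println("SSS " + expanding)` added in IMAPMessageListView.setExpandLoading in the next file looks like the same leftover debugging; neither belongs in a commit described as an XSS fix. If the error output is meant to stay, route it through the client's logging facility (for GWT client code, which the package name suggests this is, `GWT.log("HupaCallBack Error", caught)`) rather than raw stdout/stderr, and drop the `SSS` line outright. The HupaCallback class continues outside the hunk.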
@@ -363,7 +363,7 @@ public class IMAPMessageListView extends
 dtformat = DateTimeFormat.getFormat("dd.MMM.yyyy HH:mm");
 }
- view.setHTML(dtformat.format(rDate));
+ view.setText(dtformat.format(rDate));
 view.setHorizontalAlignment(HorizontalPanel.ALIGN_RIGHT);
 }
@@ -528,7 +528,7 @@ public class IMAPMessageListView extends
 if (cellValue == null || cellValue.length() < 1) {
 view.setHTML(" ");
 } else {
- view.setHTML(cellValue);
+ view.setText(cellValue);
 }
 }
@@ -791,6 +791,7 @@ public class IMAPMessageListView extends
 }
 public void setExpandLoading(boolean expanding) {
+ System.out.println("SSS " + expanding);
 if (expanding) {
 loading.show();
 } else {
Modified: james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java (original)
+++ james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java Thu Aug 16 09:15:19 2012
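Review bot: Only two renderers are switched from `setHTML` to `setText` here (the formatted date at -363 and the generic `cellValue` cell at -528), and both hunks cut through their enclosing methods, so it is not visible whether every other column in IMAPMessageListView that renders message-derived strings has had the same treatment. Any remaining `view.setHTML(<string taken from a message header>)` in this class is the same injection point the commit is fixing; a quick audit of the remaining `setHTML` calls in the file would close that off. The `view.setHTML(" ")` on the empty branch is a literal and is fine as it stands, though `setText(" ")` would make the branch consistent with the new line below it.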
@@ -137,8 +137,6 @@ public class GetMessageDetailsHandler ex
 boolean isHTML = handleParts(message, con, sbPlain, attachmentList);
- System.out.println(isHTML);
-
 if (isHTML) {
 mDetails.setText(filterHtmlDocument(sbPlain.toString(), folderName, uid));
 } else {
Modified: james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java (original)
+++ james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java Thu Aug 16 09:15:19 2012
@@ -60,9 +60,9 @@ public class RegexPatterns {
 public static final Pattern regex_unneededTags = Pattern.compile("(?si)(</?(html|body)[^>]*?>)");
 public static final String repl_unneededTags = "";
-
- public static final String EVENT_ATTR_REGEX = "(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)";
- public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
+
+ public static final String EVENT_ATTR_REGEX = "(?:on[a-z]+)";
+ public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)(?:[\"']|\\s+)("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
 public static final String repl_badAttrs = "$1$4";
 public static final Pattern regex_orphandHttpLinks = Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)" + HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
Modified: james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
URL: http://svn.apache.org/viewvc/james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java (original)
+++ james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java Thu Aug 16 09:15:19 2012
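Review bot: The new `(?:[\"']|\\s+)` separator in `regex_badAttrs` is consumed by the match but not re-emitted by `repl_badAttrs` (`$1$4`), so in the very case the quote alternative exists for — an `on*` attribute directly following a quoted value with no whitespace — the closing quote of the preceding attribute is dropped and the sanitised tag is left with an unterminated value (`<img src='1.jpg>`); the whitespace branch is unaffected because group 1's `[^<>]*` still ends on the quote. A lookbehind keeps the quote inside group 1 without renumbering the groups `repl_badAttrs` depends on: `public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)(?:(?<=[\"'])|\\s+)("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");`. More broadly, widening `EVENT_ATTR_REGEX` to `on[a-z]+` is still a deny-list applied to raw markup, so script-bearing constructs that are not event attributes (URL schemes in `href`/`src`, `style`, encoded attribute names) stay outside it; treating these patterns as defence in depth behind an allow-list, parser-based HTML sanitiser is the durable fix and worth recording in a comment on `regex_badAttrs`. The RegexPatterns class continues outside the hunk.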
@@ -85,6 +85,15 @@ public class RegexPatternsTest extends T
 txt = "... <div attr=a onClick=\"something('');\" attr=b onMouseOver=whatever attr=c onKeyup=\"\" /> ...";
 res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
 assertEquals("... <div attr=a attr=b attr=c /> ...", res);
+
+
+ txt = "... <img src='1.jpg' onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
+ res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+ assertEquals("... <img src='1.jpg'> ...", res);
+
+ txt = "... <img src=\"1.jpg\" onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
+ res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+ assertEquals("... <img src=\"1.jpg\"> ...", res);
 }
 public void testRegexHtmlLinks() {
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
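Review bot: Both added cases put whitespace between the quoted `src` value and `onerror`, so they exercise the widened `on[a-z]+` name but never the new `[\"']` separator alternative in `regex_badAttrs`, which is the other half of the change. A third case with no separating space covers it: `txt = "... <img src='1.jpg'onerror=x> ...";` followed by the same `replaceAllRecursive` call and `assertEquals("... <img src='1.jpg'> ...", res);`. With the pattern as committed this produces `... <img src='1.jpg> ...` (the separator eats the closing quote and `$1$4` never restores it), so the assertion also serves as the regression test for that defect. The enclosing test method starts before the hunk.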