Author: manolo
Date: Thu Aug 16 09:15:19 2012
New Revision: 1373762

URL: http://svn.apache.org/viewvc?rev=1373762&view=rev
Log:
Fix XSS vulnerability in message list and view

Modified:
    
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java
    
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
    
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
    
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
    
james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java

Modified: 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java
URL: 
http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java 
(original)
+++ 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/HupaCallback.java 
Thu Aug 16 09:15:19 2012
@@ -117,5 +117,6 @@ public abstract class HupaCallback<T> im
      */
     public void callbackError(Throwable caught) {
         System.out.println("HupaCallBack Error: " + caught);
+        caught.printStackTrace();
     }
 }
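Review bot: `caught.printStackTrace();` in HupaCallback.callbackError is unrelated to the XSS fix named in the log message, and the `System.out.println("SSS " + expanding);` added to IMAPMessageListView.setExpandLoading in the same commit reads as leftover debugging output. Both files are in the client package (GWT, judging by HorizontalPanel), so these prints and traces land in the browser console where they expose internal class names and request state to anyone with developer tools open. Drop the `SSS` line before commit and, if the error visibility is wanted, route it through the application's existing logging instead of stdout. Keeping unrelated diagnostics out of a security fix also leaves the change set easier to audit.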

Modified: 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
URL: 
http://svn.apache.org/viewvc/james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
 (original)
+++ 
james/hupa/trunk/client/src/main/java/org/apache/hupa/client/mvp/IMAPMessageListView.java
 Thu Aug 16 09:15:19 2012
@@ -363,7 +363,7 @@ public class IMAPMessageListView extends
                     dtformat = DateTimeFormat.getFormat("dd.MMM.yyyy HH:mm");
                 }
             
-                view.setHTML(dtformat.format(rDate));
+                view.setText(dtformat.format(rDate));
                 view.setHorizontalAlignment(HorizontalPanel.ALIGN_RIGHT);
             }
             
@@ -528,7 +528,7 @@ public class IMAPMessageListView extends
             if (cellValue == null || cellValue.length() < 1) {
                 view.setHTML("&nbsp");
             } else {
-                view.setHTML(cellValue);
+                view.setText(cellValue);
             }
         }
 
@@ -791,6 +791,7 @@ public class IMAPMessageListView extends
     }
 
     public void setExpandLoading(boolean expanding) {
+        System.out.println("SSS " + expanding);
         if (expanding) {
             loading.show();
         } else {

Modified: 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
URL: 
http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
 (original)
+++ 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/handler/GetMessageDetailsHandler.java
 Thu Aug 16 09:15:19 2012
@@ -137,8 +137,6 @@ public class GetMessageDetailsHandler ex
         
         boolean isHTML = handleParts(message, con, sbPlain, attachmentList);
         
-        System.out.println(isHTML);
-        
         if (isHTML) {
             mDetails.setText(filterHtmlDocument(sbPlain.toString(), 
folderName, uid));
         } else {

Modified: 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
URL: 
http://svn.apache.org/viewvc/james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
 (original)
+++ 
james/hupa/trunk/server/src/main/java/org/apache/hupa/server/utils/RegexPatterns.java
 Thu Aug 16 09:15:19 2012
@@ -60,9 +60,9 @@ public class RegexPatterns {
     
     public static final Pattern regex_unneededTags = 
Pattern.compile("(?si)(</?(html|body)[^>]*?>)");
     public static final String repl_unneededTags = "";
-    
-    public static final String EVENT_ATTR_REGEX = 
"(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)";
-    public static final Pattern regex_badAttrs = 
Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+ EVENT_ATTR_REGEX + 
")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
+
+    public static final String EVENT_ATTR_REGEX = "(?:on[a-z]+)";
+    public static final Pattern regex_badAttrs = 
Pattern.compile("(?si)(<\\w+[^<>]*)(?:[\"']|\\s+)("+ EVENT_ATTR_REGEX + 
")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
     public static final String repl_badAttrs = "$1$4";
     
     public static final Pattern regex_orphandHttpLinks = 
Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)" + 
HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
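Review bot: The new `(?:[\"']|\\s+)` alternative in regex_badAttrs is non-capturing, so when an event attribute directly follows a quoted value the consumed quote is not restored by `repl_badAttrs = "$1$4"` and the sanitized tag comes out with an unbalanced quote (`src='1.jpg` followed by `>`), which changes how the browser parses the remainder of the tag. Keeping the quote inside group 1 avoids that: `Pattern.compile("(?si)(<\\w+[^<>]*)(?:(?<=[\"'])|\\s+)(" + EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])")`. The two assertions added in RegexPatternsTest only exercise the whitespace-separated form, so a case with the attribute adjacent to the closing quote should be added to pin whichever output is intended. More generally this remains a denylist over one shape of attribute separator, so the regex pass should be treated as defence in depth rather than the only control on rendered message HTML.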

Modified: 
james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
URL: 
http://svn.apache.org/viewvc/james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java?rev=1373762&r1=1373761&r2=1373762&view=diff
==============================================================================
--- 
james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
 (original)
+++ 
james/hupa/trunk/server/src/test/java/org/apache/hupa/server/utils/RegexPatternsTest.java
 Thu Aug 16 09:15:19 2012
@@ -85,6 +85,15 @@ public class RegexPatternsTest extends T
         txt = "... <div attr=a onClick=\"something('');\" attr=b 
onMouseOver=whatever attr=c onKeyup=\"\" /> ...";
         res = RegexPatterns.replaceAllRecursive(txt, 
RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
         assertEquals("... <div attr=a attr=b attr=c /> ...", res);
+        
+        
+        txt = "... <img src='1.jpg' 
onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
+        res = RegexPatterns.replaceAllRecursive(txt, 
RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+        assertEquals("... <img src='1.jpg'> ...", res);
+
+        txt = "... <img src=\"1.jpg\" 
onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
+        res = RegexPatterns.replaceAllRecursive(txt, 
RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
+        assertEquals("... <img src=\"1.jpg\"> ...", res);
     }
     
     public void testRegexHtmlLinks() {


