/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 8792

Added by ben leinfelder almost 10 years ago

prevent js scriptlets from running when we return error messages to the client by escaping any potentially harmful xml blocks. https://projects.ecoinformatics.org/ecoinfo/issues/6224

     import javax.servlet.http.HttpServletResponse;
     import javax.servlet.http.HttpSession;
     import org.apache.commons.lang.StringEscapeUtils;
     import org.apache.log4j.Logger;
     import org.apache.log4j.PropertyConfigurator;
-...
     					response.setContentType("text/xml");
     					out.println("<?xml version=\"1.0\"?>");
     					out.println("<error>");
     					out.println("Permission denied for user " + userName + " " + action);
     					String cleanMessage = StringEscapeUtils.escapeXml("Permission denied for user " + userName + " " + action);
     					out.println(cleanMessage);
     					out.println("</error>");
+    				}
     				out.close();
-...
     					response.setContentType("text/xml");
     					out.println("<?xml version=\"1.0\"?>");
     					out.println("<error>");
     					out.println("Permission denied for " + action);
     					String cleanMessage = StringEscapeUtils.escapeXml("Permission denied for " + action);
     					out.println(cleanMessage);
     					out.println("</error>");
+    				}
     				out.close();
-...
     					PrintWriter out = response.getWriter();
     					out.println("<?xml version=\"1.0\"?>");
     					out.println("<error>");
     					out.println("Error: action: " + action + " not registered.  Please report this error.");
     					String cleanMessage = StringEscapeUtils.escapeXml("Error: action: " + action + " not registered.  Please report this error.");
     					out.println(cleanMessage);
     					out.println("</error>");
     					out.close();
+    				}

     import org.apache.commons.fileupload.servlet.ServletFileUpload;
     import org.apache.commons.io.IOUtils;
     import org.apache.commons.io.input.XmlStreamReader;
     import org.apache.commons.lang.StringEscapeUtils;
     import org.apache.log4j.Logger;
     import org.dataone.service.types.v1.AccessPolicy;
     import org.dataone.service.types.v1.Event;
-...
                 } catch (NullPointerException npe) {
                     out.println("<error>Error getting document ID: " + docid
                     out.println("<error>Error getting document ID: " + StringEscapeUtils.escapeXml(docid)
                             + "</error>");
                     //if ( conn != null ) { util.returnConnection(conn); }
                     return;
-...
             out.println("<?xml version=\"1.0\"?>");
             out.println("<isRegistered>");
             out.println("<docid>" + id + "</docid>");
             out.println("<docid>" + StringEscapeUtils.escapeXml(id) + "</docid>");
             out.println("<exists>" + exists + "</exists>");
             out.println("</isRegistered>");
+        }
-...
                 Vector<String> docids = DBUtil.getAllDocids(scope);
                 out.println("<?xml version=\"1.0\"?>");
                 out.println("<idList>");
                 out.println("  <scope>" + scope + "</scope>");
                 out.println("  <scope>" + StringEscapeUtils.escapeXml(scope) + "</scope>");
                 for(int i=0; i<docids.size(); i++) {
                     String docid = docids.elementAt(i);
                     out.println("  <docid>" + docid + "</docid>");
-...
                 String lastDocid = dbutil.getMaxDocid(scope);
                 out.println("<?xml version=\"1.0\"?>");
                 out.println("<lastDocid>");
                 out.println("  <scope>" + scope + "</scope>");
                 out.println("  <scope>" + StringEscapeUtils.escapeXml(scope) + "</scope>");
                 out.println("  <docid>" + lastDocid + "</docid>");
                 out.println("</lastDocid>");
-...
             try {
                 DocumentImpl doc = new DocumentImpl(docid, false);
                 doc.buildIndex();
                 out.print("<docid>" + docid);
                 out.print("<docid>" + StringEscapeUtils.escapeXml(docid));
                 out.println("</docid>");
             } catch (McdbException me) {
                 out.print("<error>");
-...
                 } else {
                     out.println("<?xml version=\"1.0\"?>");
                     out.println("<error>");
                     out.println("Permission denied for " + action);
                     out.println("Permission denied for upload action");
                     out.println("</error>");
+                }
             } else if(action.equals("insertmultipart")) {
-...
               } else {
                   out.println("<?xml version=\"1.0\"?>");
                   out.println("<error>");
                   out.println("Permission denied for " + action);
                   out.println("Permission denied for insertmultipart action");
                   out.println("</error>");
+              }
             } else {
-...
                               "The docid "+docid +" is not valid since it is null or contians the white space(s).");
               if (qformat == null || qformat.equals("xml")) {
                   response.setContentType("text/xml");
                   out.println(output);
                   String cleanMessage = StringEscapeUtils.escapeXml(output);
                   out.println(cleanMessage);
               } else {
                   try {
                       DBTransform trans = new DBTransform();

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 8792

Added by ben leinfelder almost 10 years ago