[Yanel-commits] rev 26689 -
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet
josias at wyona.com
josias at wyona.com
Mon Aug 13 14:18:12 CEST 2007
Author: josias
Date: 2007-08-13 14:18:11 +0200 (Mon, 13 Aug 2007)
New Revision: 26689
Modified:
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
Log:
applied patch for bug #5412: make sure the authentication xml is well-formed, i.e. escape special characters
Modified: public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
===================================================================
--- public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java 2007-08-13 09:12:53 UTC (rev 26688)
+++ public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java 2007-08-13 12:18:11 UTC (rev 26689)
@@ -1458,7 +1458,7 @@
Configuration originalRequestConfig = config.getChild("original-request");
originalRequest = originalRequestConfig.getAttribute("url", null);
-
+
Configuration[] paramConfig = config.getChildren("param");
for (int i = 0; i < paramConfig.length; i++) {
String paramName = paramConfig[i].getAttribute("name", null);
@@ -1508,11 +1508,11 @@
sb.append("<message>Authentication failed!</message>");
sb.append("<authentication>");
// TODO: ...
- sb.append("<original-request url=\"" + originalRequest + "\"/>");
+ sb.append("<original-request url=\"" + encodeXML(originalRequest) + "\"/>");
//sb.append("<original-request url=\"" + getRequestURLQS(request, null, true) + "\"/>");
//TODO: Also support https ...
// TODO: ...
- sb.append("<login url=\"" + originalRequest + "&yanel.usecase=neutron-auth" + "\" method=\"POST\">");
+ sb.append("<login url=\"" + encodeXML(originalRequest) + "&yanel.usecase=neutron-auth" + "\" method=\"POST\">");
//sb.append("<login url=\"" + getRequestURLQS(request, "yanel.usecase=neutron-auth", true) + "\" method=\"POST\">");
sb.append("<form>");
sb.append("<message>Enter username and password for \"" + realm.getName() + "\" at \"" + realm.getMountPoint() + "\"</message>");
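Review bot: The `<message>` line at the end of this hunk still concatenates `realm.getName()` and `realm.getMountPoint()` into element text without escaping, so a realm name or mount point containing `&` or `<` leaves the authentication XML ill-formed even after this patch. Wrap both values: `encodeXML(realm.getName())` and `encodeXML(realm.getMountPoint())`. The same applies to the `realm=\"...\"` attribute on the `<logout>` lines in the hunks at -1522 and -1560, and to the duplicate `<message>` line in the hunk at -1546. Realm values presumably come from configuration rather than from the request, so this is a robustness point more than an injection one, but the escaping should be applied to every interpolated value. The enclosing method starts and ends outside the hunk.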
@@ -1522,7 +1522,7 @@
sb.append("</login>");
// NOTE: Needs to be a full URL, because user might switch the server ...
// TODO: ...
- sb.append("<logout url=\"" + originalRequest + "&yanel.usecase=logout" + "\" realm=\"" + realm.getName() + "\"/>");
+ sb.append("<logout url=\"" + encodeXML(originalRequest) + "&yanel.usecase=logout" + "\" realm=\"" + realm.getName() + "\"/>");
sb.append("</authentication>");
sb.append("</exception>");
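Review bot: On the `<logout>` line the literal `&yanel.usecase=logout` is appended after `encodeXML(originalRequest)`, so if that ampersand is really bare in the file the `url` attribute is still not well-formed XML. This page appears to have decoded entities (the replacement strings in `encodeXML` are shown identical to their patterns), so the repository copy may already read `&amp;yanel.usecase=logout`; that should be confirmed. Encoding the whole value once avoids the question: `encodeXML(originalRequest + "&yanel.usecase=logout")`. The same applies to the `<login>` lines with `&yanel.usecase=neutron-auth` in the hunks at -1508 and -1546, and to the second `<logout>` line at -1560.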
@@ -1546,11 +1546,11 @@
sb.append("<message>Authentication failed because no username was sent!</message>");
sb.append("<authentication>");
// TODO: ...
- sb.append("<original-request url=\"" + originalRequest + "\"/>");
+ sb.append("<original-request url=\"" + encodeXML(originalRequest) + "\"/>");
//sb.append("<original-request url=\"" + getRequestURLQS(request, null, true) + "\"/>");
//TODO: Also support https ...
// TODO: ...
- sb.append("<login url=\"" + originalRequest + "&yanel.usecase=neutron-auth" + "\" method=\"POST\">");
+ sb.append("<login url=\"" + encodeXML(originalRequest) + "&yanel.usecase=neutron-auth" + "\" method=\"POST\">");
//sb.append("<login url=\"" + getRequestURLQS(request, "yanel.usecase=neutron-auth", true) + "\" method=\"POST\">");
sb.append("<form>");
sb.append("<message>Enter username and password for \"" + realm.getName() + "\" at \"" + realm.getMountPoint() + "\"</message>");
@@ -1560,7 +1560,7 @@
sb.append("</login>");
// NOTE: Needs to be a full URL, because user might switch the server ...
// TODO: ...
- sb.append("<logout url=\"" + originalRequest + "&yanel.usecase=logout" + "\" realm=\"" + realm.getName() + "\"/>");
+ sb.append("<logout url=\"" + encodeXML(originalRequest) + "&yanel.usecase=logout" + "\" realm=\"" + realm.getName() + "\"/>");
sb.append("</authentication>");
sb.append("</exception>");
@@ -1583,6 +1583,19 @@
}
/**
+ * Escapes all reserved xml characters (& < > ' ") in a string.
+ * @param s input string
+ * @return string with escaped characters
+ */
+ private String encodeXML(String s) {
+ s = s.replaceAll("&", "&");
+ s = s.replaceAll("<", "<");
+ s = s.replaceAll(">", ">");
+ s = s.replaceAll("'", "'");
+ s = s.replaceAll("\"", """);
+ return s;
+ }
+ /**
*
*/
public HttpServletResponse doLogout(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
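Review bot: `encodeXML` dereferences `s` without a null check, while the first hunk shows `originalRequest` being read with a null default (`getAttribute("url", null)`), so a missing `url` attribute would now throw a NullPointerException where the old concatenation printed `null`. Whether that same value reaches these call sites is not visible here, but a guard such as `if (s == null) return "";` at the top of the method would make it safe. The patterns are plain literals, so `String.replace` would avoid the regex semantics of `replaceAll`, and the method could be `static`. As shown on this page each replacement string equals its pattern, which looks like the archive decoding the entities; it is worth checking that the committed file has `&amp;`, `&lt;`, `&gt;`, `&apos;` and `&quot;`.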