mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
Sanitising of all java.net.URLEncoder class usage to use a proper UTF-8 URL encoder.
Since URLEncoder is actually an HTML form encoder - not really for URI encoding - and it requires an extra step (converting '+' to %20) Replaced with w3 Consortium algorithm for fast UTF-8 URL encoding in a single step (rather than using the cludgy and slow URI core java classes) Addition of Template API for generate URLs to node content download webscript API: node.serviceUrl git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@7316 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Kevin Roast
@@ -25,10 +25,8 @@
|
||||
package org.alfresco.web.app.servlet;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.SocketException;
|
||||
import java.net.URLDecoder;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.Date;
|
||||
import java.util.StringTokenizer;
|
||||
@@ -51,8 +49,8 @@ import org.alfresco.service.cmr.repository.StoreRef;
|
||||
import org.alfresco.service.cmr.security.AccessStatus;
|
||||
import org.alfresco.service.cmr.security.PermissionService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.app.Application;
|
||||
import org.alfresco.web.ui.common.Utils;
|
||||
import org.apache.commons.logging.Log;
|
||||
|
||||
/**
|
||||
@@ -293,21 +291,10 @@ public abstract class BaseDownloadContentServlet extends BaseServlet
|
||||
*/
|
||||
protected final static String generateUrl(String pattern, NodeRef ref, String name)
|
||||
{
|
||||
String url = null;
|
||||
|
||||
try
|
||||
{
|
||||
url = MessageFormat.format(pattern, new Object[] {
|
||||
ref.getStoreRef().getProtocol(),
|
||||
ref.getStoreRef().getIdentifier(),
|
||||
ref.getId(),
|
||||
Utils.replace(URLEncoder.encode(name, "UTF-8"), "+", "%20") } );
|
||||
}
|
||||
catch (UnsupportedEncodingException uee)
|
||||
{
|
||||
throw new AlfrescoRuntimeException("Failed to encode content URL for node: " + ref, uee);
|
||||
}
|
||||
|
||||
return url;
|
||||
return MessageFormat.format(pattern, new Object[] {
|
||||
ref.getStoreRef().getProtocol(),
|
||||
ref.getStoreRef().getIdentifier(),
|
||||
ref.getId(),
|
||||
URLEncoder.encode(name) } );
|
||||
}
|
||||
}
|
||||
|
||||
@@ -35,7 +35,6 @@ import java.io.OutputStreamWriter;
|
||||
import java.io.Reader;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.io.Writer;
|
||||
import java.net.URLEncoder;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
@@ -57,6 +56,7 @@ import org.alfresco.service.cmr.avm.AVMNotFoundException;
|
||||
import org.alfresco.service.cmr.avm.AVMService;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.security.AuthenticationService;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.scripts.WebScriptCache;
|
||||
import org.alfresco.web.scripts.WebScriptMatch;
|
||||
import org.alfresco.web.scripts.WebScriptRequest;
|
||||
@@ -636,15 +636,8 @@ public class PageRendererServlet extends WebScriptServlet
|
||||
{
|
||||
// encode to allow presentation tier webscripts to call themselves non this page
|
||||
// needs the servlet URL plus args to identify the webscript and it's new url
|
||||
try
|
||||
{
|
||||
return context.RequestPath + context.RequestURI + "?" + PARAM_COMPONENT_URL + "=" +
|
||||
URLEncoder.encode(url, "UTF-8") + "&" + PARAM_COMPONENT_ID + "=" + componentId;
|
||||
}
|
||||
catch (UnsupportedEncodingException err)
|
||||
{
|
||||
throw new AlfrescoRuntimeException("Unable to encode UTF-8 format URL: " + url);
|
||||
}
|
||||
return context.RequestPath + context.RequestURI + "?" + PARAM_COMPONENT_URL + "=" +
|
||||
URLEncoder.encode(url) + "&" + PARAM_COMPONENT_ID + "=" + componentId;
|
||||
}
|
||||
|
||||
public String getEncodeScriptUrlFunction(String name)
|
||||
|
||||
@@ -23,20 +23,23 @@
|
||||
*/
|
||||
package org.alfresco.web.forms;
|
||||
|
||||
import freemarker.ext.dom.NodeModel;
|
||||
import freemarker.template.SimpleDate;
|
||||
import freemarker.template.SimpleHash;
|
||||
import freemarker.template.SimpleScalar;
|
||||
import freemarker.template.TemplateHashModel;
|
||||
import freemarker.template.TemplateModel;
|
||||
import freemarker.template.TemplateModelException;
|
||||
import java.io.*;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.io.Serializable;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.*;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.ResourceBundle;
|
||||
|
||||
import javax.faces.context.FacesContext;
|
||||
|
||||
import org.alfresco.error.AlfrescoRuntimeException;
|
||||
import org.alfresco.model.ContentModel;
|
||||
import org.alfresco.model.WCMAppModel;
|
||||
@@ -46,16 +49,17 @@ import org.alfresco.repo.template.TemplateNode;
|
||||
import org.alfresco.service.ServiceRegistry;
|
||||
import org.alfresco.service.cmr.avm.AVMService;
|
||||
import org.alfresco.service.cmr.dictionary.DataTypeDefinition;
|
||||
import org.alfresco.service.cmr.repository.AssociationRef;
|
||||
import org.alfresco.service.cmr.repository.ChildAssociationRef;
|
||||
import org.alfresco.service.cmr.remote.AVMRemote;
|
||||
import org.alfresco.service.cmr.repository.ContentReader;
|
||||
import org.alfresco.service.cmr.repository.ContentService;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.NodeService;
|
||||
import org.alfresco.service.cmr.repository.TemplateException;
|
||||
import org.alfresco.service.cmr.repository.TemplateService;
|
||||
import org.alfresco.service.namespace.*;
|
||||
import org.alfresco.service.cmr.remote.AVMRemote;
|
||||
import org.alfresco.service.namespace.DynamicNamespacePrefixResolver;
|
||||
import org.alfresco.service.namespace.NamespaceService;
|
||||
import org.alfresco.service.namespace.QName;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.app.Application;
|
||||
import org.alfresco.web.bean.repository.Repository;
|
||||
import org.alfresco.web.bean.wcm.AVMUtil;
|
||||
@@ -64,9 +68,15 @@ import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.web.context.WebApplicationContext;
|
||||
import org.springframework.web.jsf.FacesContextUtils;
|
||||
import org.w3c.dom.*;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.Node;
|
||||
import org.xml.sax.SAXException;
|
||||
|
||||
import freemarker.ext.dom.NodeModel;
|
||||
import freemarker.template.SimpleDate;
|
||||
import freemarker.template.SimpleHash;
|
||||
|
||||
|
||||
/**
|
||||
* Implementation of a rendering engine template
|
||||
@@ -393,7 +403,7 @@ public class RenderingEngineTemplateImpl
|
||||
final String[] path = (name.startsWith("/") ? name.substring(1) : name).split("/");
|
||||
for (int i = 0; i < path.length; i++)
|
||||
{
|
||||
path[i] = URLEncoder.encode(path[i], "utf-8").replace("+", "%20");
|
||||
path[i] = URLEncoder.encode(path[i]);
|
||||
}
|
||||
|
||||
final URI uri = new URI(webappUrl + '/' + StringUtils.join(path, '/'));
|
||||
|
||||
@@ -25,9 +25,7 @@
|
||||
package org.alfresco.web.scripts.bean;
|
||||
|
||||
import java.io.StringWriter;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.io.Writer;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.HashMap;
|
||||
import java.util.Locale;
|
||||
@@ -37,19 +35,18 @@ import org.alfresco.i18n.I18NUtil;
|
||||
import org.alfresco.repo.template.TemplateNode;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.service.cmr.repository.StoreRef;
|
||||
import org.alfresco.service.cmr.repository.TemplateException;
|
||||
import org.alfresco.service.cmr.search.ResultSet;
|
||||
import org.alfresco.service.cmr.search.SearchParameters;
|
||||
import org.alfresco.service.cmr.search.SearchService;
|
||||
import org.alfresco.util.GUID;
|
||||
import org.alfresco.util.ParameterCheck;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.scripts.DeclarativeWebScript;
|
||||
import org.alfresco.web.scripts.WebScriptException;
|
||||
import org.alfresco.web.scripts.WebScriptRequest;
|
||||
import org.alfresco.web.scripts.WebScriptStatus;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
|
||||
/**
|
||||
@@ -389,19 +386,11 @@ public class KeywordSearch extends DeclarativeWebScript
|
||||
@Override
|
||||
public String getUrl()
|
||||
{
|
||||
try
|
||||
{
|
||||
return MessageFormat.format(URL, new Object[] {
|
||||
getNodeRef().getStoreRef().getProtocol(),
|
||||
getNodeRef().getStoreRef().getIdentifier(),
|
||||
getNodeRef().getId(),
|
||||
StringUtils.replace(URLEncoder.encode(getName(), "UTF-8"), "+", "%20") } );
|
||||
}
|
||||
catch (UnsupportedEncodingException err)
|
||||
{
|
||||
throw new TemplateException("Failed to encode content URL for node: " + getNodeRef(), err);
|
||||
}
|
||||
return MessageFormat.format(URL, new Object[] {
|
||||
getNodeRef().getStoreRef().getProtocol(),
|
||||
getNodeRef().getStoreRef().getIdentifier(),
|
||||
getNodeRef().getId(),
|
||||
URLEncoder.encode(getName()) } );
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@@ -28,12 +28,12 @@ import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.io.Writer;
|
||||
import java.net.URLEncoder;
|
||||
|
||||
import javax.faces.component.UIForm;
|
||||
import javax.faces.context.FacesContext;
|
||||
|
||||
import org.alfresco.error.AlfrescoRuntimeException;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.scripts.WebScriptCache;
|
||||
import org.alfresco.web.scripts.WebScriptResponse;
|
||||
import org.alfresco.web.ui.common.Utils;
|
||||
@@ -81,14 +81,7 @@ public class WebScriptJSFResponse implements WebScriptResponse
|
||||
buf.append("'].value=");
|
||||
buf.append("'");
|
||||
// encode the URL to the webscript
|
||||
try
|
||||
{
|
||||
buf.append(URLEncoder.encode(url, "UTF-8"));
|
||||
}
|
||||
catch (UnsupportedEncodingException e)
|
||||
{
|
||||
throw new AlfrescoRuntimeException("Unable to utf-8 encode script url.");
|
||||
}
|
||||
buf.append(URLEncoder.encode(url));
|
||||
buf.append("'");
|
||||
buf.append(";");
|
||||
|
||||
|
||||
@@ -27,7 +27,6 @@ package org.alfresco.web.ui.common;
|
||||
import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.io.StringReader;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLEncoder;
|
||||
import java.text.DateFormat;
|
||||
import java.text.SimpleDateFormat;
|
||||
@@ -744,8 +743,7 @@ public final class Utils
|
||||
// build up the path skipping the first path as it is the root folder
|
||||
for (int x = 1; x < paths.size(); x++)
|
||||
{
|
||||
path.append("/").append(
|
||||
Utils.replace(URLEncoder.encode(paths.get(x).getName(), "UTF-8"), "+", "%20"));
|
||||
path.append("/").append(URLEncoder.encode(paths.get(x).getName()));
|
||||
}
|
||||
url = path.toString();
|
||||
}
|
||||
@@ -757,11 +755,6 @@ public final class Utils
|
||||
{
|
||||
// cannot build path if file no longer exists
|
||||
}
|
||||
catch (UnsupportedEncodingException encErr)
|
||||
{
|
||||
if (logger.isWarnEnabled())
|
||||
logger.warn("Failed to calculate webdav url for node: " + node.getNodeRef(), encErr);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
@@ -25,7 +25,6 @@
|
||||
package org.alfresco.web.ui.common.component;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
|
||||
import javax.faces.component.UIOutput;
|
||||
import javax.faces.component.ValueHolder;
|
||||
@@ -34,6 +33,8 @@ import javax.faces.context.ResponseWriter;
|
||||
import javax.faces.convert.Converter;
|
||||
import javax.faces.el.ValueBinding;
|
||||
|
||||
import org.alfresco.util.URLEncoder;
|
||||
|
||||
/**
|
||||
* Component that simply renders text
|
||||
*
|
||||
@@ -139,7 +140,7 @@ public class UIOutputText extends UIOutput
|
||||
|
||||
if (isEncodeForJavaScript())
|
||||
{
|
||||
out.write( URLEncoder.encode((String)getValue(), "UTF-8").replace('+', ' ') );
|
||||
out.write( URLEncoder.encode((String)getValue()) );
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -25,7 +25,6 @@
|
||||
package org.alfresco.web.ui.repo.component;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URLEncoder;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
@@ -43,6 +42,7 @@ import javax.faces.el.ValueBinding;
|
||||
import org.alfresco.config.Config;
|
||||
import org.alfresco.error.AlfrescoRuntimeException;
|
||||
import org.alfresco.service.cmr.repository.NodeRef;
|
||||
import org.alfresco.util.URLEncoder;
|
||||
import org.alfresco.web.app.Application;
|
||||
import org.alfresco.web.bean.repository.Node;
|
||||
import org.alfresco.web.config.ActionsConfigElement;
|
||||
@@ -451,7 +451,7 @@ public class UIActions extends SelfRenderingComponent
|
||||
{
|
||||
// found a Path - encode it as a URL argument
|
||||
scriptHref.append("?scriptPath=");
|
||||
scriptHref.append(Utils.replace(URLEncoder.encode(actionDef.Script, "UTF-8"), "+", "%20"));
|
||||
scriptHref.append(URLEncoder.encode(actionDef.Script));
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user