Merged V3.4-BUG-FIX to HEAD

28583: Merged DEV/TEMPORARY to V3.4-BUG-FIX
      28451: ALF-5601: WCM Reviewer should be able to modify 'Launch Date' of the review item.
         Allows modification of the "wcmwf:launchDate" and "wcmwf:autoDeploy" properties during task management.
   28591: ALF-9208: Site Service performance
   - Avoid going through protected node service to access nodes already retrieved by it! Permission checks showing up as main performance drain.
   - Optimized listMembersImpl to reduce the number of expensive calls to authorityService.getContainedAuthorities
   28592: ALF-9208: Another unnecessary secondary permission check in createSiteInfo
   28593: ALF-9208: Fix to permission evaluation in getSiteNodeRef()
   28624: Merged PATCHES/V3.1.2 to V3.4-BUG-FIX
      28622: ALF-9325: Merged V3.2 to PATCHES/V3.1.2
         17523: ETHREEOH-3337: Fix NPEs in RepoServerMgmt operations
            - Transactional cache can have entries with non-null keys and null values
   28625: Merged DEV/TEMPORARY to V3.4-BUG-FIX (with corrections)
      28621: ALF-9113: CommandServlet.java, line 179 (Header Manipulation)
         1. Reject absolute URLs
         2. Support request-relative URLs that resolve under request context root
   28635: Merged V3.4 to V3.4-BUG-FIX
      28560: ALF-9087: Missing dataTypeAnalyzers_ja.properties in V3.4
      28634: ALF-9249: Stop potential 'ping pong' between subsystems starting and stopping in a cluster
         - Regression introduced by ALF-8025 in Team / 3.4.3
         - Introduced PENDING_BROADCAST_START state, so that a start() after a successful setProperties() broadcasts only once
         - Also automatic subsystem stops aren't broadcast during subsystem export!
         - Happens if sysAdmin edits have been persisted as sysAdmin will already have been started before we get to loading its properties


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@28636 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Dave Ward
2011-06-27 23:41:56 +00:00
parent da95e18d72
commit 5c4c0dee08
2 changed files with 46 additions and 12 deletions

@@ -20,6 +20,8 @@ package org.alfresco.web.app.servlet;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
@@ -165,6 +167,7 @@ public class CommandServlet extends BaseServlet
String returnPage = req.getParameter(ARG_RETURNPAGE);
if (returnPage != null && returnPage.length() != 0)
{
validateReturnPage(returnPage, req);
if (logger.isDebugEnabled())
logger.debug("Redirecting to specified return page: " + returnPage);
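Review bot: The call `validateReturnPage(returnPage, req);` discards the normalised path that the method computes, so the value logged here as the redirect target is still the raw request parameter rather than the string that was actually checked. Have the method return the resolved path and assign it back to `returnPage`, so that what is validated and what is sent in the redirect are the same value. It is also worth confirming that the IllegalArgumentException and MalformedURLException raised by the new call are mapped to a client error response by the surrounding code.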
@@ -192,6 +195,37 @@ public class CommandServlet extends BaseServlet
}
}
/**
* ALF-9113 CommandServlet.java, line 179 (Header Manipulation)
*
* Validates that the redirect page is within the current context.
*
* Examples of valid redirect pages:
* <ul>
* <li>/alfresco/faces/jsp/browse/browse.jsp</li>
* <li>../../browse/browse.jsp</li>
* </ul>
*
* @param pageUrl
* @param req
* @throws MalformedURLException
* @throws IllegalArgumentException
*/
private void validateReturnPage(String pageUrl, HttpServletRequest req) throws MalformedURLException
{
if (pageUrl.indexOf(':') != -1)
{
// ':' only allowed in a URL as part of a scheme prefix
throw new IllegalArgumentException("The redirect URL doesn't support absolute URls");
}
// Evaluate it relative to the request URL and strip out .. and .
pageUrl = new URL(new URL(req.getRequestURL().toString()), pageUrl).getPath();
if (!pageUrl.startsWith(req.getContextPath()))
{
throw new IllegalArgumentException("The redirect URL must be in the same context.");
}
}
/**
* Created the specified CommandProcessor instance. The name of the processor is looked up
* in the client config, it should find a valid class impl and then create it.
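Review bot: In validateReturnPage the same-context test runs on `new URL(...).getPath()`, which drops the authority, so a scheme-relative value (one beginning with `//`) contains no ':' and is judged only by its path even though it resolves to a different host. Compare the resolved URL's host and port with those of the request URL as well, or reject a leading `//` outright, before accepting the value. The `pageUrl.startsWith(req.getContextPath())` check also has no path boundary: it accepts sibling paths that merely share the prefix and accepts every path when the context path is empty, so match on the context path followed by `/`. The Javadoc lists `@param` and `@throws` tags without descriptions; a line stating what is rejected and why would help future maintainers.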