Merge branch 'feature/RM-5345_Fix_security_issues' into 'master'

Feature/RM-5345: fix security issues

See merge request !374
Tuna Aksoy
2017-06-30 15:45:29 +01:00
6 changed files with 39 additions and 63 deletions


@@ -773,12 +773,12 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
{
ParameterCheck.mandatory("params", params);
Writer fileWriter = null;
try
File auditTrailFile = TempFileProvider.createTempFile(AUDIT_TRAIL_FILE_PREFIX,
format == ReportFormat.HTML ? AUDIT_TRAIL_HTML_FILE_SUFFIX : AUDIT_TRAIL_JSON_FILE_SUFFIX);
try (FileOutputStream fileOutputStream = new FileOutputStream(auditTrailFile);
Writer fileWriter = new BufferedWriter(new OutputStreamWriter(fileOutputStream,"UTF8"));)
{
File auditTrailFile = TempFileProvider.createTempFile(AUDIT_TRAIL_FILE_PREFIX,
format == ReportFormat.HTML ? AUDIT_TRAIL_HTML_FILE_SUFFIX : AUDIT_TRAIL_JSON_FILE_SUFFIX);
fileWriter = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(auditTrailFile),"UTF8"));
// Get the results, dumping to file
getAuditTrailImpl(params, null, fileWriter, format);
// Done
@@ -788,14 +788,6 @@ public class RecordsManagementAuditServiceImpl extends AbstractLifecycleBean
{
throw new AlfrescoRuntimeException(MSG_TRAIL_FILE_FAIL, e);
}
finally
{
// close the writer
if (fileWriter != null)
{
try { fileWriter.close(); } catch (IOException closeEx) {}
}
}
}
/**
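Review bot: The charset in the new try-with-resources header is still the string `"UTF8"`, which makes `OutputStreamWriter` look the name up at runtime and declares a checked `UnsupportedEncodingException`; `new OutputStreamWriter(fileOutputStream, StandardCharsets.UTF_8)` avoids both and matches the explicit UTF-8 `Charset` the TransferReport web scripts in this same commit use. The trailing `;` inside the resource list is legal but unusual and reads like a typo. Because `auditTrailFile` is now created before the try, a failure inside `getAuditTrailImpl` surfaces as `AlfrescoRuntimeException` while the partially written audit trail stays in the temp directory — the previous layout presumably had the same gap, but a `catch` that calls `auditTrailFile.delete()` before rethrowing would close it. The enclosing method starts before the first hunk and its return lies outside the view.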


@@ -37,6 +37,7 @@ import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
import org.alfresco.repo.search.SimpleResultSetMetaData;
import org.alfresco.repo.search.impl.lucene.PagingLuceneResultSet;
@@ -172,7 +173,12 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
}
else if (StoreRef.class.isAssignableFrom(returnedObject.getClass()))
{
return decide(authentication, object, config, nodeService.getRootNode((StoreRef) returnedObject)).getStoreRef();
NodeRef rootNodeRef = decide(authentication, object, config, nodeService.getRootNode((StoreRef) returnedObject));
if (rootNodeRef == null)
{
throw new AlfrescoRuntimeException("Root node reference of '" + returnedObject + "' is null.");
}
return rootNodeRef.getStoreRef();
}
else if (NodeRef.class.isAssignableFrom(returnedObject.getClass()))
{
@@ -208,7 +214,7 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
}
else
{
if (logger.isDebugEnabled())
if (logger.isDebugEnabled() && object != null)
{
logger.debug("Uncontrolled object - access allowed for " + object.getClass().getName());
}
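Review bot: The new null guard in the `StoreRef` branch throws a generic `AlfrescoRuntimeException` with no comment on when `decide(...)` can return null for a root node; if, as the provider's structure suggests, `decide` only returns null for a null input and `nodeService.getRootNode` never returns null, the branch exists to satisfy a static analyser and should say so, e.g. `// decide() returns null only for a null input; kept so a null root is never dereferenced`. If a null is instead meant to signal that the caller may not see the store, `AccessDeniedException` is the right type, since a runtime exception surfaces as a server error rather than a permission failure. The `object != null` guard in the last hunk only silences the debug line; the access decision in that branch is unchanged. The enclosing `decide` method begins before the first hunk and ends after the last.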


@@ -51,8 +51,8 @@ import org.alfresco.service.cmr.repository.ContentService;
import org.alfresco.service.cmr.repository.ContentWriter;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.namespace.NamespaceService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.extensions.webscripts.Cache;
import org.springframework.extensions.webscripts.DeclarativeWebScript;
import org.springframework.extensions.webscripts.Status;
@@ -81,7 +81,7 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
private static final String RMC_CUSTOM_RECORD_PROPERTIES = RecordsManagementCustomModel.RM_CUSTOM_PREFIX + ":customRecordProperties";
/** Logger */
private static Log logger = LogFactory.getLog(ApplyDodCertModelFixesGet.class);
private static final Logger LOGGER = LoggerFactory.getLogger(ApplyDodCertModelFixesGet.class);
private ContentService contentService;
private NamespaceService namespaceService;
@@ -99,12 +99,15 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
@Override
public Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache)
{
if (logger.isInfoEnabled())
{
logger.info("Applying webscript-based patches to RM custom model in the repo.");
}
LOGGER.info("Applying webscript-based patches to RM custom model in the repo.");
M2Model customModel = readCustomContentModel();
if (customModel == null)
{
final String msg = "Custom content model could not be read";
LOGGER.error(msg);
throw new AlfrescoRuntimeException(msg);
}
String customAspectName = ASPECT_CUSTOM_ASSOCIATIONS.toPrefixString(namespaceService);
M2Aspect customAssocsAspect = customModel.getAspect(customAspectName);
@@ -112,19 +115,12 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
if (customAssocsAspect == null)
{
final String msg = "Unknown aspect: " + customAspectName;
if (logger.isErrorEnabled())
{
logger.error(msg);
}
LOGGER.error(msg);
throw new AlfrescoRuntimeException(msg);
}
// MOB-1573. All custom references should have many-many multiplicity.
if (logger.isInfoEnabled())
{
logger.info("MOB-1573. All custom references should have many-many multiplicity.");
}
LOGGER.info("MOB-1573. All custom references should have many-many multiplicity.");
for (M2ClassAssociation classAssoc : customAssocsAspect.getAssociations())
{
@@ -134,10 +130,7 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
}
//MOB-1621. Custom fields should be created as untokenized by default.
if (logger.isInfoEnabled())
{
logger.info("MOB-1621. Custom fields should be created as untokenized by default.");
}
LOGGER.info("MOB-1621. Custom fields should be created as untokenized by default.");
List<String> allCustomPropertiesAspects = new ArrayList<String>(4);
allCustomPropertiesAspects.add(RMC_CUSTOM_RECORD_SERIES_PROPERTIES);
@@ -160,10 +153,7 @@ public class ApplyDodCertModelFixesGet extends DeclarativeWebScript
writeCustomContentModel(customModel);
if (logger.isInfoEnabled())
{
logger.info("Completed application of webscript-based patches to RM custom model in the repo.");
}
LOGGER.info("Completed application of webscript-based patches to RM custom model in the repo.");
Map<String, Object> model = new HashMap<String, Object>(1, 1.0f);
model.put("success", true);
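Review bot: The new null check in `executeImpl` logs the message at error level and then throws `AlfrescoRuntimeException` with the same text, so the failure is reported twice once the web script runtime logs the exception; either log or throw, and if the runtime's `WebScriptException` is available (the `Status` import suggests it is), `throw new WebScriptException(Status.STATUS_INTERNAL_SERVER_ERROR, msg)` gives the client a deliberate status instead of a generic 500. The same log-and-throw pair remains in the 'Unknown aspect' branch that was converted to `LOGGER.error(msg)`. Separately, this GET-mapped script ends by calling `writeCustomContentModel(customModel)`, a repository write on a GET request; that predates the change but deserves a line in the class Javadoc so nobody assumes the endpoint is read-only. The method's body continues past the last hunk.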


@@ -83,6 +83,10 @@ public class ApplyFixMob1573Get extends DeclarativeWebScript
public Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache)
{
M2Model customModel = readCustomContentModel();
if (customModel == null)
{
throw new AlfrescoRuntimeException("Custom content model could not be read");
}
// Go through every custom reference defined in the custom model and make sure that it
// has many-to-many multiplicity
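Review bot: The null check added here throws with the same 'Custom content model could not be read' message as the one added to `ApplyDodCertModelFixesGet` in this commit, but unlike that one it does not log, so two sibling web scripts now handle the same failure differently; pick one behaviour, and ideally move the check into the shared `readCustomContentModel()` that both call unqualified (presumably a common base method) so neither caller repeats it. A comment on the branch would also help a reader who cannot see that helper, e.g. `// readCustomContentModel() presumably returns null when the model is missing or unreadable; fail fast instead of NPE below`. The method continues past the hunk.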


@@ -126,8 +126,10 @@ public class TransferReportGet extends BaseTransferWebScript
File generateJSONTransferReport(NodeRef transferNode) throws IOException
{
File report = TempFileProvider.createTempFile(REPORT_FILE_PREFIX, REPORT_FILE_SUFFIX);
Writer writer = null;
try
// create the writer
try (FileOutputStream fileOutputStream = new FileOutputStream(report);
Writer writer = new OutputStreamWriter(fileOutputStream, Charset.forName("UTF-8"));)
{
// get all 'transferred' nodes
NodeRef[] itemsToTransfer = getTransferNodes(transferNode);
@@ -138,9 +140,6 @@ public class TransferReportGet extends BaseTransferWebScript
" items into file: " + report.getAbsolutePath());
}
// create the writer
writer = new OutputStreamWriter(new FileOutputStream(report), Charset.forName("UTF-8"));
// use RMService to get disposition authority
String dispositionAuthority = null;
if (itemsToTransfer.length > 0)
@@ -170,13 +169,6 @@ public class TransferReportGet extends BaseTransferWebScript
// write the JSON footer
writer.write("\n\t\t]\n\t}\n}");
}
finally
{
if (writer != null)
{
try { writer.close(); } catch (IOException ioe) {}
}
}
return report;
}
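Review bot: With the writer now auto-closed, nothing removes the temp `report` file when `getTransferNodes` or one of the `writer.write` calls throws; `generateJSONTransferReport` creates the file before the try and only returns it on success, so a failed run leaves a partially written transfer report in the shared temp directory. A `catch (IOException | RuntimeException e) { report.delete(); throw e; }` after the resource block would clean that up (the method already declares `throws IOException`, so the precise rethrow compiles); the old `finally` had the same gap, so this is a missed chance rather than a regression. `Charset.forName("UTF-8")` in the resource header can be `StandardCharsets.UTF_8`, which drops the runtime lookup. The debug line printing `report.getAbsolutePath()` is unchanged context.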


@@ -234,8 +234,10 @@ public class TransferReportPost extends BaseTransferWebScript
File generateHTMLTransferReport(NodeRef transferNode) throws IOException
{
File report = TempFileProvider.createTempFile(REPORT_FILE_PREFIX, REPORT_FILE_SUFFIX);
Writer writer = null;
try
// create the writer
try (FileOutputStream fileOutputStream = new FileOutputStream(report) ;
Writer writer = new OutputStreamWriter(fileOutputStream, Charset.forName("UTF-8"));)
{
// get all 'transferred' nodes
NodeRef[] itemsToTransfer = getTransferNodes(transferNode);
@@ -246,9 +248,6 @@ public class TransferReportPost extends BaseTransferWebScript
" items into file: " + report.getAbsolutePath());
}
// create the writer
writer = new OutputStreamWriter(new FileOutputStream(report), Charset.forName("UTF-8"));
// use RMService to get disposition authority
String dispositionAuthority = null;
if (itemsToTransfer.length > 0)
@@ -322,13 +321,6 @@ public class TransferReportPost extends BaseTransferWebScript
// write the HTML footer
writer.write("</body></html>");
}
finally
{
if (writer != null)
{
try { writer.close(); } catch (IOException ioe) {}
}
}
return report;
}
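Review bot: As in the JSON variant, the HTML report file is created before the resource block and is not deleted when the body throws, so an aborted `generateHTMLTransferReport` leaves a half-written report on disk; adding `catch (IOException | RuntimeException e) { report.delete(); throw e; }` after the block would remove it before the exception propagates. The resource header also has a stray space before the semicolon in `new FileOutputStream(report) ;` and uses `Charset.forName("UTF-8")` where `StandardCharsets.UTF_8` is the constant-time equivalent. Both hunks cut through the method; its body between the header and the footer write is outside the view.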