REPO-4550 / MNT-20200: Improper neutralization of script-related HTML tags (#315)

* Remove the login link from the Kerberos failed login page
* Fix class headers.
Ancuta Morarasu
2019-08-07 10:54:25 +03:00
committed by GitHub
parent 6122ecb659
commit b21ff5d4c2
8 changed files with 45 additions and 57 deletions


@@ -580,17 +580,14 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
{
resp.setContentType(MIME_HTML_TEXT);
final PrintWriter out = resp.getWriter();
out.println("<html><head>");
// Remove the auto refresh to avoid refresh loop, MNT-16931
// out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" +
// req.getContextPath() + getLoginPageLink() +
// "\">");
out.println("</head><body><p>Please <a href=\"" +
req.getContextPath() + "/faces" + getLoginPage() +
"\">log in</a>.</p>");
out.println("</body></html>");
out.close();
try (PrintWriter out = resp.getWriter())
{
out.println("<html><head>");
// Removed the auto refresh to avoid refresh loop, MNT-16931
// Removed the link to the login page, MNT-20200
out.println("</head><body><p>Login failed. Please try again.</p>");
out.println("</body></html>");
}
}
}
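Review bot: The new body under `try (PrintWriter out = resp.getWriter())` now emits a fixed "Login failed" page, yet the method keeps the name writeLoginPageLink and whatever Javadoc sits above the hunk presumably still describes it as writing a login link; the doc should be brought in line, e.g. `Writes a static login-failure page. The login link and auto-refresh were deliberately dropped (MNT-16931, MNT-20200) so that no request-derived value is written into the response body.` Stating that intent in the Javadoc is what stops a later change from reintroducing `req.getContextPath()` or `getLoginPage()` into the markup unescaped, which is the issue this commit closes. The method signature and the enclosing class start outside the hunk, so I cannot confirm whether a response status is set before this block; if it is not, the page goes out as 200.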


@@ -2,7 +2,7 @@
* #%L
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
@@ -90,16 +90,18 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
* @param resp HttpServletResponse
* @throws IOException
*/
@Override
protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException
{
resp.setContentType(MIME_HTML_TEXT);
final PrintWriter out = resp.getWriter();
out.println("<html><head>");
// Remove the auto refresh to avoid refresh loop, MNT-16931
// out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + req.getContextPath() + "/webdav\">");
out.println("</head><body><p>Please <a href=\"" + req.getContextPath() + getLoginPageLink() +"\">log in</a>.</p>");
out.println("</body></html>");
out.close();
try (PrintWriter out = resp.getWriter())
{
out.println("<html><head>");
// Removed the auto refresh to avoid refresh loop, MNT-16931
// Removed the link to the login page, MNT-20200
out.println("</head><body><p>Login failed. Please try again.</p>");
out.println("</body></html>");
}
}
}
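Review bot: After this change the override of writeLoginPageLink at L56–L74 appears to match the base-class body in BaseSSOAuthenticationFilter line for line (same `MIME_HTML_TEXT` content type, same static markup, same try-with-resources), so the override could be removed and the inherited implementation used, leaving one place where the no-request-data rule for this page is enforced. If the override is kept, the Javadoc at L52–L54 should say what it now does rather than only listing parameters, e.g. `Writes a static login-failure page; intentionally contains no login link or request-derived content (MNT-20200).` The class continues outside the hunk.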


@@ -1,8 +1,8 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of


@@ -1,24 +1,24 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2018 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
* the paid license agreement will prevail. Otherwise, the software is
* provided under the following open source license terms:
*
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
* #L%


@@ -1,8 +1,8 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of


@@ -1,8 +1,8 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of
@@ -78,17 +78,6 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
redirectToLoginPage(req, res);
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onLoginComplete(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@Override
protected boolean onLoginComplete(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean userInit)
throws IOException
{
String requestURI = req.getRequestURI();
return true;
}
/* (non-Javadoc)
* @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#writeLoginPageLink(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
*/
@@ -96,17 +85,17 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp)
throws IOException
{
String redirectURL = req.getRequestURI();
resp.setContentType("text/html; charset=UTF-8");
resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
final PrintWriter out = resp.getWriter();
out.println("<html><head>");
// Remove the auto refresh to avoid refresh loop, MNT-16931
// out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + redirectURL + "\">");
out.println("</head><body><p>Please <a href=\"" + redirectURL + "\">log in</a>.</p>");
out.println("</body></html>");
out.close();
try (PrintWriter out = resp.getWriter())
{
out.println("<html><head>");
// Removed the auto refresh to avoid refresh loop, MNT-16931
// Removed the link to the login page, MNT-20200
out.println("</head><body><p>Login failed. Please try again.</p>");
out.println("</body></html>");
}
}
/* (non-Javadoc)
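Review bot: In the writeLoginPageLink hunk the local `String redirectURL = req.getRequestURI();` at L174 had the removed `<a href=...>` line as its only consumer; the rendered view does not show whether it survives on the new side, and if it does it is now dead code and should be deleted so the request URI is visibly no longer part of this response path. This variant also sets the content type as the literal `"text/html; charset=UTF-8"` while the other two overrides in this commit use `MIME_HTML_TEXT`; using the same constant in all three keeps the charset declaration consistent. Note that this override explicitly sets `HttpServletResponse.SC_UNAUTHORIZED` before writing the page whereas the corresponding hunks in the other two files do not show a status call; it is worth confirming they also return a non-200 status so a failed Kerberos negotiation is not reported as success. The earlier hunk removing the empty onLoginComplete override is straightforward cleanup; the class continues outside both hunks.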


@@ -1,8 +1,8 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of


@@ -1,8 +1,8 @@
/*
* #%L
* Alfresco Repository WAR Community
* Alfresco Remote API
* %%
* Copyright (C) 2005 - 2016 Alfresco Software Limited
* Copyright (C) 2005 - 2019 Alfresco Software Limited
* %%
* This file is part of the Alfresco software.
* If the software was purchased under a paid Alfresco license, the terms of