REPO-4550 / MNT-20200: Improper neutralization of script-related HTML tags (#315)

* Remove the login link from the Kerberos failed login page * Fix class headers.
2025-07-31 17:39:05 +00:00 · 2019-08-07 10:54:25 +03:00
parent 6122ecb659
commit b21ff5d4c2
8 changed files with 45 additions and 57 deletions
--- a/src/main/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java
+++ b/src/main/java/org/alfresco/repo/webdav/auth/BaseSSOAuthenticationFilter.java
@@ -580,17 +580,14 @@ public abstract class BaseSSOAuthenticationFilter extends BaseAuthenticationFilt
        {
            resp.setContentType(MIME_HTML_TEXT);
-            final PrintWriter out = resp.getWriter();
+            try (PrintWriter out = resp.getWriter())
-            out.println("<html><head>");
+            {
-            // Remove the auto refresh to avoid refresh loop, MNT-16931
+                out.println("<html><head>");
-//            out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" +
+                // Removed the auto refresh to avoid refresh loop, MNT-16931
-//                    req.getContextPath() + getLoginPageLink() +
+                // Removed the link to the login page, MNT-20200
-//                    "\">");
+                out.println("</head><body><p>Login failed. Please try again.</p>");
-            out.println("</head><body><p>Please <a href=\"" +
+                out.println("</body></html>");
-                    req.getContextPath() + "/faces" + getLoginPage() +
+            }
                    "\">log in</a>.</p>");
            out.println("</body></html>");
            out.close();
        }
    }
--- a/src/main/java/org/alfresco/repo/webdav/auth/KerberosAuthenticationFilter.java
+++ b/src/main/java/org/alfresco/repo/webdav/auth/KerberosAuthenticationFilter.java
@@ -2,7 +2,7 @@
 * #%L
 * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -90,16 +90,18 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
     * @param resp HttpServletResponse
     * @throws IOException
     */
    @Override
    protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp) throws IOException
    {
        resp.setContentType(MIME_HTML_TEXT);
-        final PrintWriter out = resp.getWriter();
+        try (PrintWriter out = resp.getWriter())
-        out.println("<html><head>");
+        {
-        // Remove the auto refresh to avoid refresh loop, MNT-16931
+            out.println("<html><head>");
-//        out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + req.getContextPath() + "/webdav\">");
+            // Removed the auto refresh to avoid refresh loop, MNT-16931
-        out.println("</head><body><p>Please <a href=\"" + req.getContextPath() + getLoginPageLink() +"\">log in</a>.</p>");
+            // Removed the link to the login page, MNT-20200
-        out.println("</body></html>");
+            out.println("</head><body><p>Login failed. Please try again.</p>");
-        out.close();
+            out.println("</body></html>");
        }
    }
 }
--- a/src/main/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java
+++ b/src/main/java/org/alfresco/web/app/servlet/AlfrescoX509ServletFilter.java
@@ -1,8 +1,8 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
--- a/src/main/java/org/alfresco/web/app/servlet/CORSContextListener.java
+++ b/src/main/java/org/alfresco/web/app/servlet/CORSContextListener.java
@@ -1,24 +1,24 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2018 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
- * This file is part of the Alfresco software.
+ * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of
+ * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is
+ * the paid license agreement will prevail.  Otherwise, the software is 
 * provided under the following open source license terms:
- *
+ * 
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
- *
+ * 
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
- *
+ * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 * #L%
--- a/src/main/java/org/alfresco/web/app/servlet/GlobalLocalizationFilter.java
+++ b/src/main/java/org/alfresco/web/app/servlet/GlobalLocalizationFilter.java
@@ -1,8 +1,8 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
--- a/src/main/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
+++ b/src/main/java/org/alfresco/web/app/servlet/KerberosAuthenticationFilter.java
@@ -1,8 +1,8 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
@@ -78,17 +78,6 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
    	redirectToLoginPage(req, res);
    }
    /* (non-Javadoc)
     * @see org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter#onLoginComplete(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
     */
    @Override
    protected boolean onLoginComplete(ServletContext sc, HttpServletRequest req, HttpServletResponse res, boolean userInit)
        throws IOException
    {
        String requestURI = req.getRequestURI();
        return true;
    }
    /* (non-Javadoc)
     * @see org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter#writeLoginPageLink(javax.servlet.ServletContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
     */
@@ -96,17 +85,17 @@ public class KerberosAuthenticationFilter extends BaseKerberosAuthenticationFilt
    protected void writeLoginPageLink(ServletContext context, HttpServletRequest req, HttpServletResponse resp)
            throws IOException
    {
        String redirectURL = req.getRequestURI();
        resp.setContentType("text/html; charset=UTF-8");
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-
+        
-        final PrintWriter out = resp.getWriter();
+        try (PrintWriter out = resp.getWriter())
-        out.println("<html><head>");
+        {
-        // Remove the auto refresh to avoid refresh loop, MNT-16931
+            out.println("<html><head>");
-//         out.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + redirectURL + "\">");
+            // Removed the auto refresh to avoid refresh loop, MNT-16931
-        out.println("</head><body><p>Please <a href=\"" + redirectURL + "\">log in</a>.</p>");
+            // Removed the link to the login page, MNT-20200
-        out.println("</body></html>");
+            out.println("</head><body><p>Login failed. Please try again.</p>");
-        out.close();
+            out.println("</body></html>");
        }
    }
    /* (non-Javadoc)
--- a/src/main/java/org/alfresco/web/app/servlet/WebScriptSSOAuthenticationFilter.java
+++ b/src/main/java/org/alfresco/web/app/servlet/WebScriptSSOAuthenticationFilter.java
@@ -1,8 +1,8 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
--- a/src/main/java/org/alfresco/web/app/servlet/WebscriptCookieAuthenticationFilter.java
+++ b/src/main/java/org/alfresco/web/app/servlet/WebscriptCookieAuthenticationFilter.java
@@ -1,8 +1,8 @@
 /*
 * #%L
- * Alfresco Repository WAR Community
+ * Alfresco Remote API
 * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * Copyright (C) 2005 - 2019 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of