From e392f06a8e1920e4404f11f74c8f51795ad590a6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 27 Nov 2017 15:33:37 +0100 Subject: add some more escaptions --- .../configuration/struts/action/IndexAction.java | 32 +++++----------------- 1 file changed, 7 insertions(+), 25 deletions(-) (limited to 'id/ConfigWebTool/src/main') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index df1786402..bf75a3068 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -39,7 +39,6 @@ import org.apache.log4j.Logger; import org.joda.time.DateTime; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; -import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; @@ -51,34 +50,18 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCredentialResolverFactory; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider; import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; @@ -86,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager; import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils; -import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; import at.gv.egovernment.moa.id.configuration.exception.BasicActionException; import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; @@ -160,7 +142,7 @@ public class IndexAction extends BasicAction { if (MiscUtil.isNotEmpty(username)) { if (ValidationHelper.containsNotValidCharacter(username, false)) { - log.warn("Username contains potentail XSS characters: " + username); + log.warn("Username contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(username)); addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); return Constants.STRUTS_ERROR; @@ -197,13 +179,13 @@ public class IndexAction extends BasicAction { dbuser.setIsUsernamePasswordAllowed(true); if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) { - log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed"); + log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " is not active or Username/Password login is not allowed"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request)); return Constants.STRUTS_ERROR; } if (!dbuser.getPassword().equals(key)) { - log.warn("Username " + dbuser.getUsername() + " use a false password"); + log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " use a false password"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request)); return Constants.STRUTS_ERROR; } @@ -615,7 +597,7 @@ public class IndexAction extends BasicAction { check = user.getInstitut(); if (MiscUtil.isNotEmpty(check)) { if (ValidationHelper.containsNotValidCharacter(check, false)) { - log.warn("Organisation contains potentail XSS characters: " + check); + log.warn("Organisation contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } @@ -628,7 +610,7 @@ public class IndexAction extends BasicAction { check = user.getMail(); if (MiscUtil.isNotEmpty(check)) { if (!ValidationHelper.isEmailAddressFormat(check)) { - log.warn("Mailaddress is not valid: " + check); + log.warn("Mailaddress is not valid: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } @@ -640,7 +622,7 @@ public class IndexAction extends BasicAction { check = user.getPhone(); if (MiscUtil.isNotEmpty(check)) { if (!ValidationHelper.validatePhoneNumber(check)) { - log.warn("No valid Phone Number: " + check); + log.warn("No valid Phone Number: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } -- cgit v1.2.3