From cc09b52b5cb1c93543d8b4353dfc59b8192e79af Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sun, 26 Nov 2017 21:04:51 +0100 Subject: add String escaping on same methods --- .../moa/id/auth/validator/parep/ParepUtils.java | 36 +++++++++++----------- .../oauth20/protocol/OAuth20AuthAction.java | 2 +- .../ssotransfer/servlet/SSOTransferServlet.java | 7 ++--- 3 files changed, 22 insertions(+), 23 deletions(-) (limited to 'id/server/modules') diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 09c64c267..7bb07df74 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -94,24 +94,24 @@ public class ParepUtils { return str == null || "".equals(str); } - /** - * Reads a XML document from an input stream (namespace-aware). - * - * @param is - * the input stream to read from. - * @return the read XML document. - * @throws SZRGWClientException - * if an error occurs reading the document from the input stream. - */ - public static Document readDocFromIs(InputStream is) throws SZRGWClientException { - try { - DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); - f.setNamespaceAware(true); - return f.newDocumentBuilder().parse(is); - } catch (Exception e) { - throw new SZRGWClientException(e); - } - } +// /** +// * Reads a XML document from an input stream (namespace-aware). +// * +// * @param is +// * the input stream to read from. +// * @return the read XML document. +// * @throws SZRGWClientException +// * if an error occurs reading the document from the input stream. +// */ +// public static Document readDocFromIs(InputStream is) throws SZRGWClientException { +// try { +// DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); +// f.setNamespaceAware(true); +// return f.newDocumentBuilder().parse(is); +// } catch (Exception e) { +// throw new SZRGWClientException(e); +// } +// } // /* // * diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index b2522ea33..b7c54203f 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -71,7 +71,7 @@ class OAuth20AuthAction implements IAction { revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST); - String code = Random.nextRandom(); + String code = Random.nextHexRandom32(); try { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index 7d1bfd7b9..a37beac70 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.Extension; @@ -186,7 +187,7 @@ public class SSOTransferServlet{ Logger.debug("Receive " + this.getClass().getName() + " request"); Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { Logger.debug("Load token:" + token + " from storage."); SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000); @@ -285,7 +286,7 @@ public class SSOTransferServlet{ Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut); if (container != null) { @@ -402,8 +403,6 @@ public class SSOTransferServlet{ null); if (ssomanager.isValidSSOSession(ssoid, null)) { - //Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); - //create first step of SSO Transfer GUI IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid); -- cgit v1.2.3