diff options
author | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-01-19 07:37:59 +0000 |
---|---|---|
committer | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-01-19 07:37:59 +0000 |
commit | a5743a4e7157cb115cb1564d9327a426afac5ee0 (patch) | |
tree | 75c71ec5fa5cbd61d58a660c324be1fb0466df83 /BKUOnline/src | |
parent | 678f2d84046c8e3ab7abe459d984868d4c9d2a3c (diff) | |
download | mocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.tar.gz mocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.tar.bz2 mocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.zip |
Fixes XSS vulnerability.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@577 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src')
-rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java | 176 | ||||
-rw-r--r-- | BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml | 83 |
2 files changed, 183 insertions, 76 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java index f6d7a50c..7dfec211 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java @@ -19,10 +19,17 @@ package at.gv.egiz.bku.online.webapp; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.net.MalformedURLException; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URL; +import java.net.URLEncoder; +import java.util.Arrays; import java.util.Enumeration; import java.util.HashMap; import java.util.Locale; import java.util.Map; +import java.util.regex.Pattern; import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; @@ -46,10 +53,35 @@ import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; */ public class BKURequestHandler extends SpringBKUServlet { + private static final long serialVersionUID = 1L; + public static final String APPLET_PAGE_P = "appletPage"; public static final String APPLET_PAGE_DEFAULT = "BKUApplet"; - - private static final long serialVersionUID = 1L; + + public static final String PARAM_APPLET_WIDTH = "appletWidth"; + public static final String ATTR_APPLET_WIDTH = "appletWidth"; + + public static final String PARAM_APPLET_HEIGHT = "appletHeight"; + public static final String ATTR_APPLET_HEIGHT = "appletHeight"; + + public static final String PARAM_APPLET_BACKGROUND = "appletBackground"; + public static final String ATTR_APPLET_BACKGROUND = "appletBackground"; + + public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor"; + public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}"); + + public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle"; + public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle"; + public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"}; + + public static final String PARAM_APPLET_EXTENSION = "appletExtension"; + public static final String ATTR_APPLET_EXTENSION = "appletExtension"; + public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"}; + + public static final String PARAM_LOCALE = "locale"; + public static final String ATTR_LOCALE = "locale"; + public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}"); public final static String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl"; @@ -124,69 +156,127 @@ public class BKURequestHandler extends SpringBKUServlet { log.trace("Trying to find applet parameters in request"); + // appletWidth String width = getStringFromStream(bindingProcessor - .getFormData("appletWidth"), charset); - String height = getStringFromStream(bindingProcessor - .getFormData("appletHeight"), charset); - String background = getStringFromStream(bindingProcessor - .getFormData("appletBackground"), charset); - String backgroundColor = getStringFromStream(bindingProcessor - .getFormData("appletBackgroundColor"), charset); - String guiStyle = getStringFromStream(bindingProcessor - .getFormData("appletGuiStyle"), charset); - String hashDataDisplay = getStringFromStream(bindingProcessor - .getFormData("appletHashDataDisplay"), charset); - String localeFormParam = getStringFromStream(bindingProcessor - .getFormData("locale"), charset); - String extension = getStringFromStream(bindingProcessor - .getFormData("appletExtension"), charset); - + .getFormData(PARAM_APPLET_WIDTH), charset); if (width != null) { try { - log.trace("Found applet width parameter: " + width); - int wI = Integer.parseInt(width); - session.setAttribute("appletWidth", wI); + // must be a valid integer + session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width)); + log.trace("Found parameter " + PARAM_APPLET_WIDTH + "='" + width +"'."); } catch (NumberFormatException nfe) { - log.warn(nfe); + log.warn("Applet parameter " + PARAM_APPLET_WIDTH + + " does not contain a valid value.", nfe); } } + + // appletHeight + String height = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_HEIGHT), charset); if (height != null) { try { - log.trace("Found applet height parameter: " + height); - int hI = Integer.parseInt(height); - session.setAttribute("appletHeight", hI); + // must be a valid integer + session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height)); + log.trace("Found parameter " + PARAM_APPLET_HEIGHT + "='" + height + "'."); } catch (NumberFormatException nfe) { - log.warn(nfe); + log.warn("Applet parameter " + PARAM_APPLET_HEIGHT + + " does not contain a valid value.", nfe); } } + + // appletBackground + String background = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND), charset); if (background != null) { - log.trace("Found applet background parameter: " + background); - session.setAttribute("appletBackground", background); + session.setAttribute(ATTR_APPLET_BACKGROUND, background); + try { + // must be a valid http or https URL + URI backgroundURL = new URI(background); + if ("http".equals(backgroundURL.getScheme()) + || "https".equals(backgroundURL.getScheme())) { + session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL.toASCIIString()); + log.trace("Found parameter " + PARAM_APPLET_BACKGROUND + "='" + + backgroundURL.toASCIIString() + "'."); + } else { + log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" + + background + "' is not a valid http/https URL."); + } + } catch (URISyntaxException e) { + log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='" + + background + "' is not a valid http/https URL.", e); + } } + + // appletBackgroundColor + String backgroundColor = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset); if (backgroundColor != null) { - log.trace("Faund applet background color parameter: " + backgroundColor); - session.setAttribute("appletBackgroundColor", backgroundColor); + // must be a valid color definition + if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) { + session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor); + log.trace("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" + + backgroundColor + "'."); + } else { + log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='" + + backgroundColor + "' is not a valid color definition (must be of form '#hhhhhh')."); + } } + + // appletGuiStyle + String guiStyle = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_GUI_STYLE), charset); if (guiStyle != null) { - log.trace("Found applet GUI style parameter: " + guiStyle); - session.setAttribute("appletGuiStyle", guiStyle); - } - if (hashDataDisplay != null) { - log.trace("Found applet hash data display parameter: " + hashDataDisplay); - session.setAttribute("appletHashDataDisplay", hashDataDisplay); + // must be one of VALUES_APPLET_GUI_STYLE + String style = guiStyle.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) { + session.setAttribute(ATTR_APPLET_GUI_STYLE, style); + log.trace("Found parameter " + PARAM_APPLET_GUI_STYLE + "='" + + style + "'."); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Applet parameter ").append(PARAM_APPLET_GUI_STYLE).append( + "='").append(guiStyle).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(")."); + log.warn(sb); + } } - if (extension != null && !"".equals(extension)) { - log.trace("Found applet extension parameter: " + extension); - session.setAttribute("extension", extension); + + // appletExtension + String extension = getStringFromStream(bindingProcessor + .getFormData(PARAM_APPLET_EXTENSION), charset); + if (extension != null) { + // must be one of VALUES_APPLET_EXTENSION + String ext = extension.toLowerCase(); + if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) { + session.setAttribute(ATTR_APPLET_EXTENSION, ext); + log.trace("Found parameter " + PARAM_APPLET_EXTENSION + "='" + + ext + "'."); + } else { + StringBuilder sb = new StringBuilder(); + sb.append("Applet parameter ").append(PARAM_APPLET_EXTENSION).append( + "='").append(extension).append("' is not valid (must be one of ") + .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(")."); + log.warn(sb); + } } + + // locale + String localeFormParam = getStringFromStream(bindingProcessor + .getFormData(PARAM_LOCALE), charset); if (localeFormParam != null) { - log.debug("overrule accept-language locale " + locale - + " with form param " + localeFormParam); - locale = new Locale(localeFormParam); + // must be a valid locale + if (PATTERN_LOCALE.matcher(localeFormParam).matches()) { + locale = new Locale(localeFormParam); + log.debug("Overrule accept-language header locale " + locale + + " with form param " + localeFormParam + "."); + } else { + log.warn("Parameter " + PARAM_LOCALE + "='" + localeFormParam + + "' is not a valid locale definition."); + } } if (locale != null) { log.debug("Using locale " + locale); - session.setAttribute("locale", locale.toString()); + session.setAttribute(ATTR_LOCALE, locale.toString()); } // handle server side redirect url after processing diff --git a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml index 0324030e..fb3cae63 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml +++ b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml @@ -30,47 +30,64 @@ <bean id="slCommandFactory" class="at.gv.egiz.bku.slcommands.SLCommandFactory"
factory-method="getInstance">
- <property name="commandImpl">
- <map>
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:NullOperationRequest"
- value="at.gv.egiz.bku.slcommands.impl.NullOperationCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxReadRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxUpdateRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:CreateXMLSignatureRequest"
- value="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:GetStatusRequest"
- value="at.gv.egiz.bku.slcommands.impl.GetStatusCommandImpl" />
- </map>
+ <property name="concreteFactories">
+ <map>
+ <entry key-ref="nullOperationRequest" value-ref="nullOperationCommandFactory"/>
+ <entry key-ref="infoboxReadRequest" value-ref="infoboxReadCommandFactory"/>
+ <entry key-ref="infoboxUpdateRequest" value-ref="infoboxUpdateCommandFactory"/>
+ <entry key-ref="createXMLSignatureRequest" value-ref="createXMLSignatureCommandFactory"/>
+ <entry key-ref="getStatusRequest" value-ref="getStatusCommandFactory"/>
+ </map>
</property>
</bean>
- <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory"
- factory-method="getInstance">
- <property name="infoboxImpl">
+ <bean id="nullOperationCommandFactory" class="at.gv.egiz.bku.slcommands.impl.NullOperationCommandFactory"/>
+ <bean id="nullOperationRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="NullOperationRequest"/>
+ </bean>
+ <bean id="infoboxReadCommandFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory"/>
+ </bean>
+ <bean id="infoboxReadRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="InfoboxReadRequest"/>
+ </bean>
+ <bean id="infoboxUpdateCommandFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory"/>
+ </bean>
+ <bean id="infoboxUpdateRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="InfoboxUpdateRequest"/>
+ </bean>
+ <bean id="createXMLSignatureCommandFactory" class="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandFactory"/>
+ <bean id="createXMLSignatureRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="CreateXMLSignatureRequest"/>
+ </bean>
+ <bean id="getStatusCommandFactory" class="at.gv.egiz.bku.slcommands.impl.GetStatusCommandFactory"/>
+ <bean id="getStatusRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="GetStatusRequest"/>
+ </bean>
+
+ <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory">
+ <property name="infoboxFactories">
<map>
- <entry
- key="Certificates"
- value="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxImpl" />
- <entry
- key="IdentityLink"
- value="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxImpl" />
- <entry
- key="CardChannel"
- value="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxImpl" />
- <entry
- key="SV-Personendaten"
- value="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxImpl" />
+ <entry key="Certificates" value-ref="certificatesInfoboxFactory"/>
+ <entry key="IdentityLink" value-ref="identityLinkInfoboxFactory"/>
+ <entry key="CardChannel" value-ref="cardChannelInfoboxFactory"/>
+ <entry key="SV-Personendaten" value-ref="svPersonendatenInfoboxFactory"/>
</map>
</property>
</bean>
+ <bean id="certificatesInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxFactory"/>
+ <bean id="identityLinkInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxFactory"/>
+ <bean id="cardChannelInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxFactory"/>
+ <bean id="svPersonendatenInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxFactory"/>
+
+
<bean id="bindingProcessorManager" class="at.gv.egiz.bku.binding.BindingProcessorManagerImpl"
scope="singleton">
<constructor-arg ref="STALFactory"></constructor-arg>
|