summaryrefslogtreecommitdiff
path: root/BKUOnline/src
diff options
context:
space:
mode:
authormcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-01-19 07:37:59 +0000
committermcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-01-19 07:37:59 +0000
commita5743a4e7157cb115cb1564d9327a426afac5ee0 (patch)
tree75c71ec5fa5cbd61d58a660c324be1fb0466df83 /BKUOnline/src
parent678f2d84046c8e3ab7abe459d984868d4c9d2a3c (diff)
downloadmocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.tar.gz
mocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.tar.bz2
mocca-a5743a4e7157cb115cb1564d9327a426afac5ee0.zip
Fixes XSS vulnerability.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@577 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java176
-rw-r--r--BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml83
2 files changed, 183 insertions, 76 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
index f6d7a50c..7dfec211 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/webapp/BKURequestHandler.java
@@ -19,10 +19,17 @@ package at.gv.egiz.bku.online.webapp;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
+import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
@@ -46,10 +53,35 @@ import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
*/
public class BKURequestHandler extends SpringBKUServlet {
+ private static final long serialVersionUID = 1L;
+
public static final String APPLET_PAGE_P = "appletPage";
public static final String APPLET_PAGE_DEFAULT = "BKUApplet";
-
- private static final long serialVersionUID = 1L;
+
+ public static final String PARAM_APPLET_WIDTH = "appletWidth";
+ public static final String ATTR_APPLET_WIDTH = "appletWidth";
+
+ public static final String PARAM_APPLET_HEIGHT = "appletHeight";
+ public static final String ATTR_APPLET_HEIGHT = "appletHeight";
+
+ public static final String PARAM_APPLET_BACKGROUND = "appletBackground";
+ public static final String ATTR_APPLET_BACKGROUND = "appletBackground";
+
+ public static final String PARAM_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
+ public static final String ATTR_APPLET_BACKGROUND_COLOR = "appletBackgroundColor";
+ public static final Pattern PATTERM_APPLET_BACKGROUND_COLOR = Pattern.compile("\\#[0-9a-fA-F]{6}");
+
+ public static final String PARAM_APPLET_GUI_STYLE = "appletGuiStyle";
+ public static final String ATTR_APPLET_GUI_STYLE = "appletGuiStyle";
+ public static final String[] VALUES_APPLET_GUI_STYLE = new String[] {"tiny", "simple", "advanced"};
+
+ public static final String PARAM_APPLET_EXTENSION = "appletExtension";
+ public static final String ATTR_APPLET_EXTENSION = "appletExtension";
+ public static final String[] VALUES_APPLET_EXTENSION = new String[] {"pin", "activation"};
+
+ public static final String PARAM_LOCALE = "locale";
+ public static final String ATTR_LOCALE = "locale";
+ public static final Pattern PATTERN_LOCALE = Pattern.compile("[a-zA-Z][a-zA-Z](_[a-zA-Z][a-zA-Z]){0,2}");
public final static String REDIRECT_URL_SESSION_ATTRIBUTE = "redirectUrl";
@@ -124,69 +156,127 @@ public class BKURequestHandler extends SpringBKUServlet {
log.trace("Trying to find applet parameters in request");
+ // appletWidth
String width = getStringFromStream(bindingProcessor
- .getFormData("appletWidth"), charset);
- String height = getStringFromStream(bindingProcessor
- .getFormData("appletHeight"), charset);
- String background = getStringFromStream(bindingProcessor
- .getFormData("appletBackground"), charset);
- String backgroundColor = getStringFromStream(bindingProcessor
- .getFormData("appletBackgroundColor"), charset);
- String guiStyle = getStringFromStream(bindingProcessor
- .getFormData("appletGuiStyle"), charset);
- String hashDataDisplay = getStringFromStream(bindingProcessor
- .getFormData("appletHashDataDisplay"), charset);
- String localeFormParam = getStringFromStream(bindingProcessor
- .getFormData("locale"), charset);
- String extension = getStringFromStream(bindingProcessor
- .getFormData("appletExtension"), charset);
-
+ .getFormData(PARAM_APPLET_WIDTH), charset);
if (width != null) {
try {
- log.trace("Found applet width parameter: " + width);
- int wI = Integer.parseInt(width);
- session.setAttribute("appletWidth", wI);
+ // must be a valid integer
+ session.setAttribute(ATTR_APPLET_WIDTH, Integer.parseInt(width));
+ log.trace("Found parameter " + PARAM_APPLET_WIDTH + "='" + width +"'.");
} catch (NumberFormatException nfe) {
- log.warn(nfe);
+ log.warn("Applet parameter " + PARAM_APPLET_WIDTH +
+ " does not contain a valid value.", nfe);
}
}
+
+ // appletHeight
+ String height = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_APPLET_HEIGHT), charset);
if (height != null) {
try {
- log.trace("Found applet height parameter: " + height);
- int hI = Integer.parseInt(height);
- session.setAttribute("appletHeight", hI);
+ // must be a valid integer
+ session.setAttribute(ATTR_APPLET_HEIGHT, Integer.parseInt(height));
+ log.trace("Found parameter " + PARAM_APPLET_HEIGHT + "='" + height + "'.");
} catch (NumberFormatException nfe) {
- log.warn(nfe);
+ log.warn("Applet parameter " + PARAM_APPLET_HEIGHT +
+ " does not contain a valid value.", nfe);
}
}
+
+ // appletBackground
+ String background = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_APPLET_BACKGROUND), charset);
if (background != null) {
- log.trace("Found applet background parameter: " + background);
- session.setAttribute("appletBackground", background);
+ session.setAttribute(ATTR_APPLET_BACKGROUND, background);
+ try {
+ // must be a valid http or https URL
+ URI backgroundURL = new URI(background);
+ if ("http".equals(backgroundURL.getScheme())
+ || "https".equals(backgroundURL.getScheme())) {
+ session.setAttribute(ATTR_APPLET_BACKGROUND, backgroundURL.toASCIIString());
+ log.trace("Found parameter " + PARAM_APPLET_BACKGROUND + "='"
+ + backgroundURL.toASCIIString() + "'.");
+ } else {
+ log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='"
+ + background + "' is not a valid http/https URL.");
+ }
+ } catch (URISyntaxException e) {
+ log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND + "='"
+ + background + "' is not a valid http/https URL.", e);
+ }
}
+
+ // appletBackgroundColor
+ String backgroundColor = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_APPLET_BACKGROUND_COLOR), charset);
if (backgroundColor != null) {
- log.trace("Faund applet background color parameter: " + backgroundColor);
- session.setAttribute("appletBackgroundColor", backgroundColor);
+ // must be a valid color definition
+ if (PATTERM_APPLET_BACKGROUND_COLOR.matcher(backgroundColor).matches()) {
+ session.setAttribute(ATTR_APPLET_BACKGROUND_COLOR, backgroundColor);
+ log.trace("Faund parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='"
+ + backgroundColor + "'.");
+ } else {
+ log.warn("Applet parameter " + PARAM_APPLET_BACKGROUND_COLOR + "='"
+ + backgroundColor + "' is not a valid color definition (must be of form '#hhhhhh').");
+ }
}
+
+ // appletGuiStyle
+ String guiStyle = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_APPLET_GUI_STYLE), charset);
if (guiStyle != null) {
- log.trace("Found applet GUI style parameter: " + guiStyle);
- session.setAttribute("appletGuiStyle", guiStyle);
- }
- if (hashDataDisplay != null) {
- log.trace("Found applet hash data display parameter: " + hashDataDisplay);
- session.setAttribute("appletHashDataDisplay", hashDataDisplay);
+ // must be one of VALUES_APPLET_GUI_STYLE
+ String style = guiStyle.toLowerCase();
+ if (Arrays.asList(VALUES_APPLET_GUI_STYLE).contains(style)) {
+ session.setAttribute(ATTR_APPLET_GUI_STYLE, style);
+ log.trace("Found parameter " + PARAM_APPLET_GUI_STYLE + "='"
+ + style + "'.");
+ } else {
+ StringBuilder sb = new StringBuilder();
+ sb.append("Applet parameter ").append(PARAM_APPLET_GUI_STYLE).append(
+ "='").append(guiStyle).append("' is not valid (must be one of ")
+ .append(Arrays.toString(VALUES_APPLET_GUI_STYLE)).append(").");
+ log.warn(sb);
+ }
}
- if (extension != null && !"".equals(extension)) {
- log.trace("Found applet extension parameter: " + extension);
- session.setAttribute("extension", extension);
+
+ // appletExtension
+ String extension = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_APPLET_EXTENSION), charset);
+ if (extension != null) {
+ // must be one of VALUES_APPLET_EXTENSION
+ String ext = extension.toLowerCase();
+ if (Arrays.asList(VALUES_APPLET_EXTENSION).contains(ext)) {
+ session.setAttribute(ATTR_APPLET_EXTENSION, ext);
+ log.trace("Found parameter " + PARAM_APPLET_EXTENSION + "='"
+ + ext + "'.");
+ } else {
+ StringBuilder sb = new StringBuilder();
+ sb.append("Applet parameter ").append(PARAM_APPLET_EXTENSION).append(
+ "='").append(extension).append("' is not valid (must be one of ")
+ .append(Arrays.toString(VALUES_APPLET_EXTENSION)).append(").");
+ log.warn(sb);
+ }
}
+
+ // locale
+ String localeFormParam = getStringFromStream(bindingProcessor
+ .getFormData(PARAM_LOCALE), charset);
if (localeFormParam != null) {
- log.debug("overrule accept-language locale " + locale
- + " with form param " + localeFormParam);
- locale = new Locale(localeFormParam);
+ // must be a valid locale
+ if (PATTERN_LOCALE.matcher(localeFormParam).matches()) {
+ locale = new Locale(localeFormParam);
+ log.debug("Overrule accept-language header locale " + locale
+ + " with form param " + localeFormParam + ".");
+ } else {
+ log.warn("Parameter " + PARAM_LOCALE + "='" + localeFormParam
+ + "' is not a valid locale definition.");
+ }
}
if (locale != null) {
log.debug("Using locale " + locale);
- session.setAttribute("locale", locale.toString());
+ session.setAttribute(ATTR_LOCALE, locale.toString());
}
// handle server side redirect url after processing
diff --git a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml
index 0324030e..fb3cae63 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/BKUOnline/src/main/webapp/WEB-INF/applicationContext.xml
@@ -30,47 +30,64 @@
<bean id="slCommandFactory" class="at.gv.egiz.bku.slcommands.SLCommandFactory"
factory-method="getInstance">
- <property name="commandImpl">
- <map>
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:NullOperationRequest"
- value="at.gv.egiz.bku.slcommands.impl.NullOperationCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxReadRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:InfoboxUpdateRequest"
- value="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:CreateXMLSignatureRequest"
- value="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandImpl" />
- <entry
- key="http://www.buergerkarte.at/namespaces/securitylayer/1.2#:GetStatusRequest"
- value="at.gv.egiz.bku.slcommands.impl.GetStatusCommandImpl" />
- </map>
+ <property name="concreteFactories">
+ <map>
+ <entry key-ref="nullOperationRequest" value-ref="nullOperationCommandFactory"/>
+ <entry key-ref="infoboxReadRequest" value-ref="infoboxReadCommandFactory"/>
+ <entry key-ref="infoboxUpdateRequest" value-ref="infoboxUpdateCommandFactory"/>
+ <entry key-ref="createXMLSignatureRequest" value-ref="createXMLSignatureCommandFactory"/>
+ <entry key-ref="getStatusRequest" value-ref="getStatusCommandFactory"/>
+ </map>
</property>
</bean>
- <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory"
- factory-method="getInstance">
- <property name="infoboxImpl">
+ <bean id="nullOperationCommandFactory" class="at.gv.egiz.bku.slcommands.impl.NullOperationCommandFactory"/>
+ <bean id="nullOperationRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="NullOperationRequest"/>
+ </bean>
+ <bean id="infoboxReadCommandFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory"/>
+ </bean>
+ <bean id="infoboxReadRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="InfoboxReadRequest"/>
+ </bean>
+ <bean id="infoboxUpdateCommandFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxUpdateCommandFactory">
+ <property name="infoboxFactory" ref="infoboxFactory"/>
+ </bean>
+ <bean id="infoboxUpdateRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="InfoboxUpdateRequest"/>
+ </bean>
+ <bean id="createXMLSignatureCommandFactory" class="at.gv.egiz.bku.slcommands.impl.CreateXMLSignatureCommandFactory"/>
+ <bean id="createXMLSignatureRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="CreateXMLSignatureRequest"/>
+ </bean>
+ <bean id="getStatusCommandFactory" class="at.gv.egiz.bku.slcommands.impl.GetStatusCommandFactory"/>
+ <bean id="getStatusRequest" class="javax.xml.namespace.QName">
+ <constructor-arg value="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>
+ <constructor-arg value="GetStatusRequest"/>
+ </bean>
+
+ <bean id="infoboxFactory" class="at.gv.egiz.bku.slcommands.impl.InfoboxFactory">
+ <property name="infoboxFactories">
<map>
- <entry
- key="Certificates"
- value="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxImpl" />
- <entry
- key="IdentityLink"
- value="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxImpl" />
- <entry
- key="CardChannel"
- value="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxImpl" />
- <entry
- key="SV-Personendaten"
- value="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxImpl" />
+ <entry key="Certificates" value-ref="certificatesInfoboxFactory"/>
+ <entry key="IdentityLink" value-ref="identityLinkInfoboxFactory"/>
+ <entry key="CardChannel" value-ref="cardChannelInfoboxFactory"/>
+ <entry key="SV-Personendaten" value-ref="svPersonendatenInfoboxFactory"/>
</map>
</property>
</bean>
+ <bean id="certificatesInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.CertificatesInfoboxFactory"/>
+ <bean id="identityLinkInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.IdentityLinkInfoboxFactory"/>
+ <bean id="cardChannelInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.CardChannelInfoboxFactory"/>
+ <bean id="svPersonendatenInfoboxFactory" class="at.gv.egiz.bku.slcommands.impl.SVPersonendatenInfoboxFactory"/>
+
+
<bean id="bindingProcessorManager" class="at.gv.egiz.bku.binding.BindingProcessorManagerImpl"
scope="singleton">
<constructor-arg ref="STALFactory"></constructor-arg>