community/device-mgt-core
1
0
Fork 0
mirror of https://repository.entgra.net/community/device-mgt-core.git synced 2025-10-06 02:01:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed URL tampering issue

Browse Source
This commit is contained in:
mharindu 2016-06-28 17:23:39 +05:30
parent a278b788d6
commit 5de4993319
5 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml
View File

@ -121,7 +121,8 @@
org.wso2.carbon.registry.core.*, org.wso2.carbon.registry.core.*,
org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}", org.wso2.carbon.registry.common.*;version="${carbon.registry.imp.pkg.version.range}",
org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}", org.wso2.carbon.registry.indexing.*; version="${carbon.registry.imp.pkg.version.range}",
org.wso2.carbon.base org.wso2.carbon.base,
org.owasp.encoder
</Import-Package> </Import-Package>
</instructions> </instructions>
</configuration> </configuration>
@ -226,6 +227,10 @@
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.registry.core</artifactId> <artifactId>org.wso2.carbon.registry.core</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.wso2.orbit.org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
</dependency>
</dependencies> </dependencies>
</project> </project>

3
components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java
View File

@ -21,6 +21,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.wso2.carbon.apimgt.api.APIManagementException; import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.core.authenticate.APITokenValidator; import org.wso2.carbon.apimgt.core.authenticate.APITokenValidator;
@ -42,7 +43,7 @@ public class AuthenticationFrameworkUtil {
public static void handleNoMatchAuthScheme(Request request, Response response, String httpVerb, String version, public static void handleNoMatchAuthScheme(Request request, Response response, String httpVerb, String version,
String context) { String context) {
String msg = "Resource is not matched for HTTP Verb: '" + httpVerb + "', API context: '" + context + String msg = "Resource is not matched for HTTP Verb: '" + httpVerb + "', API context: '" + context +
"', Version: '" + version + "' and RequestURI: '" + request.getRequestURI() + "'"; "', Version: '" + version + "' and RequestURI: '" + Encode.forHtml(request.getRequestURI()) + "'";
handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, msg); handleResponse(request, response, HttpServletResponse.SC_FORBIDDEN, msg);
} }

8
components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java
View File

@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve; import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.CompositeValve; import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
@ -151,11 +152,10 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
response.setHeader("WWW-Authenticate", msg); response.setHeader("WWW-Authenticate", msg);
} }
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug(msg + " , API : " + request.getRequestURI()); log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
} }
AuthenticationFrameworkUtil AuthenticationFrameworkUtil.
.handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, handleResponse(request, response, HttpServletResponse.SC_UNAUTHORIZED, msg);
msg);
break; break;
} }
} }

5
components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java
View File

@ -22,6 +22,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.CarbonContext; import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.device.mgt.common.permission.mgt.Permission; import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException; import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
@ -57,13 +58,13 @@ public class PermissionAuthorizer {
requestPermission = registryBasedPermissionManager.getPermission(properties); requestPermission = registryBasedPermissionManager.getPermission(properties);
} catch (PermissionManagementException e) { } catch (PermissionManagementException e) {
log.error( log.error(
"Error occurred while fetching the permission for URI : " + requestUri + " ," + "Error occurred while fetching the permission for URI : " + Encode.forJava(requestUri) + " ," +
" METHOD : " + requestMethod + ", msg = " + e.getMessage()); " METHOD : " + requestMethod + ", msg = " + e.getMessage());
} }
if (requestPermission == null) { if (requestPermission == null) {
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Permission to request '" + requestUri + "' is not defined in the configuration"); log.debug("Permission to request '" + Encode.forJava(requestUri) + "' is not defined in the configuration");
} }
return WebappAuthenticator.Status.FAILURE; return WebappAuthenticator.Status.FAILURE;
} }

6
pom.xml
View File

@ -1511,6 +1511,11 @@
<artifactId>jackson-annotations</artifactId> <artifactId>jackson-annotations</artifactId>
<version>${jackson-annotations.version}</version> <version>${jackson-annotations.version}</version>
</dependency> </dependency>
<dependency>
<groupId>org.wso2.orbit.org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>${owasp.encoder.version}</version>
</dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
@ -1880,6 +1885,7 @@
<!--JWT grant type extension feature--> <!--JWT grant type extension feature-->
<identity.jwt.extension.version>1.0.2</identity.jwt.extension.version> <identity.jwt.extension.version>1.0.2</identity.jwt.extension.version>
<jackson-annotations.version>2.7.4</jackson-annotations.version> <jackson-annotations.version>2.7.4</jackson-annotations.version>
<owasp.encoder.version>1.2.0.wso2v1</owasp.encoder.version>
</properties> </properties>
</project> </project>