[MRM-1972] Adding additional encoding for name value
authorMartin Stockhammer <martin_s@apache.org>
Sun, 10 Mar 2019 10:36:06 +0000 (11:36 +0100)
committerMartin Stockhammer <martin_s@apache.org>
Fri, 3 May 2019 18:48:31 +0000 (20:48 +0200)
(cherry picked from commit 8e5fdd4536421a1a3f0cc5b70725148eeb27b652)

archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java

index e04180c53fdef7cd9fdc1f342547fb2ac855920c..0c8a682a6c841da4e173902a9c623fa7be4e54e9 100644 (file)
@@ -31,6 +31,8 @@ import org.apache.archiva.configuration.Configuration;
 import org.apache.archiva.configuration.UserInterfaceOptions;
 import org.apache.archiva.configuration.WebappConfiguration;
 import org.apache.archiva.metadata.model.facets.AuditEvent;
+import org.apache.commons.codec.net.URLCodec;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.apache.maven.wagon.providers.http.HttpWagon;
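Review bot: `org.apache.commons.codec.net.URLCodec` (L17) is imported but nothing in this diff uses it; the only new code, `convertName`, calls `StringEscapeUtils` and `StringUtils`. Unless a use exists elsewhere in the file that the hunks do not show, drop the import, since a leftover codec import reads as an abandoned encoding approach and will trip the project's unused-import checks. `StringEscapeUtils` on L18 is the commons-lang 2 class, which is consistent with the existing `StringUtils` import on L19.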
@@ -336,6 +338,10 @@ public class DefaultArchivaAdministration
 
     }
 
+    private String convertName(String name) {
+        return StringEscapeUtils.escapeHtml( StringUtils.trimToEmpty( name ) );
+    }
+
     @Override
     public void setOrganisationInformation( OrganisationInformation organisationInformation )
         throws RepositoryAdminException
@@ -345,6 +351,7 @@ public class DefaultArchivaAdministration
         Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
         if ( organisationInformation != null )
         {
+            organisationInformation.setName( convertName( organisationInformation.getName() ));
             org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
                 getModelMapper( ).map( organisationInformation,
                     org.apache.archiva.configuration.OrganisationInformation.class );
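Review bot: `convertName` (L26-28) HTML-escapes the name before it is persisted, and `StringEscapeUtils.escapeHtml` is not idempotent, so a value read back through `getOrganisationInformation()` and saved again via `setOrganisationInformation` turns `&lt;` into `&amp;lt;` — the load-then-save round trip an edit form does will double-encode. Output encoding belongs at the rendering layer where the context (HTML body, attribute, JSON) is known; with the escape applied on write, any consumer that does not render HTML shows the entities literally. If the storage-side escape is kept deliberately, note that the commons-lang 2 `escapeHtml` does not escape the single quote, so a single-quoted attribute context is still breakable, and that L37 mutates the caller's DTO in place rather than the mapped model. At minimum document the helper: `/** HTML-escapes the organisation name before it is persisted; not idempotent, re-saving an already escaped value double-encodes it. */`. `setOrganisationInformation` continues past the end of the hunk.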
index 6e3fbd6717902f636ce3112f1824236837236802..9bb9ed443897e2f6a8bab1a2777530ed0e5444f4 100644 (file)
@@ -253,6 +253,23 @@ public class ArchivaAdministrationTest
 
     }
 
+    @Test
+    public void badOrganisationName( )
+    {
+        try
+        {
+            OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
+            newOrganisationInformation.setName( "/><svg/onload=alert(/url_xss/)>Test Org\"" );
+            archivaAdministration.setOrganisationInformation( newOrganisationInformation );
+            assertEquals("/&gt;&lt;svg/onload=alert(/url_xss/)&gt;Test Org&quot;", archivaAdministration.getOrganisationInformation().getName());
+        }
+        catch ( RepositoryAdminException e )
+        {
+            // OK
+        }
+
+    }
+
     @Test
     public void uiConfiguration()
         throws Exception
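Review bot: The `try`/`catch` at L49-59 swallows `RepositoryAdminException` with `// OK`, and the only assertion sits inside the `try`, so the test passes vacuously if `setOrganisationInformation` throws. Declare the exception instead, as `uiConfiguration` on L64-65 does: `public void badOrganisationName( ) throws Exception`, and drop the try/catch so a failure surfaces. It would also be worth calling `setOrganisationInformation` a second time with the value read back and asserting the stored name, since that shows whether re-saving an already escaped value double-encodes it. `uiConfiguration` itself begins at L63 and runs past the end of the hunk.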