Fixing MRM-1972: Adding additional encoding for name value
authorMartin Stockhammer <martin_s@apache.org>
Sun, 10 Mar 2019 10:36:06 +0000 (11:36 +0100)
committerMartin Stockhammer <martin_s@apache.org>
Sun, 10 Mar 2019 10:36:06 +0000 (11:36 +0100)
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java

index 8f065c1288a6c793c1d184d593a450d01b61154b..1ba104863de720bc5dcdc2405378df9dced4a49b 100644 (file)
@@ -31,6 +31,8 @@ import org.apache.archiva.configuration.Configuration;
 import org.apache.archiva.configuration.UserInterfaceOptions;
 import org.apache.archiva.configuration.WebappConfiguration;
 import org.apache.archiva.metadata.model.facets.AuditEvent;
+import org.apache.commons.codec.net.URLCodec;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.impl.conn.PoolingClientConnectionManager;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
@@ -337,6 +339,10 @@ public class DefaultArchivaAdministration
 
     }
 
+    private String convertName(String name) {
+        return StringEscapeUtils.escapeHtml( StringUtils.trimToEmpty( name ) );
+    }
+
     @Override
     public void setOrganisationInformation( OrganisationInformation organisationInformation )
         throws RepositoryAdminException
@@ -346,6 +352,7 @@ public class DefaultArchivaAdministration
         Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
         if ( organisationInformation != null )
         {
+            organisationInformation.setName( convertName( organisationInformation.getName() ));
             org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
                 getModelMapper( ).map( organisationInformation,
                     org.apache.archiva.configuration.OrganisationInformation.class );
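Review bot: convertName escapes the organisation name at persistence time, so every caller of getOrganisationInformation().getName() now receives an HTML-encoded string, and a client that reads the name and writes it back through setOrganisationInformation double-escapes it on each round trip (`&quot;` becomes `&amp;quot;`). Escaping at render time in the view layer avoids both problems; if storage-time escaping is kept, convertName needs a Javadoc such as `/** Trims and HTML-escapes the organisation name before it is persisted; the stored value is already encoded and must not be escaped again when rendered. */`, and it should be noted that commons-lang's escapeHtml does not encode the single quote, so the stored value is only safe in element content and double-quoted attributes. The URLCodec import added in the first hunk is not used by anything visible in this commit. setOrganisationInformation continues past the end of the last hunk.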
index 6e3fbd6717902f636ce3112f1824236837236802..9bb9ed443897e2f6a8bab1a2777530ed0e5444f4 100644 (file)
@@ -253,6 +253,23 @@ public class ArchivaAdministrationTest
 
     }
 
+    @Test
+    public void badOrganisationName( )
+    {
+        try
+        {
+            OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
+            newOrganisationInformation.setName( "/><svg/onload=alert(/url_xss/)>Test Org\"" );
+            archivaAdministration.setOrganisationInformation( newOrganisationInformation );
+            assertEquals("/&gt;&lt;svg/onload=alert(/url_xss/)&gt;Test Org&quot;", archivaAdministration.getOrganisationInformation().getName());
+        }
+        catch ( RepositoryAdminException e )
+        {
+            // OK
+        }
+
+    }
+
     @Test
     public void uiConfiguration()
         throws Exception
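Review bot: The catch block in badOrganisationName swallows RepositoryAdminException with only an `// OK` comment, so if setOrganisationInformation throws, the assertEquals is never reached and the test passes without verifying the encoding at all. Declare `public void badOrganisationName( ) throws RepositoryAdminException` and drop the try/catch so a failure surfaces as a test error, as the neighbouring uiConfiguration test already does with `throws Exception`. A short comment above the assertion, `// escapeHtml output: angle brackets and the double quote are encoded, the slash is not`, would also document what the expected string is checking.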