author | Olivier Lamy <olamy@apache.org> | 2023-03-14 16:51:46 +1000 |
---|---|---|
committer | Olivier Lamy <olamy@apache.org> | 2023-03-14 16:51:46 +1000 |
commit | d62e81c7e75f617cf01d2a75952a2c857758f8c4 (patch) | |
tree | 2f26c202d19fe31f61a6709f5185e335a0616669 | |
parent | 4d93c1f457e3a285e84a46f25fceee1c0d2bd615 (diff) | |
better testing of characters
Signed-off-by: Olivier Lamy <olamy@apache.org>
-rw-r--r-- | archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index 83b3a3e6f..7bdf53ab3 100644
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -262,6 +262,15 @@ public class DefaultFileUploadService
         if (checkString.contains("/..")) {
             return false;
         }
+        if (checkString.contains("<")) {
+            return false;
+        }
+        if (checkString.contains(">")) {
+            return false;
+        }
+        if (checkString.contains("&")) {
+            return false;
+        }
         return true;
     }
@@ -280,11 +289,11 @@ public class DefaultFileUploadService
                                 boolean generatePom )
         throws ArchivaRestServiceException
     {
-        repositoryId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( repositoryId ) );
-        groupId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( groupId ) );
-        artifactId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( artifactId ) );
-        version = StringEscapeUtils.escapeJavaScript( StringUtils.trim( version ) );
-        packaging = StringEscapeUtils.escapeJavaScript( StringUtils.trim( packaging ) );
+        repositoryId = StringEscapeUtils.escapeHtml( StringUtils.trim( repositoryId ) );
+        groupId = StringEscapeUtils.escapeHtml( StringUtils.trim( groupId ) );
+        artifactId = StringEscapeUtils.escapeHtml( StringUtils.trim( artifactId ) );
+        version = StringEscapeUtils.escapeHtml( StringUtils.trim( version ) );
+        packaging = StringEscapeUtils.escapeHtml( StringUtils.trim( packaging ) );
         checkParamChars("repositoryId", repositoryId);
         checkParamChars("groupId", groupId);
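Review bot: The three new `contains` checks in checkParamChars extend a denylist that, together with the existing `/..` test, still admits traversal-shaped input such as a bare `..` segment, a backslash form like `\..`, or a NUL byte. Every value this method is applied to (repositoryId, groupId, artifactId, version, packaging) is a Maven coordinate, so an allowlist is both shorter and closed: `return checkString.matches("[A-Za-z0-9._-]+");` — if some repository needs another character (a `+` in a version, say) it can be added to the class deliberately rather than discovered as a gap. Note also that `contains("&")` rejects every HTML entity, so any value that was entity-encoded before reaching this method is refused as a whole instead of having the offending character named. checkParamChars begins before this hunk, so whether a `false` return is fatal to the request is not visible here.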
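Review bot: checkParamChars runs on values that have already been through `StringEscapeUtils.escapeHtml`, so the `<` and `>` rejections can never fire (those characters arrive as `&lt;`/`&gt;`) and the `&` rejection is what actually catches them — along with, if this is commons-lang 2's escapeHtml, every Latin-1 letter it entity-encodes, so a version like `1.0-é` is refused for an accidental reason. The escaped string is also what flows on into the artifact reference and path, so the escape is applied at the wrong layer: these are path components, not HTML. Trim, validate the raw value, and leave HTML escaping to the view, e.g. `repositoryId = StringUtils.trim( repositoryId );` followed by `checkParamChars("repositoryId", repositoryId);` for each parameter. The method's signature starts before this hunk and its body continues after it.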
@@ -378,11 +387,11 @@ public class DefaultFileUploadService
         ManagedRepository repoConfig = managedRepositoryAdmin.getManagedRepository( repositoryId );
-        repositoryId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( repositoryId ) );
-        groupId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( groupId ) );
-        artifactId = StringEscapeUtils.escapeJavaScript( StringUtils.trim( artifactId ) );
-        version = StringEscapeUtils.escapeJavaScript( StringUtils.trim( version ) );
-        packaging = StringEscapeUtils.escapeJavaScript( StringUtils.trim( packaging ) );
+        repositoryId = StringEscapeUtils.escapeHtml( StringUtils.trim( repositoryId ) );
+        groupId = StringEscapeUtils.escapeHtml( StringUtils.trim( groupId ) );
+        artifactId = StringEscapeUtils.escapeHtml( StringUtils.trim( artifactId ) );
+        version = StringEscapeUtils.escapeHtml( StringUtils.trim( version ) );
+        packaging = StringEscapeUtils.escapeHtml( StringUtils.trim( packaging ) );
         ArtifactReference artifactReference = new ArtifactReference();
         artifactReference.setArtifactId( artifactId ); |
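Review bot: `managedRepositoryAdmin.getManagedRepository( repositoryId )` on the context line runs before repositoryId is trimmed and escaped, so the repository is looked up under the raw value while the normalized value is used for everything after; move the trim/escape block above that lookup so both refer to the same id. Unlike the hunk at line 289, this one does not call checkParamChars on the normalized values before `artifactReference.setArtifactId( artifactId )` — presumably the check happens elsewhere in this method, but if not, the traversal guard covers one entry point and not this one. The enclosing method starts before and continues after this hunk.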