authorMartin Stockhammer <martin_s@apache.org>2019-03-10 11:36:06 +0100
committerMartin Stockhammer <martin_s@apache.org>2019-03-10 11:36:06 +0100
commit8e5fdd4536421a1a3f0cc5b70725148eeb27b652 (patch)
treeffb4205a39612fe62e970243cc7a4bb71cb8e493 /archiva-modules
parentd4be8968cfb9910f335009e1538292671aa67853 (diff)
Fixing MRM-1972: Adding additional encoding for name value
Diffstat (limited to 'archiva-modules')
-rw-r--r--archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java7
-rw-r--r--archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java17
2 files changed, 24 insertions, 0 deletions
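diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
index 8f065c128..1ba104863 100644
--- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
@@ -31,6 +31,8 @@ import org.apache.archiva.configuration.Configuration;
 import org.apache.archiva.configuration.UserInterfaceOptions;
 import org.apache.archiva.configuration.WebappConfiguration;
 import org.apache.archiva.metadata.model.facets.AuditEvent;
+import org.apache.commons.codec.net.URLCodec;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.impl.conn.PoolingClientConnectionManager;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
@@ -337,6 +339,10 @@ public class DefaultArchivaAdministration
 }
+ private String convertName(String name) {
+ return StringEscapeUtils.escapeHtml( StringUtils.trimToEmpty( name ) );
+ }
+
 @Override
 public void setOrganisationInformation( OrganisationInformation organisationInformation )
 throws RepositoryAdminException
@@ -346,6 +352,7 @@ public class DefaultArchivaAdministration
 Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
 if ( organisationInformation != null )
 {
+ organisationInformation.setName( convertName( organisationInformation.getName() ));
 org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
 getModelMapper( ).map( organisationInformation,
 org.apache.archiva.configuration.OrganisationInformation.class );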
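Review bot: `convertName` HTML-encodes the organisation name before it is persisted (the new test asserts the stored value contains `&gt;`/`&quot;`), which protects the HTML view but hands an entity-encoded string to every other consumer of the stored name and is not idempotent: a client that reads the name back and submits it unchanged will, as far as this hunk shows, have `&` re-encoded to `&amp;` on each save. Note also that commons-lang 2's `StringEscapeUtils.escapeHtml` does not escape the apostrophe, so a template that places the name inside a single-quoted attribute or script string still needs its own context-specific encoding; the more robust pattern is to store the raw value and encode at each output site, or at minimum document the contract above `convertName`, e.g. `// Stored HTML-encoded (commons-lang 2 escapeHtml does NOT escape "'"); view layers must still encode for their own context, and re-saving an already encoded name double-encodes it`. The `org.apache.commons.codec.net.URLCodec` import added in the first hunk is unused by this change and should be dropped. `setOrganisationInformation` also mutates the caller's `organisationInformation` argument in place; setting the converted name on the mapped `organisationInformationModel` instead would avoid that side effect. The body of `setOrganisationInformation` continues outside the hunk.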
diff --git a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
index 6e3fbd671..9bb9ed443 100644
--- a/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
+++ b/archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
@@ -254,6 +254,23 @@ public class ArchivaAdministrationTest
}
@Test
+ public void badOrganisationName( )
+ {
+ try
+ {
+ OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
+ newOrganisationInformation.setName( "/><svg/onload=alert(/url_xss/)>Test Org\"" );
+ archivaAdministration.setOrganisationInformation( newOrganisationInformation );
+ assertEquals("/&gt;&lt;svg/onload=alert(/url_xss/)&gt;Test Org&quot;", archivaAdministration.getOrganisationInformation().getName());
+ }
+ catch ( RepositoryAdminException e )
+ {
+ // OK
+ }
+
+ }
+
+ @Test
public void uiConfiguration()
throws Exception
{