author | Build Agent <build@vaadin.com> | 2014-02-13 13:17:58 +0200 |
---|---|---|
committer | Build Agent <build@vaadin.com> | 2014-02-13 13:17:58 +0200 |
commit | 3f07fb247e87deb19bef0f07004161c60443c829 (patch) | |
tree | cb1c82b171514a75d637e9a1190a20a4b945f6e7 | |
parent | 6f5b334247e024143b82c1c9e0c84b41d9bd2abb (diff) | |
parent | ef208a686c9b32a66d317ceaf571a1b0387625bb (diff) | |
Merge changes from origin/7.1
98aff2b Fix caption lost issue related to focus changing (#12967)
af96612 Test using Tomcat 7 behind Apache proxy (#13302)
ad49fe3 Test using Wildfly 8 (currently CR1) (#13167)
6d8b9e5 Servlet test for push with default parameters (#13299)
d88e409 Added proper escaping to OptionGroup item icon URLs (#13310)
e680b8f Changed getAbsoluteUrl to use the correct escaping method (#13311)
fe6ea57 Release notes updated to describe #13310 #13311
ef208a6 Javadoc formatting fixup
Change-Id: I9cedc16c69b25cc89dd4e4a6812d29019e6e0e0a
-rw-r--r-- | WebContent/release-notes.html | 40 | ||||
-rw-r--r-- | client/src/com/vaadin/client/Util.java | 3 | ||||
-rw-r--r-- | client/src/com/vaadin/client/ui/VOptionGroup.java | 5 | ||||
-rw-r--r-- | client/src/com/vaadin/client/ui/orderedlayout/Slot.java | 6 | ||||
-rw-r--r-- | server/src/com/vaadin/data/Container.java | 85 | ||||
-rw-r--r-- | uitest/integration_tests.xml | 14 | ||||
-rw-r--r-- | uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java | 29 | ||||
-rw-r--r-- | uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java | 21 |
8 files changed, 154 insertions, 49 deletions
diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index a11e526c3f..c7e7558e6a 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -41,6 +41,7 @@ <ul> <li><a href="#overview">Overview of Vaadin @version@ Release</a></li> + <li><a href="#security-fixes">Security fixes</a></li> <li><a href="#changelog">Change log for Vaadin @version@</a></li> <li><a href="#enhancements">Enhancements in Vaadin 
@@ -75,7 +76,44 @@ href="http://vaadin.com/download/release/@version-minor@/@version-minor@.0/release-notes.html">Release Notes for Vaadin @version-minor@.0</a>. </p> - + + <!-- ================================================================ --> + <h3 id="security-fixes">Security fixes in Vaadin Framework 7.1.11</h3> + + <p> + Vaadin 7.1.11 fixes two security issues discovered during internal review. + </p> + <p><b>Escaping of OptionGroup item icon URLs</b></p> + <p> + The issue affects OptionGroup with item icons. Proper escaping of the + src-attribute on the client side was not ensured when using icons for + OptionGroup items. This could potentially, in certain situations, allow + a malicious user to inject content, such as javascript, in order to + perform a cross-site scripting (XSS) attack. + </p> + <p> + In order for an application to be vulnerable, user provided input must + be used to form a URL used to display an icon for an OptionGroup item, + when showing that Option Group to other users.<br/> + The vulnerability has been classified as moderate, due to it's limited + application. + </p> + <p><b>Escaping of URLs in Util.getAbsoluteUrl()</b></p> + <p> + The client side Util.getAbsoluteUrl() did not ensure proper escaping + of the given URL. This could potentially, in certain situations, allow + a malicious user to inject content, such as javascript, in order to + perform a cross-site scripting (XSS) attack. + </p> + <p> + The method is used internally by the framework in such a manner that it + is unlikely this attack vector can be utilized in practice. However, + third party components, or future use of the method, could make an + attack viable.<br/> + The vulnerability has been classified as moderate, due to it's limited + application. + </p> + <h3 id="changelog">Change log for Vaadin @version@</h3> <p>This release includes the following closed issues:</p> 
diff --git a/client/src/com/vaadin/client/Util.java b/client/src/com/vaadin/client/Util.java index edbb40e86c..7cf8338171 100644 --- a/client/src/com/vaadin/client/Util.java +++ b/client/src/com/vaadin/client/Util.java @@ -1344,7 +1344,8 @@ public class Util { divElement.getStyle().setDisplay(Display.NONE); RootPanel.getBodyElement().appendChild(divElement); - divElement.setInnerHTML("<a href='" + escapeHTML(url) + "' ></a>"); + divElement.setInnerHTML("<a href='" + escapeAttribute(url) + + "' ></a>"); AnchorElement a = divElement.getChild(0).cast(); String href = a.getHref(); diff --git a/client/src/com/vaadin/client/ui/VOptionGroup.java b/client/src/com/vaadin/client/ui/VOptionGroup.java index fee1c313f5..fe4ef214cb 100644 --- a/client/src/com/vaadin/client/ui/VOptionGroup.java +++ b/client/src/com/vaadin/client/ui/VOptionGroup.java @@ -142,8 +142,9 @@ public class VOptionGroup extends VOptionGroupBase implements FocusHandler, String icon = opUidl.getStringAttribute("icon"); if (icon != null && icon.length() != 0) { String iconUrl = client.translateVaadinUri(icon); - itemHtml = "<img src=\"" + iconUrl + "\" class=\"" - + Icon.CLASSNAME + "\" alt=\"\" />" + itemHtml; + itemHtml = "<img src=\"" + Util.escapeAttribute(iconUrl) + + "\" class=\"" + Icon.CLASSNAME + "\" alt=\"\" />" + + itemHtml; } String key = opUidl.getStringAttribute("key"); diff --git a/client/src/com/vaadin/client/ui/orderedlayout/Slot.java b/client/src/com/vaadin/client/ui/orderedlayout/Slot.java index 37a97f3399..efa19895a8 100644 --- a/client/src/com/vaadin/client/ui/orderedlayout/Slot.java +++ b/client/src/com/vaadin/client/ui/orderedlayout/Slot.java @@ -474,7 +474,8 @@ public final class Slot extends SimplePanel { // Made changes to DOM. Focus can be lost if it was in the // widget. - focusLost = widget.getElement().isOrHasChild(focusedElement); + focusLost = (focusedElement == null ? false : widget + .getElement().isOrHasChild(focusedElement)); } } else if (caption != null) { orphan(widget); 
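Review bot: The new `escapeAttribute(url)` call sits inside a single-quoted `href='…'` attribute, so its safety depends on `escapeAttribute` escaping `'` as well as `"`, which this hunk does not show; the sibling fix in VOptionGroup uses a double-quoted attribute. Using the same delimiter at both call sites removes that dependency: `divElement.setInnerHTML("<a href=\"" + escapeAttribute(url) + "\"></a>");`. A one-line comment such as `// url may derive from user input; escape for the attribute context (#13311)` would also record why the escaping function changed. The enclosing method begins and ends outside the hunk.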
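Review bot: No regression test backs the escaping added on the `Util.escapeAttribute(iconUrl)` line — the diffstat lists no test touching VOptionGroup — so a later refactor of the `itemHtml` concatenation could drop it unnoticed. A test rendering an OptionGroup whose item icon URL contains `"`, `<` and `&` and asserting the resulting `src` attribute value would pin the fix. A comment on the line, `// iconUrl may be derived from user input; escape for the attribute context (#13310)`, would make the intent explicit to the next maintainer. The enclosing method begins and ends outside the hunk.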
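Review bot: The added null guard is written as `focusedElement == null ? false : widget.getElement().isOrHasChild(focusedElement)`, a conditional with a boolean literal that is split mid-call across two lines; the same form is added in the following Slot.java hunk (`@@ -485,7 +486,8 @@`). `focusLost = focusedElement != null && widget.getElement().isOrHasChild(focusedElement);` expresses the same thing in one line at both sites. Where `focusedElement` is obtained lies outside the hunk.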
@@ -485,7 +486,8 @@ public final class Slot extends SimplePanel { captionWrap = null; // Made changes to DOM. Focus can be lost if it was in the widget. - focusLost = widget.getElement().isOrHasChild(focusedElement); + focusLost = (focusedElement == null ? false : widget.getElement() + .isOrHasChild(focusedElement)); } // Caption text diff --git a/server/src/com/vaadin/data/Container.java b/server/src/com/vaadin/data/Container.java index bf553f31d2..1e053d1091 100644 --- a/server/src/com/vaadin/data/Container.java +++ b/server/src/com/vaadin/data/Container.java @@ -86,7 +86,7 @@ public interface Container extends Serializable { * Gets the {@link Item} with the given Item ID from the Container. If the * Container does not contain the requested Item, <code>null</code> is * returned. - * + * <p> * Containers should not return Items that are filtered out. * * @param itemId @@ -108,11 +108,11 @@ public interface Container extends Serializable { * Gets the ID's of all visible (after filtering and sorting) Items stored * in the Container. The ID's cannot be modified through the returned * collection. - * + * <p> * If the container is {@link Ordered}, the collection returned by this * method should follow that order. If the container is {@link Sortable}, * the items should be in the sorted order. - * + * <p> * Calling this method for large lazy containers can be an expensive * operation and should be avoided when practical. * @@ -145,7 +145,7 @@ public interface Container extends Serializable { /** * Gets the number of visible Items in the Container. - * + * <p> * Filtering can hide items so that they will not be visible through the * container API. * 
@@ -155,7 +155,7 @@ public interface Container extends Serializable { /** * Tests if the Container contains the specified Item. - * + * <p> * Filtering can hide items so that they will not be visible through the * container API, and this method should respect visibility of items (i.e. * only indicate visible items as being in the container) if feasible for @@ -235,7 +235,7 @@ public interface Container extends Serializable { /** * Adds a new Property to all Items in the Container. The Property ID, data * type and default value of the new Property are given as parameters. - * + * <p> * This functionality is optional. * * @param propertyId @@ -256,7 +256,7 @@ public interface Container extends Serializable { /** * Removes a Property specified by the given Property ID from the Container. * Note that the Property will be removed from all Items in the Container. - * + * <p> * This functionality is optional. * * @param propertyId @@ -427,10 +427,8 @@ public interface Container extends Serializable { public interface Sortable extends Ordered { /** - * Sort method. - * * Sorts the container items. - * + * <p> * Sorting a container can irreversibly change the order of its items or * only change the order temporarily, depending on the container. * 
@@ -486,40 +484,34 @@ public interface Container extends Serializable { /** * Get the item id for the item at the position given by - * <code>index</code>. <br> - * <br> - * <b>Throws:</b> {@link IndexOutOfBoundsException} if - * <code>index</code> is outside the range of the container. (i.e. - * <code>index < 0 || container.size()-1 < index</code>) + * <code>index</code>. + * <p> * * @param index * the index of the requested item id * @return the item id of the item at the given index + * @throws IndexOutOfBoundsException + * if <code>index</code> is outside the range of the + * container. (i.e. + * <code>index < 0 || container.size()-1 < index</code> + * ) */ public Object getIdByIndex(int index); /** * Get <code>numberOfItems</code> consecutive item ids from the - * container, starting with the item id at <code>startIndex</code>. <br> - * <br> - * + * container, starting with the item id at <code>startIndex</code>. + * <p> * Implementations should return at most <code>numberOfItems</code> item * ids, but can contain less if the container has less items than * required to fulfill the request. The returned list must hence contain - * all of the item ids from the range: <br> - * <br> + * all of the item ids from the range: + * <p> * <code>startIndex</code> to - * <code>max(startIndex + (numberOfItems-1), container.size()-1)</code>. <br> - * <br> + * <code>max(startIndex + (numberOfItems-1), container.size()-1)</code>. + * <p> * For quick migration to new API see: * {@link ContainerHelpers#getItemIdsUsingGetIdByIndex(int, int, Indexed)} - * . <br> - * <br> - * <b>Throws:</b> {@link IllegalArgumentException} if - * <code>numberOfItems</code> is < 0 <br> - * <b>Throws:</b> {@link IndexOutOfBoundsException} if - * <code>startIndex</code> is outside the range of the container. (i.e. - * <code>startIndex < 0 || container.size()-1 < startIndex</code>) * * @param startIndex * the index for the first item which id to include 
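Review bot: The new `@throws IndexOutOfBoundsException` text carries over the raw `<` in `<code>index < 0 || container.size()-1 < index</code>`; inside Javadoc HTML a bare `<` is malformed markup that doclint reports, and the same form is added for `numberOfItems` and `startIndex` in the next hunk (`@@ -529,6 +521,14 @@`). `{@code index < 0 || container.size()-1 < index}` renders the same text without the markup problem. The empty `<p>` left directly above `@param index` adds an empty paragraph and can be dropped. The enclosing interface begins and ends outside the hunk.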
@@ -529,6 +521,14 @@ public interface Container extends Serializable { * @return List containing the requested item ids or empty list if * <code>numberOfItems</code> == 0; not null * + * @throws IllegalArgumentException + * if <code>numberOfItems</code> is < 0 + * @throws IndexOutOfBoundsException + * if <code>startIndex</code> is outside the range of the + * container. (i.e. + * <code>startIndex < 0 || container.size()-1 < startIndex</code> + * ) + * * @since 7.0 */ public List<?> getItemIds(int startIndex, int numberOfItems); @@ -777,7 +777,6 @@ public interface Container extends Serializable { * Note that being a leaf does not imply whether or not an Item is * allowed to have children. * </p> - * . * * @param itemId * ID of the Item to be tested @@ -849,15 +848,15 @@ public interface Container extends Serializable { /** * Add a filter for given property. - * + * <p> * The API {@link Filterable#addContainerFilter(Filter)} is recommended * instead of this method. A {@link SimpleStringFilter} can be used with * the new API to implement the old string filtering functionality. - * + * <p> * The filter accepts items for which toString() of the value of the * given property contains or starts with given filterString. Other * items are not visible in the container when filtered. - * + * <p> * If a container has multiple filters, only items accepted by all * filters are visible. * 
@@ -890,17 +889,17 @@ public interface Container extends Serializable { /** * Filter interface for container filtering. - * + * <p> * If a filter does not support in-memory filtering, * {@link #passesFilter(Item)} should throw * {@link UnsupportedOperationException}. - * + * <p> * Lazy containers must be able to map filters to their internal * representation (e.g. SQL or JPA 2.0 Criteria). - * + * <p> * An {@link UnsupportedFilterException} can be thrown by the container if a * particular filter is not supported by the container. - * + * <p> * An {@link Filter} should implement {@link #equals(Object)} and * {@link #hashCode()} correctly to avoid duplicate filter registrations * etc. @@ -984,7 +983,7 @@ public interface Container extends Serializable { public interface Filterable extends Container, Serializable { /** * Adds a filter for the container. - * + * <p> * If a container has multiple filters, only items accepted by all * filters are visible. * @@ -996,7 +995,7 @@ public interface Container extends Serializable { /** * Removes a filter from the container. - * + * <p> * This requires that the equals() method considers the filters as * equivalent (same instance or properly implemented equals() method). */ @@ -1077,7 +1076,7 @@ public interface Container extends Serializable { /** * Container Item set change listener interface. - * + * <p> * An item set change refers to addition, removal or reordering of items in * the container. A simple property value change is not an item set change. */ @@ -1098,7 +1097,7 @@ public interface Container extends Serializable { * listeners. By implementing this interface a class explicitly announces * that it will generate a <code>ItemSetChangeEvent</code> when its contents * are modified. - * + * <p> * An item set change refers to addition, removal or reordering of items in * the container. A simple property value change is not an item set change. * 
@@ -1151,7 +1150,7 @@ public interface Container extends Serializable { /** * An <code>Event</code> object specifying the Container whose Property set * has changed. - * + * <p> * A property set change means the addition, removal or other structural * changes to the properties of a container. Changes concerning the set of * items in the container and their property values are not property set @@ -1170,7 +1169,7 @@ public interface Container extends Serializable { /** * The listener interface for receiving <code>PropertySetChangeEvent</code> * objects. - * + * <p> * A property set change means the addition, removal or other structural * change of the properties (supported property IDs) of a container. Changes * concerning the set of items in the container and their property values diff --git a/uitest/integration_tests.xml b/uitest/integration_tests.xml index 9f639b9cb5..77c5a94e26 100644 --- a/uitest/integration_tests.xml +++ b/uitest/integration_tests.xml @@ -133,6 +133,12 @@ <param name="target-server" value="tomcat7" /> </antcall> </target> + <target name="integration-test-tomcat7apacheproxy"> + <antcall target="run-generic-integration-test"> + <param name="startDelay" value="10" /> + <param name="target-server" value="tomcat7apacheproxy" /> + </antcall> + </target> <target name="integration-test-tomcat8"> <antcall target="run-generic-integration-test"> <param name="startDelay" value="10" /> @@ -219,6 +225,12 @@ <param name="target-server" value="jbosseap6" /> </antcall> </target> + <target name="integration-test-wildfly8"> + <antcall target="run-generic-integration-test"> + <param name="startDelay" value="10" /> + <param name="target-server" value="wildfly8" /> + </antcall> + </target> <target name="integration-test-glassfish2"> <antcall target="run-generic-integration-test"> 
@@ -415,6 +427,7 @@ <antcall target="integration-test-jboss6" /> <antcall target="integration-test-jboss7" /> <antcall target="integration-test-jboss-eap6" /> + <antcall target="integration-test-wildfly8" /> <antcall target="integration-test-jetty5" /> <antcall target="integration-test-jetty6" /> <antcall target="integration-test-jetty7" /> @@ -424,6 +437,7 @@ <antcall target="integration-test-tomcat6" /> <antcall target="integration-test-tomcat7" /> <antcall target="integration-test-tomcat8" /> + <antcall target="integration-test-tomcat7apacheproxy" /> <antcall target="integration-test-websphere8" /> </parallel> diff --git a/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java new file mode 100644 index 0000000000..d6def8d69c --- /dev/null +++ b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java @@ -0,0 +1,29 @@ +/* + * Copyright 2000-2013 Vaadin Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.vaadin.tests.integration; + +import com.vaadin.annotations.Push; + +/** + * Server test which uses the default push mechanisms + * + * @since 7.1.12 + * @author Vaadin Ltd + */ +@Push +public class ServletIntegrationDefaultPushUI extends ServletIntegrationUI { + +} 
diff --git a/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java new file mode 100644 index 0000000000..5f50cdb95d --- /dev/null +++ b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java @@ -0,0 +1,21 @@ +/* + * Copyright 2000-2013 Vaadin Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.vaadin.tests.integration; + +public class ServletIntegrationDefaultPushUITest extends + AbstractServletIntegrationTest { + // Uses the test method declared in the super class +}
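Review bot: The new test class has no Javadoc, while its sibling `ServletIntegrationDefaultPushUI` in the previous file does; the only explanation is the body comment `// Uses the test method declared in the super class`. A class comment such as `/** Integration test for {@link ServletIntegrationDefaultPushUI}, relying on the test method inherited from {@link AbstractServletIntegrationTest}. */` would say what is exercised. The sibling's `@since 7.1.12` also differs from the `7.1.11` named in the release-notes hunk; if both land in the same release the tag may need aligning.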
\ No newline at end of file |