Apache
/
archiva
mirror of https://github.com/apache/archiva.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[MRM-1972] Adding additional encoding for name value 

(cherry picked from commit 8e5fdd4536)
This commit is contained in:
Martin Stockhammer 2019-03-10 11:36:06 +01:00
parent 6160966fa0
commit 2ade46ab20
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/main/java/org/apache/archiva/admin/repository/admin/DefaultArchivaAdministration.java
View File

@ -31,6 +31,8 @@ import org.apache.archiva.configuration.Configuration;
import org.apache.archiva.configuration.UserInterfaceOptions;
import org.apache.archiva.configuration.WebappConfiguration;
import org.apache.archiva.metadata.model.facets.AuditEvent;
import org.apache.commons.codec.net.URLCodec;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.maven.wagon.providers.http.HttpWagon;
@ -336,6 +338,10 @@ public class DefaultArchivaAdministration
}
private String convertName(String name) {
return StringEscapeUtils.escapeHtml( StringUtils.trimToEmpty( name ) );
}
@Override
public void setOrganisationInformation( OrganisationInformation organisationInformation )
throws RepositoryAdminException
@ -345,6 +351,7 @@ public class DefaultArchivaAdministration
Configuration configuration = getArchivaConfiguration( ).getConfiguration( );
if ( organisationInformation != null )
{
organisationInformation.setName( convertName( organisationInformation.getName() ));
org.apache.archiva.configuration.OrganisationInformation organisationInformationModel =
getModelMapper( ).map( organisationInformation,
org.apache.archiva.configuration.OrganisationInformation.class );

17
archiva-modules/archiva-base/archiva-repository-admin/archiva-repository-admin-default/src/test/java/org/apache/archiva/admin/repository/admin/ArchivaAdministrationTest.java
View File

@ -253,6 +253,23 @@ public class ArchivaAdministrationTest
}
@Test
public void badOrganisationName( )
{
try
{
OrganisationInformation newOrganisationInformation = new OrganisationInformation( );
newOrganisationInformation.setName( "/><svg/onload=alert(/url_xss/)>Test Org\"" );
archivaAdministration.setOrganisationInformation( newOrganisationInformation );
assertEquals("/&gt;&lt;svg/onload=alert(/url_xss/)&gt;Test Org&quot;", archivaAdministration.getOrganisationInformation().getName());
}
catch ( RepositoryAdminException e )
{
// OK
}
}
@Test
public void uiConfiguration()
throws Exception