Author: rgielen
Date: Fri Jul  5 17:47:42 2013
New Revision: 1500083

URL: http://svn.apache.org/r1500083
Log:
Merged from STRUTS_2_3_15_X
WW-4136 - Demonstrate proper input sanitizing for file download showcase example
- added demo code to prevent input paths containing "WEB-INF" [from revision 1500082]

Added:
    
struts/struts2/trunk/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/
      - copied from r1500082, 
struts/struts2/branches/STRUTS_2_3_15_X/apps/showcase/src/test/java/org/apache/struts2/showcase/filedownload/
Modified:
    struts/struts2/trunk/   (props changed)
    
struts/struts2/trunk/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java

Propchange: struts/struts2/trunk/
------------------------------------------------------------------------------
  Merged /struts/struts2/branches/STRUTS_2_3_15_X:r1500082

Modified: 
struts/struts2/trunk/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java?rev=1500083&r1=1500082&r2=1500083&view=diff
==============================================================================
--- 
struts/struts2/trunk/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
 (original)
+++ 
struts/struts2/trunk/apps/showcase/src/main/java/org/apache/struts2/showcase/filedownload/FileDownloadAction.java
 Fri Jul  5 17:47:42 2013
@@ -39,7 +39,23 @@ public class FileDownloadAction implemen
        }
 
        public void setInputPath(String value) {
-               inputPath = value;
+               inputPath = sanitizeInputPath(value);
+       }
+
+       /**
+        * As the user modifiable parameter inputPath will be used to access 
server side resources, we want the path to be
+        * sanitized - in this case it is demonstrated to disallow inputPath 
parameter values containing "WEB-INF". Consider to
+        * use even stricter rules in production environments.
+        *
+        * @param value the raw parameter input value to sanitize
+        *
+        * @return the sanitized value; <tt>null</tt> if value contains an 
invalid path segment like WEB-INF
+        */
+       String sanitizeInputPath( String value ) {
+               if (value != null && value.toUpperCase().contains("WEB-INF")) {
+                       return null;
+               }
+               return value;
        }
 
        public InputStream getInputStream() throws Exception {
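Review bot: The case-insensitive check in sanitizeInputPath relies on value.toUpperCase() with the JVM default locale, so whether a given string matches "WEB-INF" depends on the locale of the server rather than on the input; use value.toUpperCase(Locale.ROOT) (or Locale.ENGLISH) so the comparison is stable everywhere. The javadoc already says this is a demonstration and that production code should be stricter; it would help readers of the showcase if the comment also stated explicitly that a single substring denylist is not a general path check and that a positive rule (an allowlist of permitted directories or a canonicalised-path prefix check) is the stricter form meant, otherwise the example may be copied as-is. Minor: the javadoc sentence "Consider to use even stricter rules" should read "Consider using even stricter rules", and since a rejected value leaves inputPath set to null, it is worth a sentence on how getInputStream is expected to treat that null, as the hunk does not show it.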

