Commit 277f3f21 authored by Dave Cridland's avatar Dave Cridland

Merge pull request #89 from tevans/master

OF-807 + OF-670: Prep for 3.10.0
parents 27ccb695 8baf255a
......@@ -74,6 +74,7 @@ import org.xmpp.packet.IQ;
import org.xmpp.packet.JID;
import org.xmpp.packet.Message;
import org.xmpp.packet.Packet;
import org.xmpp.packet.PacketError;
import org.xmpp.packet.Presence;
import org.xmpp.resultsetmanagement.ResultSet;
......@@ -308,10 +309,18 @@ public class MultiUserChatServiceImpl implements Component, MultiUserChatService
return;
}
}
// The packet is a normal packet that should possibly be sent to the room
JID receipient = packet.getTo();
String roomName = receipient != null ? receipient.getNode() : null;
getChatUser(packet.getFrom(), roomName).process(packet);
// OF-670: Kick MUC users who return permanent error conditions;
// also detects S2S-based users from non-responsive domains.
if (packet.getError() != null &&
packet.getError().getType().equals(PacketError.Type.cancel)) {
removeUser(packet.getFrom());
}
else {
// The packet is a normal packet that should possibly be sent to the room
JID receipient = packet.getTo();
String roomName = receipient != null ? receipient.getNode() : null;
getChatUser(packet.getFrom(), roomName).process(packet);
}
}
catch (Exception e) {
Log.error(LocaleUtils.getLocalizedString("admin.error"), e);
......
......@@ -20,9 +20,11 @@
package org.jivesoftware.util;
import java.io.UnsupportedEncodingException;
import java.net.IDN;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.text.BreakIterator;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
......@@ -52,7 +54,7 @@ public class StringUtils {
private static final char[] AMP_ENCODE = "&".toCharArray();
private static final char[] LT_ENCODE = "<".toCharArray();
private static final char[] GT_ENCODE = ">".toCharArray();
private StringUtils() {
// Not instantiable.
}
......@@ -1118,6 +1120,28 @@ public class StringUtils {
}
}
/**
* Returns a valid domain name, possibly as an ACE-encoded IDN
* (per <a href="http://www.ietf.org/rfc/rfc3490.txt">RFC 3490</a>).
*
* @param domain Proposed domain name
* @return The validated domain name, possibly ACE-encoded
* @throws IllegalArgumentException The given domain name is not valid
*/
public static String validateDomainName(String domain) {
if (domain == null || domain.trim().length() == 0) {
throw new IllegalArgumentException("Domain name cannot be null or empty");
}
String result = IDN.toASCII(domain);
if (result.equals(domain)) {
// no conversion; validate again via USE_STD3_ASCII_RULES
IDN.toASCII(domain, IDN.USE_STD3_ASCII_RULES);
} else {
Log.info(MessageFormat.format("Converted domain name: from '{0}' to '{1}'", domain, result));
}
return result;
}
/**
* Removes characters likely to enable Cross Site Scripting attacks from the
* provided input string. The characters that are removed from the input
......
package org.jivesoftware.util;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import org.junit.Test;
public class StringUtilsTest {
@Test
public void testValidDomainNames() {
assertValidDomainName("www.mycompany.com");
assertValidDomainName("www.my-company.com");
assertValidDomainName("abc.de");
assertValidDomainName("tronçon.be", "xn--tronon-zua.be");
assertValidDomainName("öbb.at", "xn--bb-eka.at");
}
@Test
public void testInvalidDomainNames() {
assertInvalidDomainName("www.my_company.com", "Contains non-LDH characters");
assertInvalidDomainName("www.-dash.com", "Has leading or trailing hyphen");
assertInvalidDomainName("www.dash-.com", "Has leading or trailing hyphen");
assertInvalidDomainName("abc.<test>.de", "Contains non-LDH characters");
}
private void assertValidDomainName(String domain) {
assertValidDomainName(domain, domain);
}
private void assertValidDomainName(String domain, String expected) {
assertEquals("Domain should be valid: " + domain, expected, StringUtils.validateDomainName(domain));
}
private void assertInvalidDomainName(String domain, String expectedCause) {
try {
StringUtils.validateDomainName(domain);
fail("Domain should not be valid: " + domain);
} catch (IllegalArgumentException iae) {
// this is not part of the official API, so leave off for now
//assertEquals("Unexpected cause: " + iae.getMessage(), expectedCause, iae.getMessage());
}
}
}
......@@ -46,11 +46,8 @@
boolean serverAllowed = request.getParameter("serverAllowed") != null;
boolean serverBlocked = request.getParameter("serverBlocked") != null;
String domain = ParamUtils.getParameter(request,"domain");
// OF-671
if (domain != null) {
domain = StringUtils.removeXSSCharacters(domain);
}
String remotePort = ParamUtils.getParameter(request,"remotePort");
String remotePort = ParamUtils.getParameter(request,"remotePort");
boolean updateSucess = false;
boolean allowSuccess = false;
boolean blockSuccess = false;
......@@ -139,8 +136,10 @@
if (serverAllowed) {
int intRemotePort = 0;
// Validate params
if (domain == null || domain.trim().length() == 0) {
errors.put("domain","");
try {
StringUtils.validateDomainName(domain);
} catch (IllegalArgumentException iae) {
errors.put("domain", "");
}
if (remotePort == null || remotePort.trim().length() == 0 || "0".equals(remotePort)) {
errors.put("remotePort","");
......@@ -167,8 +166,10 @@
if (serverBlocked) {
// Validate params
if (domain == null || domain.trim().length() == 0) {
errors.put("domain","");
try {
StringUtils.validateDomainName(domain);
} catch (IllegalArgumentException iae) {
errors.put("domain", "");
}
// If no errors, continue:
if (errors.isEmpty()) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment