Filter out %2E urls.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10891 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/admin/AuthCheckFilter.java

@@ -77,7 +77,7 @@ public class AuthCheckFilter implements Filter {
         if (exclude.endsWith("*")) {
             if (url.startsWith(exclude.substring(0, exclude.length()-1))) {
                 // Now make sure that there are no ".." characters in the rest of the URL.
-                if (!url.contains("..")) {
+                if (!url.contains("..") && !url.toLowerCase().contains("%2e")) {
                     return true;
                 }
             }

src/java/org/jivesoftware/openfire/clearspace/ClearspaceManager.java

@@ -345,7 +345,7 @@ public class ClearspaceManager extends BasicModule implements ExternalComponentM
     /**
      * Tests the web services connection with Clearspace given the manager's current configuration.
      *
-     * @return The exception or unll if connection test was successful.
+     * @return The exception or null if connection test was successful.
      */
     public Throwable testConnection() {
         // Test invoking a simple method

src/test/java/org/jivesoftware/admin/AuthCheckFilterTest.java

@@ -20,6 +20,7 @@ public class AuthCheckFilterTest extends TestCase {
         assertFalse(AuthCheckFilter.testURLPassesExclude("login.jsp?logout=false&another=true", "login.jsp?logout=false"));
 
         assertFalse(AuthCheckFilter.testURLPassesExclude("setup/setup-/../../log.jsp?log=info&mode=asc&lines=All","setup/setup-*"));
+        assertFalse(AuthCheckFilter.testURLPassesExclude("setup/setup-/%2E/%2E/log.jsp?log=info&mode=asc&lines=All","setup/setup-*"));
 
         assertTrue(AuthCheckFilter.testURLPassesExclude("setup/setup-new.jsp","setup/setup-*"));