Commit 69549784 authored by Daniel Henninger's avatar Daniel Henninger Committed by dhenninger

Fixed minor issue with login screen escaping username where it shouldn't.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10805 b35dd754-fafc-0310-a699-88a17e54d16e
parent 202fc033
...@@ -46,12 +46,6 @@ ...@@ -46,12 +46,6 @@
<% // get parameters <% // get parameters
String username = ParamUtils.getParameter(request, "username"); String username = ParamUtils.getParameter(request, "username");
if (username != null) {
username = JID.escapeNode(username);
}
// Escape HTML tags in username to prevent cross-site scripting attacks. This
// is necessary because we display the username in the page below.
username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);
String password = ParamUtils.getParameter(request, "password"); String password = ParamUtils.getParameter(request, "password");
String url = ParamUtils.getParameter(request, "url"); String url = ParamUtils.getParameter(request, "url");
...@@ -70,34 +64,38 @@ ...@@ -70,34 +64,38 @@
Map<String, String> errors = new HashMap<String, String>(); Map<String, String> errors = new HashMap<String, String>();
if (ParamUtils.getBooleanParameter(request, "login")) { if (ParamUtils.getBooleanParameter(request, "login")) {
String loginUsername = username;
if (loginUsername != null) {
loginUsername = JID.escapeNode(loginUsername);
}
try { try {
if (LoginLimitManager.getInstance().hasHitConnectionLimit(username, request.getRemoteAddr())) { if (LoginLimitManager.getInstance().hasHitConnectionLimit(loginUsername, request.getRemoteAddr())) {
throw new UnauthorizedException("User '" + username +"' or address '" + request.getRemoteAddr() + "' has his login attempt limit."); throw new UnauthorizedException("User '" + loginUsername +"' or address '" + request.getRemoteAddr() + "' has his login attempt limit.");
} }
if (!AdminManager.getInstance().isUserAdmin(username, true)) { if (!AdminManager.getInstance().isUserAdmin(loginUsername, true)) {
throw new UnauthorizedException("User '" + username + "' not allowed to login."); throw new UnauthorizedException("User '" + loginUsername + "' not allowed to login.");
} }
if (secret != null && nodeID != null) { if (secret != null && nodeID != null) {
if (StringUtils.hash(AdminConsolePlugin.secret).equals(secret) && ClusterManager.isClusterMember(Base64.decode(nodeID, Base64.URL_SAFE))) { if (StringUtils.hash(AdminConsolePlugin.secret).equals(secret) && ClusterManager.isClusterMember(Base64.decode(nodeID, Base64.URL_SAFE))) {
authToken = new AuthToken(username); authToken = new AuthToken(loginUsername);
} }
else if ("clearspace".equals(nodeID) && ClearspaceManager.isEnabled()) { else if ("clearspace".equals(nodeID) && ClearspaceManager.isEnabled()) {
ClearspaceManager csmanager = ClearspaceManager.getInstance(); ClearspaceManager csmanager = ClearspaceManager.getInstance();
String sharedSecret = csmanager.getSharedSecret(); String sharedSecret = csmanager.getSharedSecret();
if (nonce == null || sharedSecret == null || !csmanager.isValidNonce(nonce) || if (nonce == null || sharedSecret == null || !csmanager.isValidNonce(nonce) ||
!StringUtils.hash(username + ":" + sharedSecret + ":" + nonce).equals(secret)) { !StringUtils.hash(loginUsername + ":" + sharedSecret + ":" + nonce).equals(secret)) {
throw new UnauthorizedException("SSO failed. Invalid secret was provided"); throw new UnauthorizedException("SSO failed. Invalid secret was provided");
} }
authToken = new AuthToken(username); authToken = new AuthToken(loginUsername);
} }
else { else {
throw new UnauthorizedException("SSO failed. Invalid secret or node ID was provided"); throw new UnauthorizedException("SSO failed. Invalid secret or node ID was provided");
} }
} }
else { else {
authToken = AuthFactory.authenticate(username, password); authToken = AuthFactory.authenticate(loginUsername, password);
} }
LoginLimitManager.getInstance().recordSuccessfulAttempt(username, request.getRemoteAddr()); LoginLimitManager.getInstance().recordSuccessfulAttempt(loginUsername, request.getRemoteAddr());
session.setAttribute("jive.admin.authToken", authToken); session.setAttribute("jive.admin.authToken", authToken);
response.sendRedirect(go(url)); response.sendRedirect(go(url));
return; return;
...@@ -144,6 +142,11 @@ ...@@ -144,6 +142,11 @@
errors.put("unauthorized", LocaleUtils.getLocalizedString("login.failed.unauthorized")); errors.put("unauthorized", LocaleUtils.getLocalizedString("login.failed.unauthorized"));
} }
} }
// Escape HTML tags in username to prevent cross-site scripting attacks. This
// is necessary because we display the username in the page below.
username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);
%> %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
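Review bot: The HTML escaping of `username` now runs only at the end of the scriptlet (third hunk), so between the first and third hunks `username` holds the raw request value; any code in that stretch that writes it to the response — not visible here — would lose the escaping the old code applied up front, so that range is worth checking before merging. The split into `loginUsername` (JID-escaped, used for the limit check, the admin check, the SSO hash and `AuthFactory.authenticate`) and `username` (the display value) is the right shape, but nothing in the hunk says why, so a comment on the new block would help: `// JID-escape a copy for authentication only; the display copy is HTML-escaped below.` Note also that the `UnauthorizedException` messages on the limit and admin checks now embed `loginUsername`, so the JID-escaped form rather than what the user typed is what reaches any log of those exceptions. The enclosing scriptlet starts and ends outside the hunks.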