JM-830 - LdapProvider, Manager, and LdapVCard Provider now escape and unescape usernames properly.

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@5372 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/wildfire/ldap/LdapAuthProvider.java

@@ -15,6 +15,7 @@ import org.jivesoftware.util.*;
 import org.jivesoftware.wildfire.auth.AuthProvider;
 import org.jivesoftware.wildfire.auth.UnauthorizedException;
 import org.jivesoftware.wildfire.user.UserNotFoundException;
+import org.xmpp.packet.JID;
 
 import javax.naming.CommunicationException;
 
@@ -67,6 +68,9 @@ public class LdapAuthProvider implements AuthProvider {
             throw new UnauthorizedException();
         }
 
+        // Un-escape username.
+        username = JID.unescapeNode(username);
+
         // If cache is enabled, see if the auth is in cache.
         if (authCache != null && authCache.containsKey(username)) {
             String hash = (String)authCache.get(username);

src/java/org/jivesoftware/wildfire/ldap/LdapAuthorizationProvider.java

@@ -14,6 +14,7 @@ package org.jivesoftware.wildfire.ldap;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.wildfire.sasl.AbstractAuthorizationProvider;
 import org.jivesoftware.wildfire.sasl.AuthorizationProvider;
+import org.xmpp.packet.JID;
 
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
@@ -69,6 +70,9 @@ public class LdapAuthorizationProvider extends AbstractAuthorizationProvider imp
      * @return A String Collection of principals that are authorized.
      */
     public Collection<String> getAuthorized(String username) {
+        // Un-escape Node
+        username = JID.unescapeNode(username);
+
         Collection<String> authorized = new ArrayList<String>();
         DirContext ctx = null;
         try {

src/java/org/jivesoftware/wildfire/ldap/LdapVCardProvider.java

@@ -126,6 +126,8 @@ public class LdapVCardProvider implements VCardProvider {
     }
 
     private Map<String, String> getLdapAttributes(String username) {
+        // Un-escape username
+        username = JID.unescapeNode(username);
         HashMap<String, String> map = new HashMap<String, String>();
 
         DirContext ctx = null;

src/web/decorators/main.jsp

@@ -12,7 +12,7 @@
                  org.jivesoftware.admin.AdminConsole,
                  org.jivesoftware.util.LocaleUtils"
     errorPage="../error.jsp"
-%>
+%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="admin" prefix="admin" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -90,7 +90,7 @@
 		<strong>Administration Console</strong>
 	</div>
 	<div id="jive-logout" style="float: right;">
-		<a href="<%= path %>/index.jsp?logout=true"><%= LocaleUtils.getLocalizedString("global.logout") %> [<%= StringUtils.escapeHTMLTags(webManager.getUser().getUsername()) %>]</a>
+		<a href="<%= path %>/index.jsp?logout=true"><%= LocaleUtils.getLocalizedString("global.logout") %> [<%= StringUtils.escapeHTMLTags(JID.unescapeNode(webManager.getUser().getUsername())) %>]</a>
 	</div>
 	<div id="jive-tabs">
 		<admin:tabs css="" currentcss="currentlink">

src/web/group-edit.jsp

@@ -142,6 +142,17 @@
             username = username.trim();
             username = username.toLowerCase();
 
+            if(username.indexOf('@') != -1){
+                try {
+                    UserManager.getInstance().getUser(JID.escapeNode(username));
+                    // That means that this user has an email address as their node.
+                    username = JID.escapeNode(username);
+                }
+                catch (UserNotFoundException e) {
+
+                }
+            }
+
             // Add to group as member by default.
             try {
                 boolean added = false;
@@ -525,7 +536,7 @@
 
                     </td>
                     <% if (user != null) { %>
-                    <td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= user.getUsername() %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
+                    <td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
                     <% } else { %>
                     <td><%= jid %><% showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font></td>
                     <% } %>

src/web/login.jsp

@@ -49,6 +49,9 @@
 
 <%	// get parameters
     String username = ParamUtils.getParameter(request,"username");
+    if(username != null){
+        username = JID.escapeNode(username);
+    }
     // Escape HTML tags in username to prevent cross-site scripting attacks. This
     // is necessary because we display the username in the page below.
     username = org.jivesoftware.util.StringUtils.escapeHTMLTags(username);

src/web/session-details.jsp

@@ -113,7 +113,7 @@
 
             <%  } else { %>
 
-                <a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= n %></a>
+                <a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= JID.unescapeNode(n) %></a>
                 - <%= address.getResource()==null?"":StringUtils.escapeForXML(address.getResource()) %>
 
             <%  } %>

src/web/session-row.jspf

@@ -7,7 +7,7 @@
                  org.xmpp.packet.Presence,
                  java.net.URLEncoder,
                  org.jivesoftware.util.LocaleUtils,
-                 org.jivesoftware.util.StringUtils"%>
+                 org.jivesoftware.util.StringUtils"%><%@ page import="org.xmpp.packet.JID"%>
 
 <%--
   - This page is meant to be included in other pages. It assumes 2 variables:
@@ -32,7 +32,7 @@
     <td width="10%" nowrap>
         <%  String name = sess.getAddress().getNode(); %>
             <a href="session-details.jsp?jid=<%= URLEncoder.encode(sess.getAddress().toString(), "UTF-8") %>" title="<fmt:message key="session.row.cliked" />"
-             ><%= ((name != null && !"".equals(name)) ? name : "<i>"+LocaleUtils.getLocalizedString("session.details.anonymous")+"</i>") %></a>
+             ><%= ((name != null && !"".equals(name)) ? JID.unescapeNode(name): "<i>"+LocaleUtils.getLocalizedString("session.details.anonymous")+"</i>") %></a>
     </td>
     <td width="15%" nowrap>
         <%= StringUtils.escapeForXML(sess.getAddress().getResource()) %>

src/web/user-create.jsp

@@ -16,7 +16,7 @@
     errorPage="error.jsp"
 %>
 <%@ page import="java.util.Map"%>
-<%@ page import="java.util.HashMap"%>
+<%@ page import="java.util.HashMap"%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -50,6 +50,7 @@
         else {
             try {
                 username = username.trim().toLowerCase();
+                username = JID.escapeNode(username);
                 username = Stringprep.nodeprep(username);
             }
             catch (StringprepException se) {

src/web/user-edit-form.jsp

@@ -12,7 +12,7 @@
                  org.jivesoftware.wildfire.user.*,
                  java.net.URLEncoder"
     errorPage="error.jsp"
-%>
+%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -87,7 +87,7 @@
                 <fmt:message key="user.create.username" />:
             </td>
             <td>
-                <%= user.getUsername() %>
+                <%= JID.unescapeNode(user.getUsername()) %>
             </td>
         </tr>
         <tr>

src/web/user-properties.jsp

@@ -20,7 +20,7 @@
 <%@ page import="java.net.URLEncoder"%>
 <%@ page import="java.util.Collection"%>
 <%@ page import="java.util.Iterator"%>
-<%@ page import="org.jivesoftware.wildfire.user.UserManager"%>
+<%@ page import="org.jivesoftware.wildfire.user.UserManager"%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -119,7 +119,7 @@
             <fmt:message key="user.create.username" />:
         </td>
         <td>
-            <%= user.getUsername() %>
+            <%= JID.unescapeNode(user.getUsername()) %>
         </td>
     </tr>
     <tr>

src/web/user-search.jsp

@@ -8,7 +8,7 @@
                  java.util.HashMap,
                  java.util.Map,
                  java.net.URLEncoder"
-%>
+%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -19,6 +19,7 @@
     // Get parameters
     boolean search = ParamUtils.getBooleanParameter(request,"search");
     String username = ParamUtils.getParameter(request,"username");
+    username = JID.escapeNode(username);
 
     // Handle a cancel
     if (request.getParameter("cancel") != null) {

src/web/user-summary.jsp

@@ -16,7 +16,7 @@
                  org.xmpp.packet.Presence,
                  java.net.URLEncoder,
                  org.jivesoftware.util.JiveGlobals"
-%>
+%><%@ page import="org.xmpp.packet.JID"%>
 
 <%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
@@ -210,7 +210,7 @@
             <%  } %>
         </td>
         <td width="30%">
-            <a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= user.getUsername() %></a>
+            <a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a>
         </td>
         <td width="40%">
             <%= user.getName() %> &nbsp;