Security fix. JM-1489

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10870 b35dd754-fafc-0310-a699-88a17e54d16e

Security fix. JM-1489
git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10870 b35dd754-fafc-0310-a699-88a17e54d16e
8b2e120f · Matt Tucker · matt · edcfb96b · 8b2e120f · 8b2e120f
Commit 8b2e120f authored Nov 13, 2008 by Matt Tucker Committed by matt Nov 13, 2008
Showing with 81 additions and 4 deletions

AuthCheckFilter.java src/java/org/jivesoftware/admin/AuthCheckFilter.java +50 -3

AuthCheckFilterTest.java ...test/java/org/jivesoftware/admin/AuthCheckFilterTest.java +30 -0

web.xml src/web/WEB-INF/web.xml +1 -1

No files found.
--- a/src/java/org/jivesoftware/admin/AuthCheckFilter.java
+++ b/src/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -55,6 +55,53 @@ public class AuthCheckFilter implements Filter {
        excludes.remove(exclude);
    }

+    /**
+     * Returns true if a URL passes an exclude rule.
+     *
+     * @param url the URL to test.
+     * @param exclude the exclude rule.
+     * @return true if the URL passes the exclude test.
+     */
+    public static boolean testURLPassesExclude(String url, String exclude) {
+      //  login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,
+      //  setup/clearspace-integration-prelogin.jsp
+
+        // If the exclude rule includes a "?" character, the url must exactly match the exclude rule.
+        // If the exclude rule does not contain the "?" character, we chop off everything starting at the first "?"
+        // in the URL and then the resulting url must exactly match the exclude rule. If the exclude ends with a "*"
+        // character then the URL is allowed if it exactly matches everything before the * and there are no ".."
+        // characters after the "*". All data in the URL before
+        // the "@" character is chopped.
+
+        if (url.contains("@")) {
+            url = url.substring(url.indexOf("@"));
+        }
+
+        if (exclude.endsWith("*")) {
+            if (url.startsWith(exclude.substring(0, exclude.length()-1))) {
+                // Now make sure that there are no ".." characters in the rest of the URL.
+                if (!url.contains("..")) {
+                    return true;
+                }
+            }
+        }
+        else if (exclude.contains("?")) {
+            if (url.equals(exclude)) {
+                return true;
+            }
+        }
+        else {
+            int paramIndex = url.indexOf("?");
+            if (paramIndex != -1) {
+                url = url.substring(0, paramIndex);
+            }
+            if (url.equals(exclude)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        defaultLoginPage = config.getInitParameter("defaultLoginPage");
@@ -79,11 +126,11 @@ public class AuthCheckFilter implements Filter {
            loginPage = request.getContextPath() + "/login.jsp";
        }
        // Get the page we're on:
-        String url = request.getRequestURL().toString();
+        String url = request.getRequestURI().substring(1);
        // See if it's contained in the exclude list. If so, skip filter execution
        boolean doExclude = false;
        for (String exclude : excludes) {
-            if (url.indexOf(exclude) > -1) {
+            if (testURLPassesExclude(url, exclude)) {
                doExclude = true;
                break;   
            }

--- a/src/test/java/org/jivesoftware/admin/AuthCheckFilterTest.java
+++ b/src/test/java/org/jivesoftware/admin/AuthCheckFilterTest.java
+package org.jivesoftware.admin;
+
+import junit.framework.TestCase;
+
+/**
+ * 
+ */
+public class AuthCheckFilterTest extends TestCase {
+
+    // login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-,.gif,.png,error-serverdown.jsp
+
+    public void testExcludeRules() {
+        assertFalse(AuthCheckFilter.testURLPassesExclude("blahblah/login.jsp", "login.jsp"));
+        assertTrue(AuthCheckFilter.testURLPassesExclude("login.jsp", "login.jsp"));
+        assertTrue(AuthCheckFilter.testURLPassesExclude("login.jsp?yousuck&blah", "login.jsp"));
+        assertTrue(AuthCheckFilter.testURLPassesExclude("login.jsp?another=true&login.jsp?true", "login.jsp"));
+        assertFalse(AuthCheckFilter.testURLPassesExclude("blahblah/login.jsp", "login.jsp?logout=false"));
+        assertTrue(AuthCheckFilter.testURLPassesExclude("login.jsp?logout=false", "login.jsp?logout=false"));
+        assertFalse(AuthCheckFilter.testURLPassesExclude("login.jsp?logout=false&another=true", "login.jsp?logout=false"));
+        assertFalse(AuthCheckFilter.testURLPassesExclude("login.jsp?logout=false&another=true", "login.jsp?logout=false"));
+
+        assertFalse(AuthCheckFilter.testURLPassesExclude("setup/setup-/../../log.jsp?log=info&mode=asc&lines=All","setup/setup-*"));
+
+        assertTrue(AuthCheckFilter.testURLPassesExclude("setup/setup-new.jsp","setup/setup-*"));
+
+        // Let's get crafty by using an "@" symbol
+        assertFalse(AuthCheckFilter.testURLPassesExclude("login.jsp?@another.jsp", "login.jsp"));
+        assertFalse(AuthCheckFilter.testURLPassesExclude("another.jsp?login.jsp", "login.jsp"));
+    }
+}
--- a/src/web/WEB-INF/web.xml
+++ b/src/web/WEB-INF/web.xml
@@ -24,7 +24,7 @@
        <init-param>
            <param-name>excludes</param-name>
            <param-value>
-                login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-,.gif,.png,error-serverdown.jsp,setup/clearspace-integration-prelogin.jsp
+                login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,setup/clearspace-integration-prelogin.jsp
            </param-value>
        </init-param>
    </filter>