Commit c41a8e16 authored by Daryl Herzmann's avatar Daryl Herzmann Committed by akrherz

OF-49: Check the username parameter and make sure it is escaped, just as the admin console does.


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11178 b35dd754-fafc-0310-a699-88a17e54d16e
parent dd798ab6
......@@ -44,6 +44,12 @@
User Service Plugin Changelog
</h1>
<p><b>1.3.2</b> -- August 19, 2009</p>
<ul>
<li>String sanitize username, so that escaped JIDs work. Author: Daryl Herzmann</li>
</ul>
<p><b>1.3.1</b> -- August 12, 2008</p>
<ul>
<li>Added support for lockout (type=disable) and unlock (type=enable). Author: Daryl Herzmann</li>
......
......@@ -5,8 +5,8 @@
<name>User Service</name>
<description>Allows administration of users via HTTP requests.</description>
<author>Justin Hunt</author>
<version>1.3.1</version>
<date>06/16/2009</date>
<version>1.3.2</version>
<date>08/19/2009</date>
<minServerVersion>3.5.1</minServerVersion>
<adminconsole>
......
......@@ -18,7 +18,9 @@ import org.jivesoftware.openfire.user.UserAlreadyExistsException;
import org.jivesoftware.util.Log;
import org.jivesoftware.openfire.plugin.UserServicePlugin;
import org.jivesoftware.admin.AuthCheckFilter;
import org.jivesoftware.stringprep.Stringprep;
import org.xmpp.packet.JID;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
......@@ -102,8 +104,19 @@ public class UserServiceServlet extends HttpServlet {
replyError("RequestNotAuthorised",response, out);
return;
}
// Some checking is required on the username
if (username == null){
replyError("IllegalArgumentException",response, out);
return;
}
// Check the request type and process accordingly
try {
username = username.trim().toLowerCase();
username = JID.escapeNode(username);
username = Stringprep.nodeprep(username);
if ("add".equals(type)) {
plugin.createUser(username, password, name, email, groupNames);
replyMessage("ok",response, out);
......@@ -169,4 +182,4 @@ public class UserServiceServlet extends HttpServlet {
// Release the excluded URL
AuthCheckFilter.removeExclude("userService/userservice");
}
}
\ No newline at end of file
}
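Review bot: The guard added at the top of the second hunk rejects only a null username, so a blank or whitespace-only value passes it, is trimmed to the empty string on the next line, and reaches plugin.createUser() with an empty node; the check should read `if (username == null || username.trim().length() == 0) {` so the "IllegalArgumentException" reply covers that case as well. Stringprep.nodeprep() can also reject the escaped input (if I recall the API correctly it throws a checked StringprepException), and the try block's catch clauses are outside the hunk, so confirm that this path is turned into an error reply rather than an unhandled exception. The toLowerCase() call uses the platform default locale; since nodeprep applies its own case mapping, either drop it or pin the locale (e.g. `Locale.ENGLISH`) so that a server running under a Turkish locale does not normalise "I"/"i" usernames differently from the admin console. The enclosing method begins and ends outside the hunk.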