Commit c41a8e16 authored by Daryl Herzmann's avatar Daryl Herzmann Committed by akrherz

OF-49: Check the username parameter and make sure it is escaped, just like the admin console does it.


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11178 b35dd754-fafc-0310-a699-88a17e54d16e
parent dd798ab6
...@@ -44,6 +44,12 @@ ...@@ -44,6 +44,12 @@
User Service Plugin Changelog User Service Plugin Changelog
</h1> </h1>
<p><b>1.3.2</b> -- August 19, 2009</p>
<ul>
<li>String sanitize username, so that escaped JIDs work. Author: Daryl Herzmann</li>
</ul>
<p><b>1.3.1</b> -- August 12, 2008</p> <p><b>1.3.1</b> -- August 12, 2008</p>
<ul> <ul>
<li>Added support for lockout (type=disable) and unlock (type=enable). Author: Daryl Herzmann</li> <li>Added support for lockout (type=disable) and unlock (type=enable). Author: Daryl Herzmann</li>
...@@ -5,8 +5,8 @@ ...@@ -5,8 +5,8 @@
<name>User Service</name> <name>User Service</name>
<description>Allows administration of users via HTTP requests.</description> <description>Allows administration of users via HTTP requests.</description>
<author>Justin Hunt</author> <author>Justin Hunt</author>
<version>1.3.1</version> <version>1.3.2</version>
<date>06/16/2009</date> <date>08/19/2009</date>
<minServerVersion>3.5.1</minServerVersion> <minServerVersion>3.5.1</minServerVersion>
<adminconsole> <adminconsole>
...@@ -18,7 +18,9 @@ import org.jivesoftware.openfire.user.UserAlreadyExistsException; ...@@ -18,7 +18,9 @@ import org.jivesoftware.openfire.user.UserAlreadyExistsException;
import org.jivesoftware.util.Log; import org.jivesoftware.util.Log;
import org.jivesoftware.openfire.plugin.UserServicePlugin; import org.jivesoftware.openfire.plugin.UserServicePlugin;
import org.jivesoftware.admin.AuthCheckFilter; import org.jivesoftware.admin.AuthCheckFilter;
import org.jivesoftware.stringprep.Stringprep;
import org.xmpp.packet.JID;
import javax.servlet.ServletConfig; import javax.servlet.ServletConfig;
import javax.servlet.ServletException; import javax.servlet.ServletException;
...@@ -102,8 +104,19 @@ public class UserServiceServlet extends HttpServlet { ...@@ -102,8 +104,19 @@ public class UserServiceServlet extends HttpServlet {
replyError("RequestNotAuthorised",response, out); replyError("RequestNotAuthorised",response, out);
return; return;
} }
// Some checking is required on the username
if (username == null){
replyError("IllegalArgumentException",response, out);
return;
}
// Check the request type and process accordingly // Check the request type and process accordingly
try { try {
username = username.trim().toLowerCase();
username = JID.escapeNode(username);
username = Stringprep.nodeprep(username);
if ("add".equals(type)) { if ("add".equals(type)) {
plugin.createUser(username, password, name, email, groupNames); plugin.createUser(username, password, name, email, groupNames);
replyMessage("ok",response, out); replyMessage("ok",response, out);
...@@ -169,4 +182,4 @@ public class UserServiceServlet extends HttpServlet { ...@@ -169,4 +182,4 @@ public class UserServiceServlet extends HttpServlet {
// Release the excluded URL // Release the excluded URL
AuthCheckFilter.removeExclude("userService/userservice"); AuthCheckFilter.removeExclude("userService/userservice");
} }
} }
\ No newline at end of file
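Review bot: The new null guard at the top of the second hunk rejects only `null`, so a username made of whitespace passes it and reaches the `try` block as an empty string after `trim()`; the guard should also reject blanks, `if (username == null || username.trim().length() == 0) {`, so such requests get the same `IllegalArgumentException` reply instead of whatever the later escape/nodeprep/createUser calls do with an empty node. `toLowerCase()` with no locale is locale-dependent (the dotless-i case under a Turkish default locale) and nodeprep is specified to case-fold anyway, so either drop that call or use `toLowerCase(Locale.ROOT)` (java.util.Locale; the import block is only partly visible). `Stringprep.nodeprep` presumably throws a checked StringprepException; the catch clauses of this `try` lie outside the hunk, so please confirm a username that fails nodeprep is answered with the `IllegalArgumentException` reply rather than a generic error. Note also that `JID.escapeNode` applied to input a client has already escaped may escape it a second time, which is worth a one-line comment stating that the parameter is expected unescaped. The enclosing method starts before and continues after the hunk.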