OF-49: Check the username parameter and make sure it is escaped, just like

how the admin console does it. git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11178 b35dd754-fafc-0310-a699-88a17e54d16e

OF-49: Check the username parameter and make sure it is escaped, just like
how the admin console does it. git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11178 b35dd754-fafc-0310-a699-88a17e54d16e
c41a8e16 · Daryl Herzmann · akrherz · dd798ab6 · c41a8e16 · c41a8e16
Commit c41a8e16 authored Aug 19, 2009 by Daryl Herzmann Committed by akrherz Aug 19, 2009
Showing with 22 additions and 3 deletions

changelog.html src/plugins/userservice/changelog.html +6 -0

plugin.xml src/plugins/userservice/plugin.xml +2 -2

UserServiceServlet.java ...tware/openfire/plugin/userService/UserServiceServlet.java +14 -1

No files found.
--- a/src/plugins/userservice/changelog.html
+++ b/src/plugins/userservice/changelog.html
@@ -44,6 +44,12 @@
 User Service Plugin Changelog
 </h1>
+<p><b>1.3.2</b> -- August 19, 2009</p>
+<ul>
+    <li>String sanitize username, so that escaped JIDs work. Author: Daryl Herzmann</li>
+</ul>
 <p><b>1.3.1</b> -- August 12, 2008</p>
 <ul>
    <li>Added support for lockout (type=disable) and unlock (type=enable). Author: Daryl Herzmann</li>

--- a/src/plugins/userservice/plugin.xml
+++ b/src/plugins/userservice/plugin.xml
@@ -5,8 +5,8 @@
    <name>User Service</name>
    <description>Allows administration of users via HTTP requests.</description>
    <author>Justin Hunt</author>
-    <version>1.3.1</version>
+    <version>1.3.2</version>
-    <date>06/16/2009</date>
+    <date>08/19/2009</date>
    <minServerVersion>3.5.1</minServerVersion>
    <adminconsole>		

--- a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
+++ b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
@@ -18,7 +18,9 @@ import org.jivesoftware.openfire.user.UserAlreadyExistsException;
 import org.jivesoftware.util.Log;
 import org.jivesoftware.openfire.plugin.UserServicePlugin;
 import org.jivesoftware.admin.AuthCheckFilter;
+import org.jivesoftware.stringprep.Stringprep;
+import org.xmpp.packet.JID;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
@@ -102,8 +104,19 @@ public class UserServiceServlet extends HttpServlet {
            replyError("RequestNotAuthorised",response, out);
            return;
         }
+        // Some checking is required on the username
+        if (username == null){
+            replyError("IllegalArgumentException",response, out);
+            return;
+        }
        // Check the request type and process accordingly
        try {
+            username = username.trim().toLowerCase();
+            username = JID.escapeNode(username);
+            username = Stringprep.nodeprep(username);
            if ("add".equals(type)) {
                plugin.createUser(username, password, name, email, groupNames);
                replyMessage("ok",response, out);