Merge pull request #266 from surevine/dwd/xss-master

Address XSS issues in admin console and monitoring plugin (master)

src/plugins/monitoring/plugin.xml

@@ -5,7 +5,7 @@
     <name>Monitoring Service</name>
     <description>Monitors conversations and statistics of the server.</description>
     <author>Jive Software</author>
-    <version>1.4.4</version>
+    <version>1.4.5</version>
     <date>10/28/2014</date>
     <minServerVersion>3.9.0</minServerVersion>
     <databaseKey>monitoring</databaseKey>

src/plugins/monitoring/src/java/org/jivesoftware/openfire/archive/ConversationUtils.java

@@ -37,6 +37,7 @@ import org.jivesoftware.openfire.user.UserManager;
 import org.jivesoftware.util.JiveGlobals;
 import org.jivesoftware.util.LocaleUtils;
 import org.jivesoftware.util.NotFoundException;
+import org.jivesoftware.util.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xmpp.packet.JID;
@@ -328,8 +329,9 @@ public class ConversationUtils {
             if (conversation.getRoom() != null) {
                 from = message.getToJID().getResource();
             }
+            from = StringUtils.escapeHTMLTags(from);
             String cssLabel = cssLabels.get(message.getFromJID().toBareJID());
-            String body = message.getBody();
+            String body = StringUtils.escapeHTMLTags(message.getBody());
             builder.append("<tr valign=top>");
             if (!message.isRoomEvent()) {
                 builder.append("<td width=1% nowrap class=" + cssLabel + ">").append("[")

src/plugins/monitoring/src/web/archive-conversation-participants.jsp

@@ -7,6 +7,7 @@
 <%@ page import="org.jivesoftware.util.Log" %>
 <%@ page import="org.jivesoftware.util.NotFoundException" %>
 <%@ page import="org.jivesoftware.util.ParamUtils" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ page import="org.xmpp.packet.JID" %>
 <%@ page import="java.util.*" %>
 
@@ -179,14 +180,14 @@
             %>
             <tr>
                 
-                <td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
+                <td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
 
                 <% if (it.hasNext()) {
                     participation = it.next();
                     nickname = participation[0];
                     participant = new  JID(participation[1]);
                 %>
-                <td><%=nickname%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
+                <td><%=StringUtils.escapeHTMLTags(nickname)%> <i>(<%= server.isLocal(participant) && userManager.isRegisteredUser(participant) ? "<a href='/user-properties.jsp?username=" + participant.getNode() + "'>" + participant.toBareJID() + "</a>" : participant.toBareJID() %>)</i></td>
                 <% } else { %>
                 <td>&nbsp;</td>
                 <% } %>

src/plugins/monitoring/src/web/archive-search.jsp

@@ -514,14 +514,14 @@
         </tr>
         <tr>
             <td>
-                <input type="text" size="22" name="participant1" value="<%= participant1 != null ? participant1 :
+                <input type="text" size="22" name="participant1" value="<%= participant1 != null ? StringUtils.escapeForXML(participant1) :
                 LocaleUtils.getLocalizedString("archive.search.participants.any", "monitoring") %>" class="textfield"/>
             </td>
 
         </tr>
         <tr>
             <td>
-                <input type="text" size="22" name="participant2" value="<%= participant2 != null ? participant2 : anyText %>" class="textfield"/>
+                <input type="text" size="22" name="participant2" value="<%= participant2 != null ? StringUtils.escapeForXML(participant2) : anyText %>" class="textfield"/>
             </td>
 
         </tr>
@@ -546,7 +546,7 @@
             <td><fmt:message key="archive.search.daterange.start" /></td>
             <td>
                 <input type="text" id="startDate" name="startDate" size="13"
-                       value="<%= startDate != null ? startDate :
+                       value="<%= startDate != null ? StringUtils.escapeForXML(startDate) :
                        LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring")%>" class="textfield"/><br/>
                 <span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
             </td>
@@ -558,7 +558,7 @@
             <td><fmt:message key="archive.search.daterange.end" /></td>
             <td>
                 <input type="text" id="endDate" name="endDate" size="13"
-                       value="<%= endDate != null ? endDate :
+                       value="<%= endDate != null ? StringUtils.escapeForXML(endDate) :
                        LocaleUtils.getLocalizedString("archive.search.daterange.any", "monitoring") %>" class="textfield"/><br/>
                 <span class="jive-description"><fmt:message key="archive.search.daterange.format" /></span>
             </td>
@@ -586,7 +586,7 @@
         <tr>
             <td>
                 <% if(isArchiveEnabled){%>
-                <input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? query : ""%>"/>
+                <input type="text" name="keywords" size="35" class="keyword-field" value="<%= query != null ? StringUtils.escapeForXML(query) : ""%>"/>
                 <% } else { %>
                     <fmt:message key="archive.search.keywords.disabled">
                         <fmt:param value="<a href='archiving-settings.jsp'>" />

src/plugins/monitoring/src/web/conversations.jsp

@@ -131,7 +131,7 @@ function updateConversations(data) {
 <!-- <a href="#" onclick="conversationUpdater(); return false;">click me</a> -->
 <p>
     <fmt:message key="archive.conversations" />
-    <span id="activeConversations"><%= conversationManager.getConversationCount() %></span
+    <span id="activeConversations"><%= conversationManager.getConversationCount() %></span>
 </p>
 
 <%
@@ -169,9 +169,9 @@ function updateConversations(data) {
             <% if (conversation.getRoom() == null) { %>
                 <% for (JID jid : participants) { %>
                     <% if (server.isLocal(jid) && userManager.isRegisteredUser(jid.getNode())) { %>
-                        <a href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= jid %></a><br />
+                        <a title='User Link' href="/user-properties.jsp?username=<%= jid.getNode() %>"><%= StringUtils.escapeHTMLTags(jid.toBareJID()) %></a><br />
                     <% } else { %>
-                        <%= jid.toBareJID() %><br/>
+                        <%= StringUtils.escapeHTMLTags(jid.toBareJID()) %><br/>
                     <% } %>
                 <% } %>
             <% } else { %>

src/web/WEB-INF/web.xml

@@ -8,6 +8,13 @@
 
     <display-name>Openfire</display-name>
 
+    <!--  OF-902 use HttpOnly for session cookie -->
+    <session-config>
+	 <cookie-config>
+	  <http-only>true</http-only>
+	 </cookie-config>
+	</session-config>
+
     <!-- prevent URL rewritting with jsessionid included, OF-669 -->
     <context-param>
         <param-name>org.eclipse.jetty.servlet.SessionIdPathParameterName</param-name>