From 577e703b6ee116a7a53dc48c7c22c43e1477217b Mon Sep 17 00:00:00 2001
From: Jayasheelan Kumar
Date: Fri, 13 Apr 2018 16:01:04 +0530
Subject: [PATCH 1/5] Added README.txt for jar files
---
 samples/README.txt | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 samples/README.txt
diff --git a/samples/README.txt b/samples/README.txt
new file mode 100644
index 0000000..1a5fa9a
--- /dev/null
+++ b/samples/README.txt
@@ -0,0 +1,15 @@ +The Samples Project is dependent of below jar files which needs to be downloaded and placed at the respective locations as detailed below: + +----------------------------------------------------------------------------------------------------------------------------------------------------------------- + JAR NAMES | Version | Destination Location | Notes +----------------------------------------------------------------------------------------------------------------------------------------------------------------- +1. jsft.jar | latest | ./eventdemo/WEB-INF/lib | Latest jar can be obtained from the target folder of respective module +2. commons-fileupload-1.0.jar | 1.0 | ./woodstock/examples/WEB-INF/lib | Jar can be obtained from apache repositories +3. webui-jsf-suntheme.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is woodstock jar which can be obtained from maven repositories +4. json2.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is from JSON.org which can be downloaded from maven repo +5. jsftemplating.jar | latest | ./DemoNBProject/web/WEB-INF/lib | Latest jar can be obtained from the target folder of respective module +6. webui-jsf.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is woodstock jar which can be obtained from maven repositories +7. jsftemplating-dynafaces-0.1.jar | 0.1 | ./DemoNBProject/web/WEB-INF/lib | This jar can be downloaded from the maven repo +8. jsftemplating-dt.jar | latest | ./DemoNBProject/ext-lib/ | Latest jar can be obtained from the target folder of respective module +9. ant-apt.jar | latest | ./DemoNBProject/ext-lib/ | Jar can be obtained from apache repositories +10.dataprovider.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This jar can be downloaded from the maven repo From f89a979890be060e4370966c6ebe7dd9564988fc Mon Sep 17 00:00:00 2001 
From: Jayasheelan Kumar
Date: Fri, 13 Apr 2018 19:54:37 +0530
Subject: [PATCH 2/5] Updated the URL Normalize logic
---
 .../util/fileStreamer/ResourceContentSource.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java b/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java
index ed8470e..e9b87f9 100755
--- a/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java
+++ b/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java
@@ -122,11 +122,8 @@ public static String normalize(String origPath) {
 // Normalize it...
 if ((path != null) && (path.length() > 0)) {
 path = path.replace('\\', '/');
- // Remove leading '/' chars
- while ((path.length() > 0) && (path.charAt(0) == '/')) {
- path = path.substring(1);
- }
- // Replace all double "//" with "/"
+
+ // Replace all double "//" with "/"
 while (path.indexOf("//") != -1) {
 path = path.replace("//", "/");
 }
From a98f6136edcb31937899630a18da11fc25fb4ef7 Mon Sep 17 00:00:00 2001
From: Jayasheelan Kumar
Date: Fri, 13 Apr 2018 19:58:08 +0530
Subject: [PATCH 3/5] Removing the draft README
---
 samples/README.txt | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 samples/README.txt
diff --git a/samples/README.txt b/samples/README.txt
deleted file mode 100644
index 1a5fa9a..0000000
--- a/samples/README.txt
+++ /dev/null
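Review bot: Removing the leading-slash strip here leaves relative input uncovered: a path that arrives without a leading `/` can never match `/../` at index 0. Assuming the context-root guard further down in normalize() (outside this hunk) is the `idx == 0` check visible in PATCH 5/5, a relative path that opens with a `..` segment would be returned unrejected at this revision, and only PATCH 5/5 closes that by prepending the slash. Consider squashing the two changes so no intermediate revision carries that state. The spot where the strip used to be also needs a comment, for example `// Keep the leading '/' so a "/../" at index 0 is detected as an escape above the context root`.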
@@ -1,15 +0,0 @@ -The Samples Project is dependent of below jar files which needs to be downloaded and placed at the respective locations as detailed below: - ------------------------------------------------------------------------------------------------------------------------------------------------------------------ - JAR NAMES | Version | Destination Location | Notes ------------------------------------------------------------------------------------------------------------------------------------------------------------------ -1. jsft.jar | latest | ./eventdemo/WEB-INF/lib | Latest jar can be obtained from the target folder of respective module -2. commons-fileupload-1.0.jar | 1.0 | ./woodstock/examples/WEB-INF/lib | Jar can be obtained from apache repositories -3. webui-jsf-suntheme.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is woodstock jar which can be obtained from maven repositories -4. json2.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is from JSON.org which can be downloaded from maven repo -5. jsftemplating.jar | latest | ./DemoNBProject/web/WEB-INF/lib | Latest jar can be obtained from the target folder of respective module -6. webui-jsf.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This is woodstock jar which can be obtained from maven repositories -7. jsftemplating-dynafaces-0.1.jar | 0.1 | ./DemoNBProject/web/WEB-INF/lib | This jar can be downloaded from the maven repo -8. jsftemplating-dt.jar | latest | ./DemoNBProject/ext-lib/ | Latest jar can be obtained from the target folder of respective module -9. ant-apt.jar | latest | ./DemoNBProject/ext-lib/ | Jar can be obtained from apache repositories -10.dataprovider.jar | latest | ./DemoNBProject/web/WEB-INF/lib | This jar can be downloaded from the maven repo From 8ef09917809a6765ba3072e6aed3976db690b67a Mon Sep 17 00:00:00 2001 
From: kenpaulsen
Date: Fri, 13 Apr 2018 10:25:31 -0700
Subject: [PATCH 4/5] Added a few simple test cases.
---
 .../ResourceContentSourceTest.java | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 jsftemplating/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java
diff --git a/jsftemplating/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java b/jsftemplating/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java
new file mode 100644
index 0000000..90177eb
--- /dev/null
+++ b/jsftemplating/src/test/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSourceTest.java
@@ -0,0 +1,38 @@
+/**
+ *
+ */
+package com.sun.jsftemplating.util.fileStreamer;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * TestCase for ResourceContentSource.
+ */
+public class ResourceContentSourceTest {
+
+ @Test(expected = IllegalArgumentException.class)
+ public void normalizeDoesNotAccessContextRootParent() {
+ final String testPath = "../bad/path";
+ ResourceContentSource.normalize(testPath);
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void normalizeDoesNotAccessContextRootParentWithLeadingSlash() {
+ final String testPath = "/../bad/path";
+ ResourceContentSource.normalize(testPath);
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void doesNotGoBackTooFar() {
+ final String testPath = "/path/../../../../too/many/backward";
+ ResourceContentSource.normalize(testPath);
+ }
+
+ @Test
+ public void removesExtraSlashesAndBackwardPaths() {
+ final String testPath = "//OK/path//with/extra/slashes/and/..//in/the/middle/";
+ final String result = ResourceContentSource.normalize(testPath);
+ Assert.assertEquals("Wrong result", "OK/path/with/extra/slashes/in/the/middle", result);
+ }
+}
From cc5b4812c6ab25238bacf297e814d9b776a45fa6 Mon Sep 17 00:00:00 2001
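Review bot: All four cases use forward-slash input, so the backslash conversion in normalize() and several of its branches are never exercised. Add cases for a backslash-separated `..` segment, a run of three or more consecutive slashes ahead of a `..` segment, a path that ends in `/..`, and null and empty input. The three `expected = IllegalArgumentException.class` tests pass on any IllegalArgumentException, so asserting that the message starts with `Invalid Resource Path` would tie them to the context-root guard. The empty header comment `/** * */` at the top of the file can be dropped or replaced with the project's license header.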
From: Jayasheelan Kumar Date: Mon, 16 Apr 2018 14:55:54 +0530 Subject: [PATCH 5/5] Updating with few fixes --- .../fileStreamer/ResourceContentSource.java | 72 ++++++++++--------- 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java b/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java index e9b87f9..703b002 100755 --- a/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java +++ b/jsftemplating/src/main/java/com/sun/jsftemplating/util/fileStreamer/ResourceContentSource.java @@ -117,45 +117,49 @@ public String getResourcePath(Context ctx) { * security reasons.

*/ public static String normalize(String origPath) { - String path = origPath; + String path = origPath; - // Normalize it... - if ((path != null) && (path.length() > 0)) { - path = path.replace('\\', '/'); + // Normalize it... + if ((path != null) && (path.length() > 0)) { + path = path.replace('\\', '/'); - // Replace all double "//" with "/" - while (path.indexOf("//") != -1) { - path = path.replace("//", "/"); + if (path.charAt(0) != '/') { + path = ("/").concat(path); } - for (int idx = path.indexOf("/../"); idx != -1; idx = path.indexOf("/../")) { - if (idx == 0) { - // Make sure we're not trying to go before the context root - LogUtil.info("JSFT0010", origPath); - throw new IllegalArgumentException( - "Invalid Resource Path: '" + origPath + "'"); - } - // Create new path after evaluating ".." - int prevPathIdx = path.lastIndexOf('/', idx-2) + 1; - path = path.substring(0, prevPathIdx) // before x/../ - + path.substring(idx + 4); // after x/../ - while ((path.length() > 0) && (path.charAt(0) == '/')) { - // Remove leading '/' chars - path = path.substring(1); - } + // Replace all double "//" with "/" + if (path.contains("//")) { + path = path.replaceAll("//", "/"); + } + for (int idx = path.indexOf("/../"); idx != -1; idx = path.indexOf("/../")) { + if (idx == 0) { + // Make sure we're not trying to go before the context root + LogUtil.info("JSFT0010", origPath); + throw new IllegalArgumentException( + "Invalid Resource Path: '" + origPath + "'"); + } + // Create new path after evaluating ".." + int prevPathIdx = path.lastIndexOf('/', idx - 2) + 1; + path = path.substring(0, prevPathIdx) // before x/../ + + path.substring(idx + 4); // after x/../ } - // We check for "../" so ".." at the end of a path could occur, - // which is fine, unless it is also at the beginning... 
- if (path.equals("..")) { - path = null; - } - // Last ensure path does not end in a '/' - if (path.endsWith("/")) { - path = path.substring(0, path.length()-1); - } - } - return path; - } + // Remove leading '/' chars + while ((path.length() > 0) && (path.charAt(0) == '/')) { + path = path.substring(1); + } + // We check for "../" so ".." at the end of a path could occur, + // which is fine, unless it is also at the beginning... + if (path.equals("..")) { + path = null; + } + + // Last ensure path does not end in a '/' + if (path != null && path.endsWith("/")) { + path = path.substring(0, path.length() - 1); + } + } + return path; + } /** *

This method may be used to clean up any temporary resources. It
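Review bot: `path.replaceAll("//", "/")` is a single pass, unlike the `while (path.indexOf("//") != -1)` loop it replaces, so a run of three or more slashes still leaves `//` in the path. When such a run opens the path and `..` segments follow, the first `/../` sits at index 1 instead of 0, `lastIndexOf('/', idx - 2)` returns -1, and the prefix is cut without the `idx == 0` guard firing, which can leave a result that begins with `../`. Restore the loop as `while (path.contains("//")) { path = path.replace("//", "/"); }`. As a second line of defence, throw the same IllegalArgumentException when the final value starts with `../`, checked right after the leading-slash strip. The retained comment also accepts a trailing `..`, so a path ending in `/..` is returned unresolved; that is worth either resolving or documenting in the method's Javadoc, which starts above this hunk.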