Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@381 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
author: alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2009-04-10 18:48:56 +0000
committer: alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2009-04-10 18:48:56 +0000
commit: 069c6d0dcfdf06660a7984d12bc3afb07d272373 (patch)
tree: cf03ad5632bcf14085d983784060898ce5091917 /pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
parent: 3ea60be8a53cbe26857bb0843368c7f4b38ffb36 (diff)
download: pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.tar.gz
pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.tar.xz
pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.zip
1 files changed, 12 insertions, 4 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 894ecd49d..6a5263fcf 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -107,9 +107,13 @@ public class ProfileSubmitServlet extends ProfileServlet {
 
                 while (inputNames.hasMoreElements()) {
                     String inputName = (String) inputNames.nextElement();
-
                     if (request.getParameter(inputName) != null) {
-                        ctx.set(inputName, request.getParameter(inputName));
+                        // all subject name parameters start with sn_, no other input parameters do
+                        if (inputName.matches("^sn_.*")) {
+                            ctx.set(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString());
+                        } else {
+                            ctx.set(inputName, request.getParameter(inputName));
+                        }
                     }
                 }
             }
@@ -306,7 +310,12 @@ public class ProfileSubmitServlet extends ProfileServlet {
                         String inputName = (String) inputNames.nextElement();
 
                         if (request.getParameter(inputName) != null) {
-                            req.setExtData(inputName, request.getParameter(inputName));
+                            // special characters in subject names parameters must be escaped
+                            if (inputName.matches("^sn_.*")) {
+                                req.setExtData(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString());
+                            } else {
+                                req.setExtData(inputName, request.getParameter(inputName));
+                            }
                         }
                     }
                 }
@@ -351,7 +360,6 @@ public class ProfileSubmitServlet extends ProfileServlet {
 
     }
 
-
     private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
         Enumeration outputIds = profile.getProfileOutputIds();
author	alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2009-04-10 18:48:56 +0000
committer	alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2009-04-10 18:48:56 +0000
commit	069c6d0dcfdf06660a7984d12bc3afb07d272373 (patch)
tree	cf03ad5632bcf14085d983784060898ce5091917 /pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
parent	3ea60be8a53cbe26857bb0843368c7f4b38ffb36 (diff)
download	pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.tar.gz pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.tar.xz pki-069c6d0dcfdf06660a7984d12bc3afb07d272373.zip