diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-14 12:51:23 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-14 14:45:02 -0500 |
commit | 5c613fcb2323cb477ac6d4518a73fc4a810c2b3f (patch) | |
tree | 5e415ef33af90934c82c7d161982290d58de2331 /pki/base/common/src/com | |
parent | 2c960067012c43db1437f561a63fc515328344e2 (diff) | |
download | pki-5c613fcb2323cb477ac6d4518a73fc4a810c2b3f.tar.gz pki-5c613fcb2323cb477ac6d4518a73fc4a810c2b3f.tar.xz pki-5c613fcb2323cb477ac6d4518a73fc4a810c2b3f.zip |
Escape parameter values in search filter.
The REST interface was vulnerable to injection attack. This has
been fixed by escaping the special characters in parameter values
before using them in the search filter.
Ticket #96
Diffstat (limited to 'pki/base/common/src/com')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java | 5 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java index b5032fa86..a7876a6c6 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java @@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.cms.servlet.base.CMSResourceService; import com.netscape.cms.servlet.key.model.KeyDAO; import com.netscape.cms.servlet.key.model.KeyDataInfos; +import com.netscape.cmsutil.ldap.LDAPUtil; /** * @author alee @@ -71,12 +72,12 @@ public class KeysResourceService extends CMSResourceService implements KeysResou } if (status != null) { - filter += "(status=" + status + ")"; + filter += "(status=" + LDAPUtil.escape(status) + ")"; matches ++; } if (clientID != null) { - filter += "(clientID=" + clientID + ")"; + filter += "(clientID=" + LDAPUtil.escape(clientID) + ")"; matches ++; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java index 9b11a96d6..11898ef7a 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java +++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java @@ -29,6 +29,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSResourceService; import com.netscape.cms.servlet.request.model.KeyRequestDAO; import com.netscape.cms.servlet.request.model.KeyRequestInfos; +import com.netscape.cmsutil.ldap.LDAPUtil; /** * @author alee @@ -77,17 +78,17 @@ public class KeyRequestsResourceService extends CMSResourceService implements Ke } if (requestState != null) { - filter += "(requeststate=" + requestState + ")"; + filter += "(requeststate=" + LDAPUtil.escape(requestState) + ")"; matches ++; } if (requestType != null) { - filter += "(requesttype=" + requestType + ")"; + filter += "(requesttype=" + LDAPUtil.escape(requestType) + ")"; matches ++; } if (clientID != null) { - filter += "(clientID=" + clientID + ")"; + filter += "(clientID=" + LDAPUtil.escape(clientID) + ")"; matches ++; } |