Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@381 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

7 files changed, 71 insertions, 34 deletions

diff --git a/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
index 8b764eb97..098be45dd 100644
--- a/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
+++ b/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java
@@ -742,4 +742,29 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
         }
         return p.substitute2("request", attrSet);
     }
+
+    protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape)
+    {
+        StringBuffer result = new StringBuffer();
+
+        // Do we need to escape any characters
+        for (int i = 0; i < v.length(); i++) {
+            int c = v.charAt(i);
+            if (c == ',' || c == '=' || c == '+' || c == '<' ||
+                c == '>' || c == '#' || c == ';' || c == '\r' ||
+                c == '\n' || c == '\\' || c == '"') {
+                        result.append('\\');
+                        if (doubleEscape) result.append('\\');
+            }
+            if (c == '\r') {
+                result.append("0D");
+            } else if (c == '\n') {
+                result.append("0A");
+            } else {
+                result.append((char)c);
+            }
+        }
+        return result;
+    }
+ 
 }
diff --git a/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java
index ca33ca6e1..a53b98fa3 100644
--- a/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java
+++ b/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java
@@ -415,8 +415,8 @@ ldapInit();
                if (la != null) {
                    String[] sla = la.getStringValueArray();
                    CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: "+mLdapStringAttrs[i]+
-                       "=" +sla[0]);
-                       request.setExtData(mLdapStringAttrs[i], sla[0]);
+                       "=" + escapeValueRfc1779(sla[0], false).toString());
+                       request.setExtData(mLdapStringAttrs[i], escapeValueRfc1779(sla[0], false).toString());
                }
             }
 //cfu
diff --git a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
index 1f1daec25..dceb44239 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -2122,5 +2122,30 @@ public abstract class CMSServlet extends HttpServlet {
                 CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", ee.toString()));
         }
     }
+
+    protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape)
+    {
+        StringBuffer result = new StringBuffer();
+
+        // Do we need to escape any characters
+        for (int i = 0; i < v.length(); i++) {
+            int c = v.charAt(i);
+            if (c == ',' || c == '=' || c == '+' || c == '<' ||
+                c == '>' || c == '#' || c == ';' || c == '\r' ||
+                c == '\n' || c == '\\' || c == '"') {
+                        result.append('\\');
+                        if (doubleEscape) result.append('\\');
+            }
+            if (c == '\r') {
+                result.append("0D");
+            } else if (c == '\n') {
+                result.append("0A");
+            } else {
+                result.append((char)c);
+            }
+        }
+        return result;
+    }
+
 }
 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java
index cd51dd659..409a12754 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java
@@ -195,29 +195,6 @@ public class SrchCerts extends CMSServlet {
         }
     }
 
-    private StringBuffer escapeValueRfc1779(String v)
-    {
-        StringBuffer result = new StringBuffer();
-
-        // Do we need to escape any characters
-        for (int i = 0; i < v.length(); i++) {
-            int c = v.charAt(i);
-            if (c == ',' || c == '=' || c == '+' || c == '<' ||
-                c == '>' || c == '#' || c == ';' || c == '\r' ||
-                c == '\n' || c == '\\' || c == '"') {
-                        result.append('\\');
-            }
-            if (c == '\r') {
-                result.append("0D");
-            } else if (c == '\n') {
-                result.append("0A");
-            } else {
-                result.append((char)c);
-            }
-        }
-        return result;
-    }
-
     private void buildAVAFilter(HttpServletRequest req, String paramName, 
                                  String avaName, StringBuffer lf, String match)
     {
@@ -228,12 +205,12 @@ public class SrchCerts extends CMSServlet {
                 lf.append("(x509cert.subject=*");
                 lf.append(avaName);
                 lf.append("=");
-                lf.append(escapeValueRfc1779(val));
+                lf.append(escapeValueRfc1779(val, true));
                 lf.append(",*)");
                 lf.append("(x509cert.subject=*");
                 lf.append(avaName);
                 lf.append("=");
-                lf.append(escapeValueRfc1779(val));
+                lf.append(escapeValueRfc1779(val, true));
                 lf.append(")");
                 lf.append(")");
             } else {
@@ -241,7 +218,7 @@ public class SrchCerts extends CMSServlet {
                 lf.append(avaName);
                 lf.append("=");
                 lf.append("*");
-                lf.append(escapeValueRfc1779(val));
+                lf.append(escapeValueRfc1779(val, true));
                 lf.append("*)");
             }
         }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java b/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java
index 8d6166dbd..947ba42a9 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java
@@ -372,7 +372,7 @@ public class CMSTemplate extends CMSFile {
         for (int i = 0; i < l; i++) {
             char c = in[i];
 
-            if (c > 0x23) {
+            if ((c > 0x23) && (c!= 0x5c)) {
                 out[j++] = c;
                 continue;
             }
@@ -407,6 +407,7 @@ public class CMSTemplate extends CMSFile {
                 out[j++] = c;
             }
         }
+        String ret = new String(out,0,j);
         return new String(out, 0, j);
     }
 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
index ff4c8d7bf..3c13eda56 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
@@ -328,7 +328,8 @@ public class ProfileServlet extends CMSServlet {
         for (int i = 0; i < l; i++) {
             char c = in[i];
 
-            if (c > 0x23) {
+            /* presumably this gives better performance */
+            if ((c > 0x23) && (c != 0x5c)) {
                 out[j++] = c;
                 continue;
             }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 894ecd49d..6a5263fcf 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -107,9 +107,13 @@ public class ProfileSubmitServlet extends ProfileServlet {
 
                 while (inputNames.hasMoreElements()) {
                     String inputName = (String) inputNames.nextElement();
-
                     if (request.getParameter(inputName) != null) {
-                        ctx.set(inputName, request.getParameter(inputName));
+                        // all subject name parameters start with sn_, no other input parameters do
+                        if (inputName.matches("^sn_.*")) {
+                            ctx.set(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString());
+                        } else {
+                            ctx.set(inputName, request.getParameter(inputName));
+                        }
                     }
                 }
             }
@@ -306,7 +310,12 @@ public class ProfileSubmitServlet extends ProfileServlet {
                         String inputName = (String) inputNames.nextElement();
 
                         if (request.getParameter(inputName) != null) {
-                            req.setExtData(inputName, request.getParameter(inputName));
+                            // special characters in subject names parameters must be escaped
+                            if (inputName.matches("^sn_.*")) {
+                                req.setExtData(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString());
+                            } else {
+                                req.setExtData(inputName, request.getParameter(inputName));
+                            }
                         }
                     }
                 }
@@ -351,7 +360,6 @@ public class ProfileSubmitServlet extends ProfileServlet {
 
     }
 
-
     private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) {
         Enumeration outputIds = profile.getProfileOutputIds();