From 069c6d0dcfdf06660a7984d12bc3afb07d272373 Mon Sep 17 00:00:00 2001 From: alee Date: Fri, 10 Apr 2009 18:48:56 +0000 Subject: Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@381 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../netscape/cms/profile/def/EnrollDefault.java | 25 ++++++++++++++++ .../def/nsTokenUserKeySubjectNameDefault.java | 4 +-- .../com/netscape/cms/servlet/base/CMSServlet.java | 25 ++++++++++++++++ .../com/netscape/cms/servlet/cert/SrchCerts.java | 29 ++----------------- .../netscape/cms/servlet/common/CMSTemplate.java | 3 +- .../cms/servlet/profile/ProfileServlet.java | 3 +- .../cms/servlet/profile/ProfileSubmitServlet.java | 16 ++++++++--- pki/base/tps/src/modules/tokendb/mod_tokendb.cpp | 33 +++++++++++++++++++++- .../security/x509/LdapV3DNStrConverter.java | 6 +++- pki/dogtag/ca-ui/dogtag-pki-ca-ui.spec | 4 ++- .../webapps/ca/agent/ca/ProfileProcess.template | 13 +++++++-- .../webapps/ca/agent/ca/ProfileReview.template | 12 ++++++-- .../webapps/ca/agent/ca/displayBySerial.template | 10 ++++++- .../shared/webapps/ca/agent/ca/queryReq.template | 9 +++++- .../webapps/ca/agent/ca/reasonToRevoke.template | 9 +++++- .../shared/webapps/ca/agent/ca/srchCert.template | 9 +++++- .../webapps/ca/ee/ca/displayBySerial.template | 9 +++++- .../shared/webapps/ca/ee/ca/queryCert.template | 9 +++++- .../shared/webapps/ca/ee/ca/srchCert.template | 13 +++++++-- pki/dogtag/common/pki-common.spec | 4 ++- pki/dogtag/tps/pki-tps.spec | 4 ++- pki/dogtag/util/pki-util.spec | 4 ++- 22 files changed, 200 insertions(+), 53 deletions(-) diff --git a/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java index 8b764eb97..098be45dd 100644 --- a/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java +++ b/pki/base/common/src/com/netscape/cms/profile/def/EnrollDefault.java 
@@ -742,4 +742,29 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe } return p.substitute2("request", attrSet); } + + protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape) + { + StringBuffer result = new StringBuffer(); + + // Do we need to escape any characters + for (int i = 0; i < v.length(); i++) { + int c = v.charAt(i); + if (c == ',' || c == '=' || c == '+' || c == '<' || + c == '>' || c == '#' || c == ';' || c == '\r' || + c == '\n' || c == '\\' || c == '"') { + result.append('\\'); + if (doubleEscape) result.append('\\'); + } + if (c == '\r') { + result.append("0D"); + } else if (c == '\n') { + result.append("0A"); + } else { + result.append((char)c); + } + } + return result; + } + } diff --git a/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java b/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java index ca33ca6e1..a53b98fa3 100644 --- a/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java +++ b/pki/base/common/src/com/netscape/cms/profile/def/nsTokenUserKeySubjectNameDefault.java @@ -415,8 +415,8 @@ ldapInit(); if (la != null) { String[] sla = la.getStringValueArray(); CMS.debug("nsTokenUserKeySubjectNameDefault: getSubjectName(): got attribute: "+mLdapStringAttrs[i]+ - "=" +sla[0]); - request.setExtData(mLdapStringAttrs[i], sla[0]); + "=" + escapeValueRfc1779(sla[0], false).toString()); + request.setExtData(mLdapStringAttrs[i], escapeValueRfc1779(sla[0], false).toString()); } } //cfu diff --git a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java index 1f1daec25..dceb44239 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java 
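Review bot: `escapeValueRfc1779` in this EnrollDefault hunk is added a second time, line for line, to CMSServlet later in the same commit, so any change to the escaped character set must be made twice and the copies can drift apart. One static helper that both classes call would keep the rule in a single place. The method also has no Javadoc: it should say that `doubleEscape` emits two backslashes instead of one before each special character, that CR and LF are written as `0D` and `0A` after the backslash, and that a null `v` is not accepted (it reaches `v.length()` unguarded). The leftover comment `// Do we need to escape any characters` no longer describes the loop and could become `// prefix each RFC 1779 special character with a backslash`.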
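Review bot: `escapeValueRfc1779(sla[0], false).toString()` is evaluated twice in the changed lines of nsTokenUserKeySubjectNameDefault, once for the debug message and once for `setExtData`. Computing it once keeps the logged and stored values identical by construction: `String escaped = escapeValueRfc1779(sla[0], false).toString();`, then use `escaped` in both calls. Only `sla[0]` is used, so further values of a multi-valued attribute are dropped silently; a short comment saying this is intended would help. The enclosing method starts and ends outside the hunk.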
@@ -2122,5 +2122,30 @@ public abstract class CMSServlet extends HttpServlet { CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", ee.toString())); } } + + protected StringBuffer escapeValueRfc1779(String v, boolean doubleEscape) + { + StringBuffer result = new StringBuffer(); + + // Do we need to escape any characters + for (int i = 0; i < v.length(); i++) { + int c = v.charAt(i); + if (c == ',' || c == '=' || c == '+' || c == '<' || + c == '>' || c == '#' || c == ';' || c == '\r' || + c == '\n' || c == '\\' || c == '"') { + result.append('\\'); + if (doubleEscape) result.append('\\'); + } + if (c == '\r') { + result.append("0D"); + } else if (c == '\n') { + result.append("0A"); + } else { + result.append((char)c); + } + } + return result; + } + } diff --git a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java index cd51dd659..409a12754 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java +++ b/pki/base/common/src/com/netscape/cms/servlet/cert/SrchCerts.java @@ -195,29 +195,6 @@ public class SrchCerts extends CMSServlet { } } - private StringBuffer escapeValueRfc1779(String v) - { - StringBuffer result = new StringBuffer(); - - // Do we need to escape any characters - for (int i = 0; i < v.length(); i++) { - int c = v.charAt(i); - if (c == ',' || c == '=' || c == '+' || c == '<' || - c == '>' || c == '#' || c == ';' || c == '\r' || - c == '\n' || c == '\\' || c == '"') { - result.append('\\'); - } - if (c == '\r') { - result.append("0D"); - } else if (c == '\n') { - result.append("0A"); - } else { - result.append((char)c); - } - } - return result; - } - private void buildAVAFilter(HttpServletRequest req, String paramName, String avaName, StringBuffer lf, String match) { 
@@ -228,12 +205,12 @@ public class SrchCerts extends CMSServlet { lf.append("(x509cert.subject=*"); lf.append(avaName); lf.append("="); - lf.append(escapeValueRfc1779(val)); + lf.append(escapeValueRfc1779(val, true)); lf.append(",*)"); lf.append("(x509cert.subject=*"); lf.append(avaName); lf.append("="); - lf.append(escapeValueRfc1779(val)); + lf.append(escapeValueRfc1779(val, true)); lf.append(")"); lf.append(")"); } else { @@ -241,7 +218,7 @@ public class SrchCerts extends CMSServlet { lf.append(avaName); lf.append("="); lf.append("*"); - lf.append(escapeValueRfc1779(val)); + lf.append(escapeValueRfc1779(val, true)); lf.append("*)"); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java b/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java index 8d6166dbd..947ba42a9 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java +++ b/pki/base/common/src/com/netscape/cms/servlet/common/CMSTemplate.java @@ -372,7 +372,7 @@ public class CMSTemplate extends CMSFile { for (int i = 0; i < l; i++) { char c = in[i]; - if (c > 0x23) { + if ((c > 0x23) && (c!= 0x5c)) { out[j++] = c; continue; } @@ -407,6 +407,7 @@ public class CMSTemplate extends CMSFile { out[j++] = c; } } + String ret = new String(out,0,j); return new String(out, 0, j); } diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java index ff4c8d7bf..3c13eda56 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java @@ -328,7 +328,8 @@ public class ProfileServlet extends CMSServlet { for (int i = 0; i < l; i++) { char c = in[i]; - if (c > 0x23) { + /* presumably this gives better performance */ + if ((c > 0x23) && (c != 0x5c)) { out[j++] = c; continue; } 
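Review bot: The value appended to `lf` in `buildAVAFilter` is escaped for distinguished-name syntax only, so the filter metacharacters `*`, `(` and `)` pass through `escapeValueRfc1779(val, true)` unchanged; none of them is in that helper's character list. `lf` looks like an LDAP-style search filter (`(x509cert.subject=*…*)`), and if it is parsed that way a submitted value can change the shape of the filter rather than only its match text. The value should get filter escaping as a separate step after the DN escaping, for instance mapping `*`, `(`, `)` to `\2a`, `\28`, `\29` as RFC 4515 does, or be rejected when it contains those characters. The same applies to the third call, in the following hunk at -241; `buildAVAFilter` starts and ends outside both hunks.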
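Review bot: Excluding `0x5c` from the fast path in `(c > 0x23) && (c!= 0x5c)` (CMSTemplate, hunk -372) only helps if the escaping code below it has a case for the backslash, and that code is outside this hunk, so it cannot be confirmed from here. If no such case exists, the backslash may simply be copied through by the fall-through branch as before. The identical change in ProfileServlet (hunk -328) carries the comment `/* presumably this gives better performance */`, which does not explain the new condition. Both places would be clearer with `// fast path: characters above '#' need no escaping, except the backslash (0x5c)`. The two classes hold the same loop, so one shared method would avoid fixing it twice.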
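Review bot: The line added in CMSTemplate hunk -407, `String ret = new String(out,0,j);`, is never read, because the next line builds and returns a second, identical string. Either drop the new line or change the return to `return ret;`.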
diff --git a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java index 894ecd49d..6a5263fcf 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java @@ -107,9 +107,13 @@ public class ProfileSubmitServlet extends ProfileServlet { while (inputNames.hasMoreElements()) { String inputName = (String) inputNames.nextElement(); - if (request.getParameter(inputName) != null) { - ctx.set(inputName, request.getParameter(inputName)); + // all subject name parameters start with sn_, no other input parameters do + if (inputName.matches("^sn_.*")) { + ctx.set(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString()); + } else { + ctx.set(inputName, request.getParameter(inputName)); + } } } } @@ -306,7 +310,12 @@ public class ProfileSubmitServlet extends ProfileServlet { String inputName = (String) inputNames.nextElement(); if (request.getParameter(inputName) != null) { - req.setExtData(inputName, request.getParameter(inputName)); + // special characters in subject names parameters must be escaped + if (inputName.matches("^sn_.*")) { + req.setExtData(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString()); + } else { + req.setExtData(inputName, request.getParameter(inputName)); + } } } } @@ -351,7 +360,6 @@ public class ProfileSubmitServlet extends ProfileServlet { } - private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) { Enumeration outputIds = profile.getProfileOutputIds(); diff --git a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp index 8ac1fa8db..aa5487948 100644 --- a/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp +++ b/pki/base/tps/src/modules/tokendb/mod_tokendb.cpp 
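Review bot: The decision to escape rests on `inputName.matches("^sn_.*")`, which compiles a regular expression for every parameter on every request and is repeated verbatim in the second hunk (-306). `inputName.startsWith("sn_")` says the same thing without the regex, and a small private helper such as `escapeIfSubjectName(name, value)` would keep the two call sites from diverging. The comment states that only subject-name inputs start with `sn_`, but nothing in the visible code enforces that, so a profile input that feeds a subject name under another prefix would be stored unescaped. The comment should say where that naming convention is defined. Both enclosing methods start and end outside the hunks.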
@@ -547,6 +547,32 @@ char *getData( char *fileName, char *injection ) return buf; } +/** + * returns string with special characters escaped. Caller must free the contents + */ +char *escapeSpecialChars(char* src) +{ + char *ret; + int i =0; + + if (PL_strlen(src) == 0) { + return PL_strdup(src); + } + ret = (char *)PR_Malloc(PL_strlen(src) * 2 + 1); + + while (*src != '\0') { + if (*src == '"') { + ret[i++] = '\\'; + ret[i++] = '"'; + } else { + ret[i++] = *src; + } + src++; + } + ret[i]='\0'; + return ret; +} + void getCertificateFilter( char *filter, char *query ) { @@ -4119,7 +4145,12 @@ mod_tokendb_handler( request_rec *rq ) PL_strcat( injection, "\"" ); } - PL_strcat( injection, vals[i] ); + // make sure to escape any special characters + char *escaped = escapeSpecialChars(vals[i]); + PL_strcat( injection, escaped ); + if (escaped != NULL) { + PL_strfree(escaped); + } } if( i > v_start ) { diff --git a/pki/base/util/src/netscape/security/x509/LdapV3DNStrConverter.java b/pki/base/util/src/netscape/security/x509/LdapV3DNStrConverter.java index 68deca82f..e75947a8d 100644 --- a/pki/base/util/src/netscape/security/x509/LdapV3DNStrConverter.java +++ b/pki/base/util/src/netscape/security/x509/LdapV3DNStrConverter.java @@ -758,7 +758,11 @@ public class LdapV3DNStrConverter extends LdapDNStrConverter if (specialChars.indexOf(valueStr.charAt(i)) != -1) { retval.append('\\'); retval.append(valueStr.charAt(i)); - } + } else + if (valueStr.charAt(i) == '"') { + retval.append('\\'); + retval.append(valueStr.charAt(i)); + } else retval.append(valueStr.charAt(i)); } diff --git a/pki/dogtag/ca-ui/dogtag-pki-ca-ui.spec b/pki/dogtag/ca-ui/dogtag-pki-ca-ui.spec index 0b28556c4..c73a62422 100644 --- a/pki/dogtag/ca-ui/dogtag-pki-ca-ui.spec +++ b/pki/dogtag/ca-ui/dogtag-pki-ca-ui.spec 
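Review bot: `escapeSpecialChars` escapes the double quote but not the backslash, so an input that already contains `\` immediately before `"` comes out as `\\"`, in which the quote is no longer escaped. Handling both characters in the same branch closes that gap: `if (*src == '"' || *src == '\\') { ret[i++] = '\\'; }` followed by `ret[i++] = *src;`. The existing `PL_strlen(src) * 2 + 1` allocation still covers this worst case. The result of `PR_Malloc` is written to without a NULL check; the function should return NULL in that case and its header comment should say so. `src` is only read and could be declared `const char *`.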
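Review bot: In the `mod_tokendb_handler` hunk (-4119), the `escaped != NULL` test comes after `PL_strcat( injection, escaped )` has already used the pointer, so it protects only the free and not the copy. Test first and handle the failure before concatenating, e.g. `if (escaped == NULL) { /* fail the request */ }`. The escaped text can be up to twice the length of `vals[i]`, and `PL_strcat` does not bound the write. The size of `injection` is declared outside this hunk, so confirm that the space reserved for it still covers the doubled worst case.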
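Review bot: In LdapV3DNStrConverter, the new `else if (valueStr.charAt(i) == '"')` branch has the same body as the `specialChars` branch above it, and the chain now ends in an unbraced `else`. Folding the test into the first condition, `if (specialChars.indexOf(c) != -1 || c == '"') {` with `char c = valueStr.charAt(i);` read once, removes the duplicate and the dangling `else`. If `specialChars` (declared outside the hunk) is used only for this escaping, adding the quote to that string would be simpler still. The enclosing method starts and ends outside the hunk.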
@@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_ui_prefix}-%{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 1 +%define base_release 2 %define base_group System Environment/Base %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -222,6 +222,8 @@ rm -rf ${RPM_BUILD_ROOT} ############################################################################### %changelog +* Fri Apr 10 2009 Ade Lee 1.1.0-2 +- Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped * Sat Apr 4 2009 Matthew Harmsen 1.1.0-1 - Version update to Dogtag 1.1.0. * Tue Mar 31 2009 Andrew Wnuk 1.0.0-13 diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/ProfileProcess.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/ProfileProcess.template index baedde6a3..5d9c5a051 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/ProfileProcess.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/ProfileProcess.template @@ -18,7 +18,15 @@ + @@ -105,7 +113,7 @@ Certificate contents
 
 
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/queryReq.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/queryReq.template index 1bee88abe..44756803a 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/queryReq.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/queryReq.template @@ -164,6 +164,13 @@ function addSpaces(str) return outStr; } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function renderDetailsButtonForProfile(serialNumber) { return '
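Review bot: `addEscapes` is pasted as a new function into this template and again into reasonToRevoke, both srchCert templates, and the ee displayBySerial and queryCert templates, so the escaping rule now lives in six places; one shared script include would leave a single copy to maintain. The regular expression is damaged in this rendering of the patch, but what survives suggests that only the angle brackets are replaced. If so, `&` and the quote characters still reach `document.write` unchanged. Escaping `&` first and then `<`, `>`, `"` and `'` would cover both text and attribute positions.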
\n"+ "
\n"+ link+ - addSpaces(req.subject) + "
\n"); + addSpaces(addEscapes(req.subject)) + "\n"); } else { document.write("\n"); } diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template index 2b8b0334e..c935aa114 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/reasonToRevoke.template @@ -161,6 +161,13 @@ function addSpaces(str) return outStr; } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function displayCertInfo() { document.write(""); @@ -180,7 +187,7 @@ function displayCertInfo() } if (result.recordSet[i].subject != null) { document.write(renderRow("Subject Name:", - addSpaces(result.recordSet[i].subject))); + addSpaces(addEscapes(result.recordSet[i].subject)))); } if ((result.recordSet[i].validNotBefore != null) && (result.recordSet[i].validNotAfter != null)) { diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/srchCert.template b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/srchCert.template index 1a33355c7..335757f1e 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/srchCert.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/srchCert.template @@ -162,6 +162,13 @@ function addSpaces(str) return outStr; } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function getRevocationReason(revocationReason) { var reasons = new Array("Unspecified", @@ -189,7 +196,7 @@ function displayCertificateRecord(cert) "\n"+ "\n"+ +addSpaces(addEscapes(cert.subject)) +"\n"+ "
\n"+ ""+renderHexNumber(cert.serialNumber,8) +"\n"+ -addSpaces(cert.subject) +"
\n"+ "\n"+ diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/displayBySerial.template b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/displayBySerial.template index ca886b4cf..e01e4e123 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/displayBySerial.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/displayBySerial.template @@ -33,6 +33,13 @@ function navMajorVersion() return parseInt(navigator.appVersion.substring(0, navigator.appVersion.indexOf("."))); } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function toHex(number) { var absValue = "", sign = ""; @@ -80,7 +87,7 @@ Certificate contents
 
 
diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.template b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.template index 5bcc37aed..9dd361ec0 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/queryCert.template @@ -91,6 +91,13 @@ function toHex(number) return sign + absValue; } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function revokeCert(serialNumber) { return confirm("WARNING!! You are about to do an irreversible operation.\nDo you really want to revoke certificate # "+ @@ -291,7 +298,7 @@ function displayCertificateRecord(i, cert) " "+ - cert.subject+""+ + addEscapes(cert.subject)+""+ ""+ "\n" diff --git a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/srchCert.template b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/srchCert.template index a7e3f6522..3e7a1059b 100644 --- a/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/srchCert.template +++ b/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/srchCert.template @@ -126,8 +126,8 @@ function renderDateFromSecs(secs) year %= 100; year += 2000; } - return (dateTmp.getMonth()+1)+"/"+dateTmp.getDate()+"/"+year+" "+ - (dateTmp.getHours()<10?" ":"")+ + return (dateTmp.getMonth()+1)+"/"+dateTmp.getDate()+"/"+year+" "+ + (dateTmp.getHours()<10?" ":"")+ dateTmp.getHours()+":"+(dateTmp.getMinutes()<10?"0":"")+ dateTmp.getMinutes()+":"+(dateTmp.getSeconds()<10?"0":"")+ dateTmp.getSeconds(); @@ -179,6 +179,13 @@ function addSpaces(str) return outStr; } +function addEscapes(str) +{ + var outStr = str.replace(//g, ">"); + return outStr; +} + function getRevocationReason(revocationReason) { var reasons = new Array("Unspecified", @@ -304,7 +311,7 @@ function displayCertificateRecord(i, cert) " "+ - cert.subject+""+ + addEscapes(cert.subject)+""+ ""+ "\n" diff --git a/pki/dogtag/common/pki-common.spec b/pki/dogtag/common/pki-common.spec index 35a5d7b5f..98c91b29f 100644 --- a/pki/dogtag/common/pki-common.spec 
+++ b/pki/dogtag/common/pki-common.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 2 +%define base_release 3 %define base_group System Environment/Base %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -285,6 +285,8 @@ chmod 00755 %{_datadir}/%{base_prefix}/setup/postinstall ############################################################################### %changelog +* Fri Apr 10 2009 Ade Lee 1.1.0-3 +- Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped * Tue Apr 7 2009 Andrew Wnuk 1.1.0-2 - Bugzilla Bug #493758 - policy editor corrupts profile * Sat Apr 4 2009 Matthew Harmsen 1.1.0-1 diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec index 3a3b8ab5d..e5b642961 100644 --- a/pki/dogtag/tps/pki-tps.spec +++ b/pki/dogtag/tps/pki-tps.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 1 +%define base_release 2 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license LGPLv2 with exceptions @@ -313,6 +313,8 @@ fi ############################################################################### %changelog +* Fri Apr 10 2009 Ade Lee 1.1.0-2 +- Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped * Sat Apr 4 2009 Matthew Harmsen 1.1.0-1 - Version update to Dogtag 1.1.0. * Tue Mar 31 2009 Christina Fu 1.0.0-45 diff --git a/pki/dogtag/util/pki-util.spec b/pki/dogtag/util/pki-util.spec index 8352020f4..9cc27cee2 100644 --- a/pki/dogtag/util/pki-util.spec +++ b/pki/dogtag/util/pki-util.spec 
@@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 1 +%define base_release 2 %define base_group System Environment/Base %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -270,6 +270,8 @@ rm -rf ${RPM_BUILD_ROOT} ############################################################################### %changelog +* Fri Apr 10 2009 Ade Lee 1.1.0-2 +- Bugzilla Bug #223353 - Values entered through web ui are not checked/escaped * Sat Apr 4 2009 Matthew Harmsen 1.1.0-1 - Version update to Dogtag 1.1.0. * Thu Mar 26 2009 Andrew Wnuk 1.0.0-13 -- cgit