From 03919b6c1e8100ebe0844a67b7925564647e3629 Mon Sep 17 00:00:00 2001 From: "David M. Johnson" Date: Sat, 10 Feb 2024 16:35:35 -0500 Subject: [PATCH] Validate tz (#134) * Validations for things not covered by Struts Validator. --- app/pom.xml | 4 +-- .../business/jpa/JPABookmarkManagerImpl.java | 11 ++++--- .../business/jpa/JPAUserManagerImpl.java | 4 +-- .../apache/roller/weblogger/pojos/User.java | 29 ++++++++++--------- .../weblogger/pojos/WeblogBookmark.java | 17 ++++++----- .../weblogger/pojos/WeblogBookmarkFolder.java | 8 ++--- .../weblogger/ui/struts2/core/Profile.java | 26 ++++++++++++++++- .../ui/struts2/editor/BookmarkEdit.java | 1 - .../resources/ApplicationResources.properties | 2 ++ assembly-release/pom.xml | 2 +- assembly-release/sign-release.sh | 2 +- db-utils/pom.xml | 4 +-- it-selenium/pom.xml | 4 +-- pom.xml | 4 +-- 14 files changed, 73 insertions(+), 45 deletions(-) diff --git a/app/pom.xml b/app/pom.xml index f31f90d4e4..c94a2df3dc 100644 --- a/app/pom.xml +++ b/app/pom.xml @@ -24,7 +24,7 @@ limitations under the License. org.apache.roller roller-project - 6.1.2 + 6.1.3 ../pom.xml @@ -627,7 +627,7 @@ limitations under the License. org.apache.roller db-utils - 6.1.2 + 6.1.3 commons-dbcp diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java index bde6dc0ea1..5b4224e09c 100644 --- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java +++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java 
@@ -148,15 +148,14 @@ public void importBookmarks( WeblogBookmarkFolder newFolder = getFolder(website, folderName); if (newFolder == null) { - newFolder = new WeblogBookmarkFolder( - folderName, website); + newFolder = new WeblogBookmarkFolder(folderName, website); this.strategy.store(newFolder); } // Iterate through children of OPML body, importing each Element body = doc.getRootElement().getChild("body"); - for (Object elem : body.getChildren()) { - importOpmlElement((Element) elem, newFolder ); + for (Element elem : body.getChildren()) { + importOpmlElement(elem, newFolder ); } } catch (Exception ex) { throw new WebloggerException(ex); @@ -216,8 +215,8 @@ private void importOpmlElement( } } else { // Import suboutline's children into folder - for (Object subelem : elem.getChildren("outline")) { - importOpmlElement((Element) subelem, folder ); + for (Element subelem : elem.getChildren("outline")) { + importOpmlElement(subelem, folder ); } } } diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java index 0ccdcb8fb1..d83bac4261 100644 --- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java +++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java @@ -67,8 +67,8 @@ public void release() {} //--------------------------------------------------------------- user CRUD @Override - public void saveUser(User data) throws WebloggerException { - this.strategy.store(data); + public void saveUser(User user) throws WebloggerException { + this.strategy.store(user); } diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java index 5e62146322..da100e751c 100644 --- a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java +++ b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java 
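Review bot: `body` is null when the OPML document has no `body` element, and the new typed loop `for (Element elem : body.getChildren())` then throws an NPE that the enclosing `catch (Exception ex)` wraps into a `WebloggerException` with no message saying what was wrong with the import. A guard before the loop, `if (body == null) { throw new WebloggerException("OPML document has no body element"); }`, gives the caller a usable error instead of a bare NPE cause. The same typed-iteration change in `importOpmlElement` is fine as-is. importBookmarks starts outside the hunk, so I cannot see how `doc` is parsed.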
@@ -28,6 +28,7 @@ import org.apache.roller.util.UUIDGenerator; import org.apache.roller.weblogger.business.WebloggerFactory; import org.apache.roller.weblogger.ui.core.RollerContext; +import org.apache.roller.weblogger.util.HTMLSanitizer; import org.springframework.security.crypto.password.PasswordEncoder; @@ -36,7 +37,7 @@ */ public class User implements Serializable { - public static final long serialVersionUID = -6354583200913127874L; + private static final long serialVersionUID = -6354583200913127874L; private String id = UUIDGenerator.generateUUID(); private String userName; @@ -60,15 +61,15 @@ public User( String id, String userName, String locale, String timeZone, Date dateCreated, Boolean isEnabled) { - //this.id = id; + this.userName = userName; this.password = password; - this.fullName = fullName; this.emailAddress = emailAddress; this.dateCreated = (Date)dateCreated.clone(); - this.locale = locale; - this.timeZone = timeZone; this.enabled = isEnabled; + setFullName(fullName); + setLocale(locale); + setTimeZone(timeZone); } /** @@ -91,7 +92,7 @@ public String getUserName() { } public void setUserName( String userName ) { - this.userName = userName; + this.userName = HTMLSanitizer.conditionallySanitize(userName); } /** @@ -128,7 +129,7 @@ public String getOpenIdUrl() { } public void setOpenIdUrl(String openIdUrl) { - this.openIdUrl = openIdUrl; + this.openIdUrl = HTMLSanitizer.conditionallySanitize(openIdUrl); } /** @@ -139,7 +140,7 @@ public String getScreenName() { } public void setScreenName( String screenName ) { - this.screenName = screenName; + this.screenName = HTMLSanitizer.conditionallySanitize(screenName); } /** @@ -150,7 +151,7 @@ public String getFullName() { } public void setFullName( String fullName ) { - this.fullName = fullName; + this.fullName = HTMLSanitizer.conditionallySanitize(fullName); } /** 
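Review bot: The constructor now routes fullName, locale and timeZone through their setters but still assigns `this.userName = userName;` and `this.emailAddress = emailAddress;` directly, so the sanitization this same commit adds to `setUserName` and `setEmailAddress` is bypassed for users built through this constructor; the consistent fix is `setUserName(userName); setEmailAddress(emailAddress);` next to the other setter calls. Because `User` is not final, calling overridable setters from the constructor lets a subclass override run before the subclass is initialized, so either mark the class as not designed for extension in its Javadoc or make the setters final. The WeblogBookmark and WeblogBookmarkFolder constructors in this commit have the same shape. The constructor's parameter list starts outside the hunk.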
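Review bot: `setUserName` now stores `HTMLSanitizer.conditionallySanitize(userName)` rather than the value it was given, so if the sanitizer rewrites characters (its rules are not visible here, so this is hedged) the persisted username can differ from what the caller passed and later lookups by the original name would miss. Since the properties hunk already says usernames "must be alpha-numerics only", rejecting a name that the sanitizer would change is a clearer contract than silently rewriting it. At minimum the setter should say what it does: `/** Stores the sanitized form of {@code userName}; callers must use the stored value for lookups. */`.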
@@ -161,7 +162,7 @@ public String getEmailAddress() { } public void setEmailAddress( String emailAddress ) { - this.emailAddress = emailAddress; + this.emailAddress = HTMLSanitizer.conditionallySanitize(emailAddress); } @@ -185,7 +186,7 @@ public void setDateCreated(final Date date) { } /** - * Locale of the user. + * Locale of the user, must be valid Java locale. */ public String getLocale() { return this.locale; @@ -196,7 +197,7 @@ public void setLocale(String locale) { } /** - * Timezone of the user. + * Timezone of the user, must be valid Java timezone. */ public String getTimeZone() { return this.timeZone; @@ -223,7 +224,7 @@ public String getActivationCode() { } public void setActivationCode(String activationCode) { - this.activationCode = activationCode; + this.activationCode = HTMLSanitizer.conditionallySanitize(activationCode); } @@ -239,7 +240,7 @@ public boolean hasGlobalPermissions(List actions) { return false; } } - + //------------------------------------------------------- Good citizenship @Override diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java index ebb06f9e8d..6c76b22228 100644 --- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java +++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java @@ -18,10 +18,12 @@ package org.apache.roller.weblogger.pojos; -import java.io.Serializable; import org.apache.commons.lang3.builder.EqualsBuilder; import org.apache.commons.lang3.builder.HashCodeBuilder; import org.apache.roller.util.UUIDGenerator; +import org.apache.roller.weblogger.util.HTMLSanitizer; + +import java.io.Serializable; /** 
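Review bot: Passing an email address through `HTMLSanitizer.conditionallySanitize` in `setEmailAddress` can corrupt a valid address if the sanitizer entity-encodes characters such as `&` or `'` — I cannot see the sanitizer from this diff, so treat that as something to confirm. An address is better validated for shape and rejected than rewritten; if the sanitization stays, document it: `/** Stores the address after HTML sanitization; addresses containing markup-like characters may be altered. */`. `setActivationCode` further down gets the same treatment even though the code is presumably generated server-side; if it is, the sanitization is harmless but worth a one-line comment saying why it is there.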
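Review bot: The new Javadoc on `getLocale` and `getTimeZone` says the values "must be valid Java" locale/timezone identifiers, but nothing in this class enforces that — the only check added by the commit is in `Profile.myValidate`, which does not run for users created through the constructor or other managers. Either enforce it in the setters (for example `ZoneId.of(timeZone)` throws on an unknown zone) or word the Javadoc as a caller obligation: `* Timezone of the user; callers are expected to validate it against {@code TimeZone.getAvailableIDs()} before setting.` The setter bodies are outside the hunk, so I cannot confirm they do not validate already.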
@@ -56,16 +58,17 @@ public WeblogBookmark( String url, String feedUrl, String image) { + + setName(name); + setDescription(desc); this.folder = parent; - this.name = name; - this.description = desc; this.url = url; this.feedUrl = feedUrl; this.image = image; folder.addBookmark(this); calculatePriority(); } - + //------------------------------------------------------------- Attributes public String getId() { return this.id; @@ -92,7 +95,7 @@ public String getName() { } public void setName(String name) { - this.name = name; + this.name = HTMLSanitizer.conditionallySanitize(name); } /** @@ -103,7 +106,7 @@ public String getDescription() { } public void setDescription(String description) { - this.description = description; + this.description = HTMLSanitizer.conditionallySanitize(description); } /** @@ -143,7 +146,7 @@ public String getFeedUrl() { public void setFeedUrl(String feedUrl) { this.feedUrl = feedUrl; } - + //---------------------------------------------------------- Relationships public org.apache.roller.weblogger.pojos.WeblogBookmarkFolder getFolder() { diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java index a4425471ac..60a040aa69 100644 --- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java +++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java @@ -28,6 +28,7 @@ import org.apache.roller.weblogger.business.BookmarkManager; import org.apache.roller.weblogger.business.WebloggerFactory; import org.apache.roller.util.UUIDGenerator; +import org.apache.roller.weblogger.util.HTMLSanitizer; /** @@ -54,8 +55,8 @@ public WeblogBookmarkFolder( String name, Weblog weblog) { - this.name = name; - this.weblog = weblog; + setName(name); + setWeblog(weblog); weblog.addBookmarkFolder(this); } 
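Review bot: `url`, `feedUrl` and `image` are still assigned raw in the constructor while `name` and `description` now go through the sanitizer, so the fields that are most likely rendered into `href`/`src` attributes get no check at all. Whether that is acceptable depends on the templates attribute-encoding them on output, which is outside this diff; if they do not, validate the scheme on set (accept only `http`/`https` via `java.net.URI`) or record the reliance with `// url/feedUrl/image are stored verbatim; templates must attribute-encode them`. `folder.addBookmark(this)` publishes the object before construction finishes, which predates this commit but deserves a comment now that setters run in the constructor. The constructor's parameter list starts outside the hunk.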
@@ -132,7 +133,7 @@ public String getName() { } public void setName(String name) { - this.name = name; + this.name = HTMLSanitizer.conditionallySanitize(name); } /** @@ -187,5 +188,4 @@ public List retrieveBookmarks() throws WebloggerException { BookmarkManager bmgr = WebloggerFactory.getWeblogger().getBookmarkManager(); return bmgr.getBookmarks(this); } - } diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java index 198ce2b43c..6f83a0ddb6 100644 --- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java +++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java @@ -22,14 +22,18 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.roller.weblogger.WebloggerException; -import org.apache.roller.weblogger.business.WebloggerFactory; import org.apache.roller.weblogger.business.UserManager; +import org.apache.roller.weblogger.business.WebloggerFactory; import org.apache.roller.weblogger.config.AuthMethod; import org.apache.roller.weblogger.config.WebloggerConfig; import org.apache.roller.weblogger.pojos.User; import org.apache.roller.weblogger.ui.struts2.util.UIAction; import org.apache.struts2.interceptor.validation.SkipValidation; +import java.util.Arrays; +import java.util.Locale; +import java.util.Optional; +import java.util.TimeZone; /** * Allows user to edit his/her profile. 
@@ -150,6 +154,26 @@ public void myValidate() { addError("generic.error.check.logs"); } } + + // validate that bean's timeZone field is a valid time zone + if (!StringUtils.isEmpty(getBean().getTimeZone())) { + // looking up the time zone by id did not work for me + final Optional first = Arrays.stream(TimeZone.getAvailableIDs()) + .filter(id -> id.equals(getBean().getTimeZone())).findFirst(); + if (first.isEmpty()) { + addError("error.add.user.invalid.timezone"); + } + } + + // validate that bean's locale field is a valid locale + if (!StringUtils.isEmpty(getBean().getLocale())) { + // looking up the time zone by id did not work for me + final Optional first = Arrays.stream(Locale.getAvailableLocales()) + .filter(locale -> locale.toString().equals(getBean().getLocale())).findFirst(); + if (first.isEmpty() || "".equals(first.get().getDisplayName())) { + addError("error.add.user.invalid.locale"); + } + } } public String getAuthMethod() { diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java index 9e556504af..ebb068c72b 100644 --- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java +++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java @@ -27,7 +27,6 @@ import org.apache.roller.weblogger.pojos.WeblogBookmark; import org.apache.roller.weblogger.ui.struts2.util.UIAction; import org.apache.roller.weblogger.util.cache.CacheManager; -import org.apache.struts2.convention.annotation.AllowedMethods; import org.apache.struts2.interceptor.validation.SkipValidation; diff --git a/app/src/main/resources/ApplicationResources.properties b/app/src/main/resources/ApplicationResources.properties index d62710630e..b318ff3282 100644 --- a/app/src/main/resources/ApplicationResources.properties +++ b/app/src/main/resources/ApplicationResources.properties 
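Review bot: The comment `// looking up the time zone by id did not work for me` is copied verbatim into the locale block, where no time zone is looked up, and in the time-zone block it should state the actual reason: `// TimeZone.getTimeZone(id) silently returns GMT for unknown ids, so check against the available-ID list`. `getBean().getTimeZone()` and `getBean().getLocale()` are also re-read inside every filter call; hoisting them into locals and using `Arrays.asList(TimeZone.getAvailableIDs()).contains(tz)` removes the stream and the `Optional` from the time-zone case. The `Optional` declarations appear here without type arguments; if that is a rendering artifact rather than raw types, ignore that part. myValidate starts outside the hunk.
```java
        // … unchanged: earlier validations in myValidate …

        // validate that bean's timeZone field is a valid time zone;
        // TimeZone.getTimeZone(id) silently returns GMT for unknown ids, so check the ID list
        final String tz = getBean().getTimeZone();
        if (!StringUtils.isEmpty(tz) && !Arrays.asList(TimeZone.getAvailableIDs()).contains(tz)) {
            addError("error.add.user.invalid.timezone");
        }

        // validate that bean's locale field is a valid locale
        final String loc = getBean().getLocale();
        if (!StringUtils.isEmpty(loc)) {
            final Optional<Locale> match = Arrays.stream(Locale.getAvailableLocales())
                    .filter(l -> l.toString().equals(loc)).findFirst();
            if (match.isEmpty() || match.get().getDisplayName().isEmpty()) {
                addError("error.add.user.invalid.locale");
            }
        }
```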
@@ -453,6 +453,8 @@ error.add.user.openIdInUse=Open ID already in use with another account. error.add.user.missingUserName=You must specify a username. error.add.user.badUserName=Invalid user name (must be alpha-numerics only). error.add.user.missingPassword=You must specify a password. +error.add.user.invalid.timezone=Invalid timezone. +error.add.user.invalid.locale=Invalid locale. error.upload.dirmax=You cannot exceed the maximum directory size of {0} MB. error.upload.disabled=File Upload has been turned off error.upload.file=No file selected diff --git a/assembly-release/pom.xml b/assembly-release/pom.xml index a2401494b5..e968240aea 100644 --- a/assembly-release/pom.xml +++ b/assembly-release/pom.xml @@ -22,7 +22,7 @@ org.apache.roller roller-project - 6.1.2 + 6.1.3 ../pom.xml diff --git a/assembly-release/sign-release.sh b/assembly-release/sign-release.sh index 09a7bd0150..650ca2c87b 100755 --- a/assembly-release/sign-release.sh +++ b/assembly-release/sign-release.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash export rcstring="r2" -export vstring="6.1.2" +export vstring="6.1.3" # for rc releases we rename the release files if [ rcstring != "" ]; then diff --git a/db-utils/pom.xml b/db-utils/pom.xml index 785b177952..9e6bcdab58 100644 --- a/db-utils/pom.xml +++ b/db-utils/pom.xml @@ -7,13 +7,13 @@ org.apache.roller roller-project - 6.1.2 + 6.1.3 ../pom.xml Apache Roller DB Utilities db-utils - 6.1.2 + 6.1.3 diff --git a/it-selenium/pom.xml b/it-selenium/pom.xml index e8742df1e6..4e603999bb 100644 --- a/it-selenium/pom.xml +++ b/it-selenium/pom.xml @@ -24,7 +24,7 @@ org.apache.roller roller-project - 6.1.2 + 6.1.3 ../pom.xml @@ -188,7 +188,7 @@ org.apache.roller db-utils - 6.1.2 + 6.1.3 commons-dbcp diff --git a/pom.xml b/pom.xml index 0acb7f7a66..41f099cc04 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ limitations under the License. 4.0.0 org.apache.roller roller-project - 6.1.2 + 6.1.3 pom Roller 
@@ -46,7 +46,7 @@ limitations under the License. 10.0.19 UTF-8 UTF-8 - 6.1.2 + 6.1.3 1.7.36