Strabon

changeset 216:16df1bb8cfc0

fixed a security issue: StoreBean could be given a file: URL pointing at the server's own filesystem and would store its contents
author Babis Nikolaou <charnik@di.uoa.gr>
date Thu May 31 19:33:39 2012 +0300 (2012-05-31)
parents ae2cf31b8fe5
children 6503f99b6b54
files endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StoreBean.java endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StrabonBeanWrapper.java
     1.1 --- a/endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StoreBean.java	Thu May 31 18:54:04 2012 +0300
     1.2 +++ b/endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StoreBean.java	Thu May 31 19:33:39 2012 +0300
     1.3 @@ -4,6 +4,7 @@
     1.4  package eu.earthobservatory.org.StrabonEndpoint;
     1.5  
     1.6  import java.io.IOException;
     1.7 +import java.net.MalformedURLException;
     1.8  import java.util.ArrayList;
     1.9  
    1.10  import javax.servlet.ServletConfig;
    1.11 @@ -143,7 +144,7 @@
    1.12  			if (browser) {
    1.13  				redirect(response, STORE_ERROR);
    1.14  			} else {
    1.15 -				if (e instanceof RDFParseException) {
    1.16 +				if (e instanceof RDFParseException || e instanceof IllegalArgumentException || e instanceof MalformedURLException) {
    1.17  					response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
    1.18  				} else {
    1.19  					response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
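Review bot: Mapping the rejected-scheme IllegalArgumentException and MalformedURLException to 415 Unsupported Media Type on the `sendError` line misdescribes the failure: the media type was fine, the URL was not, so a client tuning its retry/error logic gets the wrong signal. I would split the branch, keeping `RDFParseException` on 415 and sending `HttpServletResponse.SC_BAD_REQUEST` for the two URL cases, e.g. `} else if (e instanceof IllegalArgumentException || e instanceof MalformedURLException) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); }`. Catching IllegalArgumentException here is also broad — presumably any IAE thrown inside the store path (not only the scheme check) would now be reported as a client error rather than a server error; a dedicated exception type or a message check would make that intent explicit. The enclosing try/catch and the declaration of `e` start before this hunk, so the full set of exceptions reaching this block is not visible here.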
     2.1 --- a/endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StrabonBeanWrapper.java	Thu May 31 18:54:04 2012 +0300
     2.2 +++ b/endpoint/src/main/java/eu/earthobservatory/org/StrabonEndpoint/StrabonBeanWrapper.java	Thu May 31 19:33:39 2012 +0300
     2.3 @@ -23,6 +23,8 @@
     2.4  public class StrabonBeanWrapper implements org.springframework.beans.factory.DisposableBean {
     2.5  	private static Logger logger = LoggerFactory.getLogger(eu.earthobservatory.org.StrabonEndpoint.StrabonBeanWrapper.class);
     2.6  	
     2.7 +	private static final String FILE_PROTOCOL = "file";
     2.8 +	
     2.9  	public class Entry {
    2.10  		private String label;
    2.11  		private String bean;
    2.12 @@ -264,7 +266,12 @@
    2.13  		try {
    2.14  			// store data
    2.15  			if (url) {
    2.16 -				conn.add(new URL(source_data), "", format, new Resource[1]);
    2.17 +				URL source = new URL(source_data);
    2.18 +				if (source.getProtocol().equalsIgnoreCase(FILE_PROTOCOL)) {
    2.19 +					// it would be a security issue if we read from the server's filesystem
    2.20 +					throw new IllegalArgumentException("The protocol of the URL should be one of http or ftp.");
    2.21 +				} 
    2.22 +				conn.add(source, "", format, new Resource[1]);
    2.23  
    2.24  			} else {
    2.25  				conn.add(new StringReader(source_data), "", format, new Resource[1]);
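Review bot: The new check on the `source.getProtocol()` line is a denylist of a single scheme, so it does not actually enforce what the error message promises ("one of http or ftp"): a `jar:file:///etc/passwd!/x` URL has protocol `jar` and still reaches `conn.add(source, ...)`, as does any other protocol handler registered in the JVM, and `conn.add(URL, ...)` presumably opens the URL directly. Invert it into an allowlist: `String proto = source.getProtocol().toLowerCase(Locale.ROOT);` followed by `if (!proto.equals("http") && !proto.equals("https") && !proto.equals("ftp")) {` before the existing `throw`, which also adds https that the message omits (this needs `java.util.Locale` imported in StrabonBeanWrapper, whose import block is not in this hunk). Even with the allowlist, an http/ftp URL can still point the server at internal hosts (localhost, link-local metadata addresses), so a comment such as `// NOTE: scheme allowlist only; SSRF to internal hosts is not prevented here` would stop the next reader from assuming this check closes that class of issue. The enclosing method and its try/catch start and end outside the hunk.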