Changeset 7217

Timestamp:

Oct 31, 2016, 1:34:10 PM (6 years ago)

Author:

Nicklas Nordborg

Message:

Fixes #2038: Taglibs in web client may leak information

Fixed the issue in Page taglib by making sure that variables are reset in the setPageContext method. Also added tag attribute sc for setting a session control on the page so that the taglib doesn't have to find out by inspecting the URL.

Also found similar issues with some variables in other taglibs that should be reset before used.

Location:

trunk

Files:

• src/clients/web/net/sf/basedb/clients/web/taglib/Head.java (modified) (1 diff)
• src/clients/web/net/sf/basedb/clients/web/taglib/Icon.java (modified) (2 diffs)
• src/clients/web/net/sf/basedb/clients/web/taglib/Page.java (modified) (4 diffs)
• src/clients/web/net/sf/basedb/clients/web/taglib/tab/Tab.java (modified) (2 diffs)
• src/clients/web/net/sf/basedb/clients/web/taglib/tab/TabControl.java (modified) (1 diff)
• src/clients/web/net/sf/basedb/clients/web/taglib/table/Table.java (modified) (2 diffs)
• src/clients/web/net/sf/basedb/clients/web/taglib/table/Toolbar.java (modified) (2 diffs)
• src/core/net/sf/basedb/core/Application.java (modified) (1 diff)
• www/WEB-INF/base.tld (modified) (1 diff)

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/Head.java

@@ -239 +239 @@
   private void appendScripts(StringBuilder sb, JspContext jspContext)
   {
-    SessionControl sc = page.getSessionControl();
     LinkedHashSet<String> allScripts = new LinkedHashSet<String>();
 

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/Icon.java

@@ -165 +165 @@
   private boolean enabled = true;
   
-  private boolean setEnabledIsCalled = false;
-
   private int tabIndex;
   
@@ -198 +196 @@
   {
     this.enabled = enabled;
-    this.setEnabledIsCalled = true;
   }
   public boolean isEnabled()

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/Page.java

@@ -218 +218 @@
   */
   private transient SessionControl sc;
+  // TRUE if 'sc' has been set (including to null) in this page request
+  private transient boolean scHasBeenSet;
   
   private transient JspContext skinContext;
@@ -284 +286 @@
   }
   
+  /**
+    Set the session control to use in this request.
+    @since 3.10
+  */
+  public void setSc(SessionControl sc)
+  {
+    this.scHasBeenSet = true;
+    this.sc = sc;
+  }
+  
+  public SessionControl getSessionControl()
+  {
+    if (!scHasBeenSet && sc == null)
+    {
+      // Try to autoamtically get a session control
+      try
+      {
+        scHasBeenSet = true;
+        sc = Application.isRunning() ? Base.getSessionControl(pageContext.getRequest(), null, false) : null;
+      }
+      catch (RuntimeException ex)
+      {}
+    }
+    return sc;
+  }
+  
   public void setType(String type)
   {
@@ -352 +380 @@
   {
     return BASE_VERSION;
-  }
-  public SessionControl getSessionControl()
-  {
-    return sc;
   }
 
@@ -382 +406 @@
   {
     super.setPageContext(pageContext);
+    // Reset variables that may exists since previous requests
     favicon = null;
+    sc = null;
+    skinActions = null;
+    skinContext = null;
+    scHasBeenSet = false;
     if (!initialized) initStaticFields(pageContext);
-    try
-    {
-      sc = Application.isRunning() ? Base.getSessionControl(pageContext, false) : null;
-    }
-    catch (RuntimeException ex)
-    {}
   }
 

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/tab/Tab.java

@@ -29 +29 @@
 import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.JspTagException;
+import javax.servlet.jsp.PageContext;
 import javax.servlet.jsp.tagext.BodyTagSupport;
 import javax.servlet.jsp.tagext.DynamicAttributes;
@@ -288 +289 @@
     return dynamicAttributes == null ? null : dynamicAttributes.values().iterator();
   }
+  
+  /**
+    Reset the dynamic attributes to make sure old ones are not
+    included in case the tag object is reused.
+    @since 3.10
+  */
+  @Override
+  public void setPageContext(PageContext pageContext) 
+  {
+    dynamicAttributes = null;
+    super.setPageContext(pageContext);
+  }
 
   @Override

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/tab/TabControl.java

@@ -329 +329 @@
     content = new StringBuilder();
     initialTab = null;
+    numTabs = 0;
 
     if (!noTabs)

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/table/Table.java

@@ -385 +385 @@
       }
     }
+    else
+    {
+      sortColumns = null;
+    }
   }
   public String getSortby()
@@ -657 +661 @@
     }
     definedColumns = new HashSet<String>();
+    extensionColumns = null;
 
     hiddenForm = new StringBuilder();

trunk/src/clients/web/net/sf/basedb/clients/web/taglib/table/Toolbar.java

@@ -26 +26 @@
 import javax.servlet.jsp.JspTagException;
 
-import net.sf.basedb.clients.web.Base;
+import net.sf.basedb.clients.web.taglib.Page;
 import net.sf.basedb.clients.web.taglib.StylableTag;
 import net.sf.basedb.util.Values;
@@ -172 +172 @@
   {
     if (!isVisible()) return SKIP_BODY;
-
-    SessionControl sc = null;
+    Page page = (Page)findAncestorWithClass(this, Page.class);
+    
+    SessionControl sc = page != null ? page.getSessionControl() : null;
     StringBuilder sb = new StringBuilder();
 
-    sc = Base.getSessionControl(pageContext, false);
     sb.append("<div");
     addIdAndStyles(sb);

trunk/src/core/net/sf/basedb/core/Application.java

@@ -1032 +1032 @@
       throw new PermissionDeniedException("Invalid remoteId ("+remoteId+"; expected: "+sc.getRemoteId()+")");
     }
-    if (!sc.isAllowedToUseClient(externalClientId))
+    if (externalClientId != null && !sc.isAllowedToUseClient(externalClientId))
     {
       log.warn("getSessionControl: Invalid externalClientId: "+externalClientId+"; expected: "+sc.getExternalClientId());

trunk/www/WEB-INF/base.tld

@@ -66 +66 @@
       <rtexprvalue>true</rtexprvalue>
     </attribute>
+    <attribute>
+      <name>sc</name>
+      <rtexprvalue>true</rtexprvalue>
+    </attribute>
   </tag>