Merge pull request #5 from NOAA-PMEL/master

noaaroland · web-flow · commit f8fccc0f3e6c · 2018-09-05T11:50:32.000-07:00
Get upstream changes including request filter.
diff --git a/JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java b/JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java
@@ -186,6 +186,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
             	response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal query parameter.");
             	return;
             }
+            if ( !validateTemplates(request) ) {
+				LASAction.logerror(request, "Illegal request parameter value.", "Request contains a parameter value that is not allowed.");
+				response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal query parameter value.");
+				return;
+			}
             if ( ! validBooleanValues(request) ) {
             	LASAction.logerror(request, "Illegal request parameter value.", "Request contains a parameter value that is not allowed.");
             	response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal boolean query parameter value.");
@@ -254,6 +259,18 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 		    filterChain.doFilter( servletRequest, servletResponse );
 		    return;
 	}
+	public boolean validateTemplates(HttpServletRequest request) {
+		String value[] = request.getParameterValues("template");
+		if ( value != null ) {
+            for (int i = 0; i < value.length; i++) {
+                String v = value[i];
+                if (v.toLowerCase().contains(">") || v.toLowerCase().contains("<") || v.toLowerCase().contains("script")) {
+                    return false;
+                }
+            }
+        }
+		return true;
+	}
 	public void init(FilterConfig arg0) throws ServletException {
 		
 	}
diff --git a/WebContent/output/placeholder.txt b/WebContent/output/placeholder.txt
@@ -0,0 +1,2 @@
+Keep me or remove me from the deployed location, it doesn't matter.
+But keep me in $LAS_HOME so the war file includes me.
diff --git a/configure.pl b/configure.pl
@@ -726,7 +726,10 @@
 
     print "Building addXML and the servlet war file.\n";
     system("ant addxml-build; ant deploy");
-
+    if ($? != 0) {
+        print "Build failed!\n";
+        exit 1;
+    }
     print "\n\n";
 
     createScripts();

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Keep me or remove me from the deployed location, it doesn't matter.`
	`2`	`+But keep me in $LAS_HOME so the war file includes me.`