Merge pull request #15 from jasperroel/master

Bugfix for <Path /> traversal in Web Optimization module
alkacon · Jan 25, 2013 · bb07630 · bb07630
2 parents 2287748 + b14a689
commit bb07630
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/....opencms.weboptimization/src/com/alkacon/opencms/weboptimization/CmsOptimizationBean.java b/....opencms.weboptimization/src/com/alkacon/opencms/weboptimization/CmsOptimizationBean.java
@@ -60,6 +60,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.jsp.PageContext;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 
 /**
@@ -483,9 +484,16 @@ protected Locale resolveLocale(CmsObject cms, CmsXmlContent xml) {
      */
     protected List<CmsResource> resolveResource(CmsObject cms, String path, String ext) throws CmsException {
 
+        List<CmsResource> resorces = new ArrayList<CmsResource>();
+
+        // An empty path is most probably a bug/unintentionally included. Ignoring it.
+        if (StringUtils.isBlank(path)) {
+            LOG.warn(Messages.get().getBundle().key(Messages.LOG_WARN_RESOLVE_EMPTY_PATH_1, cms.getRequestContext().getUri()));
+            return resorces;
+        }
+
         CmsResource res = cms.readResource(path);
 
-        List<CmsResource> resorces = new ArrayList<CmsResource>();
         if (res.isFolder()) {
             // if folder, get all files with the given extension in the folder
             List<CmsResource> files = cms.readResources(path, CmsResourceFilter.DEFAULT_FILES);

diff --git a/com.alkacon.opencms.weboptimization/src/com/alkacon/opencms/weboptimization/Messages.java b/com.alkacon.opencms.weboptimization/src/com/alkacon/opencms/weboptimization/Messages.java
@@ -49,6 +49,9 @@ public final class Messages extends A_CmsMessageBundle {
     /** Message constant for key in the resource bundle. */
     public static final String LOG_WARN_NOTHING_TO_PROCESS_1 = "LOG_WARN_NOTHING_TO_PROCESS_1";
 
+    /** Message constant for key in the resource bundle. */
+    public static final String LOG_WARN_RESOLVE_EMPTY_PATH_1 = "LOG_WARN_RESOLVE_EMPTY_PATH_1";
+
     /** Name of the used resource bundle. */
     private static final String BUNDLE_NAME = "com.alkacon.opencms.weboptimization.messages";
 

diff --git a/...kacon.opencms.weboptimization/src/com/alkacon/opencms/weboptimization/messages.properties b/...kacon.opencms.weboptimization/src/com/alkacon/opencms/weboptimization/messages.properties
@@ -1,2 +1,3 @@
 LOG_WARN_NOTHING_TO_PROCESS_1			= Nothing to process for entry {0}
-ERR_NOT_SUPPORTED_RESOURCE_TYPE_2		= Not supported resource type {1} of given resource {0}
+ERR_NOT_SUPPORTED_RESOURCE_TYPE_2		= Not supported resource type {1} of given resource {0}
+LOG_WARN_RESOLVE_EMPTY_PATH_1           =Tried to include an empty path while optimizing {0}. Ignoring entry.