Changeset 32366

Timestamp:
23.08.2018 13:37:52 (11 months ago)
Author:
kjdon
Message:

Instead of blindly copying the paramList into the new pageRequest element going into the page response, look through the paramList/param elements - if any have the SENSITIVE attribute, remove them from the list. This prevents password info being stored in the page response.

Files:
1 modified

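--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/Receptionist.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/Receptionist.java
@@ -17,4 +17,5 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.w3c.dom.NamedNodeMap;
 
 /**
@@ -273,5 +274,5 @@
 
         // the request is part of the page
-        page.appendChild(GSXML.duplicateWithNewName(doc, request, GSXML.PAGE_REQUEST_ELEM, true));
+        page.appendChild(duplicateRequest(doc, request));
         // add the response too
         Element page_response = GSXML.duplicateWithNewName(doc, (Element) GSXML.getChildByTagName(action_response, GSXML.RESPONSE_ELEM), GSXML.PAGE_RESPONSE_ELEM, true);
@@ -293,4 +294,44 @@
     }
 
+  // This is pretty much a straight copy of the Element, with a new top root node name, but also, removing any NOSAVE parameters.
+  protected Element duplicateRequest(Document owner, Element request) {
+
+    Element duplicate;
+    duplicate = owner.createElement(GSXML.PAGE_REQUEST_ELEM);
+    // Copy element attributes
+    NamedNodeMap attributes = request.getAttributes();
+    for (int i = 0; i < attributes.getLength(); i++)
+      {
+    Node attribute = attributes.item(i);
+    duplicate.setAttribute(attribute.getNodeName(), attribute.getNodeValue());
+      }
+    // Copy element children
+    NodeList children = request.getChildNodes();
+    for (int i = 0; i < children.getLength(); i++)
+      {
+    Node child = children.item(i);
+    if (child.getNodeName().equals(GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER)) {
+      Element param_list = (Element)owner.importNode(child, true);
+      NodeList params = param_list.getElementsByTagName(GSXML.PARAM_ELEM);
+      for (int j=params.getLength()-1; j>=0; j--) {
+        Element p = (Element)params.item(j);
+        if (!p.getAttribute(GSXML.SENSITIVE_ATT).equals("")) {
+          logger.error("removing param "+p.getAttribute("name"));
+          param_list.removeChild(p);
+        }
+      }
+        duplicate.appendChild(param_list);
+    } else {
+      duplicate.appendChild(owner.importNode(child, true));
+    }
+      }
+
+
+    return duplicate;
+
+
+
+
+  }
     protected boolean setUpBaseInterface(String base_interface)
     {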
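Review bot: In duplicateRequest, the filter only covers a paramList that is a direct child of the request, and `param_list.removeChild(p)` is applied to nodes found with getElementsByTagName, which returns all descendants. A sensitive param nested deeper in the list would raise a DOMException instead of being removed, and one under any other child is copied unfiltered by the else branch's deep importNode; whether such nesting occurs in practice isn't visible from this hunk. `p.getParentNode().removeChild(p)` handles the nested case, and running the same sweep over the finished `duplicate` would cover the whole copied tree. The removal is logged with `logger.error`, so every request carrying such a param is reported as an error; `logger.debug` fits an expected event better. The leading comment says NOSAVE while the code tests `GSXML.SENSITIVE_ATT`, so it should name the attribute actually checked, e.g. `// Copy of the request under a new root name, with any param carrying the SENSITIVE attribute removed.`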