Changeset 33619
- Timestamp:
- 2019-11-04T11:36:56+13:00 (4 years ago)
- File:
-
- 1 edited
main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java
r33406 r33619 49 49 protected static final String USERS_DB_URL = "etc/usersDB/.*"; 50 50 protected static final ArrayList<String> _restrictedURLs; 51 51 52 static 52 53 { … … 56 57 _restrictedURLs = restrictedURLs; 57 58 } 58 59 59 60 //Constants 60 61 protected static final String DOCUMENT_PATH = "document"; … … 65 66 protected static final String BROWSE_PATH = "browse"; 66 67 protected static final String SEARCH_PATH = "search"; 67 68 protected static final ArrayList<String> _keywords; 69 70 static 71 { 72 ArrayList<String> keywords = new ArrayList<String>(); 73 keywords.add(PAGE_PATH); 74 keywords.add(BROWSE_PATH); 75 keywords.add(SEARCH_PATH); 76 keywords.add(DOCUMENT_PATH); 77 _keywords = keywords; 78 } 79 68 80 protected static final String METADATA_RETRIEVAL_SERVICE = "DocumentMetadataRetrieve"; 69 81 protected static final String ASSOCIATED_FILE_PATH = "/index/assoc/"; … … 116 128 return; 117 129 } 118 130 119 131 // Run security checks on files requested from a collection's index/assoc folder 120 132 if (url.contains(ASSOCIATED_FILE_PATH)) { … … 128 140 return; 129 141 } 142 143 // 144 if (url.contains(SITES_PATH)) { 145 // there are some site/collection images that are not associated files. 146 // these dont need to be security checked, but we need to remove the library name from the url if its there 147 String context_path = context.getContextPath(); 148 String regex = context_path+"/.+"+SITES_PATH+".*"; 149 if (url.matches(regex)) { 150 // a forward doesn't want the context path 151 String new_url = url.substring(url.indexOf(SITES_PATH)); 152 request.getRequestDispatcher(new_url).forward(request, response); 153 return; 154 } 155 // else if it doesn't match, ie the url was /greenstone3/sites/... 
156 // we don't do anything and just let it continue 157 } 158 159 130 160 131 161 // if we are asking for an interface file, and it doesn't exist, then … … 154 184 else 155 185 { 156 ArrayList<String> keywords = new ArrayList<String>();157 keywords.add(PAGE_PATH);158 keywords.add(BROWSE_PATH);159 keywords.add(SEARCH_PATH);160 keywords.add(DOCUMENT_PATH);161 186 //If we have a jsessionid on the end of our URL we want to ignore it 162 187 int index; … … 173 198 if (segments[i].equals(COLLECTION_PATH) && (i + 1) < segments.length) { 174 199 int j=i+1; 175 while(j+1 < segments.length && ! keywords.contains(segments[j+1])) {200 while(j+1 < segments.length && !_keywords.contains(segments[j+1])) { 176 201 j++; 177 202 } … … 393 418 return null; 394 419 } 395 420 396 421 397 422 private void securityCheckAssocFiles(String url, HttpServletRequest request, ServletResponse response) throws IOException, ServletException {
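Review bot: The new `SITES_PATH` branch forwards `new_url`, a substring of the request URL starting at the first `indexOf(SITES_PATH)`, and returns with no check on that path in the visible lines; a `RequestDispatcher.forward` is not normally passed back through the filter chain unless the filter is mapped for FORWARD dispatches, so anything the rest of this method would have enforced is skipped for it. The `_restrictedURLs` handling sits outside this hunk, so please confirm it runs before this branch, and consider limiting the forward to the image paths the comment has in mind rather than everything under `SITES_PATH`. `context_path` is also concatenated into the regex unescaped; `String regex = Pattern.quote(context_path) + "/.+" + SITES_PATH + ".*";` keeps a context path containing regex metacharacters from changing the match. The bare `//` above the `if` should state the purpose, e.g. `// Forward site/collection files requested with a library name in the URL to their real path`. The enclosing method starts and ends outside the hunk.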