Changeset 33619

Timestamp:

2019-11-04T11:36:56+13:00 (4 years ago)

Author:

kjdon

Message:

need to handle the case where a collection file (eg image) gets library in its url, but its not as assoc file. It doesn't need to go through the security checking, but we do need to remove library from its url

File:

• main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java (modified) (8 diffs)

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/URLFilter.java

@@ -49 +49 @@
   protected static final String USERS_DB_URL = "etc/usersDB/.*";
   protected static final ArrayList<String> _restrictedURLs;
+
   static
   {
@@ -56 +57 @@
     _restrictedURLs = restrictedURLs;
   }
-
+  
   //Constants
   protected static final String DOCUMENT_PATH = "document";
@@ -65 +66 @@
   protected static final String BROWSE_PATH = "browse";
   protected static final String SEARCH_PATH = "search";
-
+  protected static final ArrayList<String> _keywords;
+
+  static
+  {
+    ArrayList<String> keywords = new ArrayList<String>();
+    keywords.add(PAGE_PATH);
+    keywords.add(BROWSE_PATH);
+    keywords.add(SEARCH_PATH);
+    keywords.add(DOCUMENT_PATH);
+    _keywords = keywords;
+  }
+  
   protected static final String METADATA_RETRIEVAL_SERVICE = "DocumentMetadataRetrieve";
   protected static final String ASSOCIATED_FILE_PATH = "/index/assoc/";
@@ -116 +128 @@
       return;
     }
- 
+     
     // Run security checks on files requested from a collection's index/assoc folder
     if (url.contains(ASSOCIATED_FILE_PATH)) {
@@ -128 +140 @@
       return;
     }
+
+    //
+    if (url.contains(SITES_PATH)) {
+      // there are some site/collection images that are not associated files.
+      // these dont need to be security checked, but we need to remove the library name from the url if its there
+      String context_path = context.getContextPath();
+      String regex = context_path+"/.+"+SITES_PATH+".*";
+      if (url.matches(regex)) {
+    // a forward doesn't want the context path
+    String new_url = url.substring(url.indexOf(SITES_PATH));
+    request.getRequestDispatcher(new_url).forward(request, response);
+    return;
+      }
+      // else if it doesn't match, ie the url was /greenstone3/sites/...
+      // we don't do anything and just let it continue
+    }
+    
+      
 
     // if we are asking for an interface file, and it doesn't exist, then
@@ -154 +184 @@
     else
       {
-    ArrayList<String> keywords = new ArrayList<String>();
-    keywords.add(PAGE_PATH);
-    keywords.add(BROWSE_PATH);
-    keywords.add(SEARCH_PATH);
-    keywords.add(DOCUMENT_PATH);
     //If we have a jsessionid on the end of our URL we want to ignore it
     int index;
@@ -173 +198 @@
         if (segments[i].equals(COLLECTION_PATH) && (i + 1) < segments.length) {
           int j=i+1;
-          while(j+1 < segments.length && !keywords.contains(segments[j+1])) {
+          while(j+1 < segments.length && !_keywords.contains(segments[j+1])) {
         j++;
           }
@@ -393 +418 @@
       return null;
   }
-      
+
 
   private void securityCheckAssocFiles(String url, HttpServletRequest request, ServletResponse response) throws IOException, ServletException {