Changeset 32366


Timestamp:
2018-08-23T13:37:52+12:00 (6 years ago)
Author:
kjdon
Message:

Instead of blindly copying the paramList into the new pageRequest element going into the page response, look through the paramList/param elements - if any have the SENSITIVE attribute, remove them from the list. This prevents password info being stored in the page response.

File:
1 edited

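--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/Receptionist.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/core/Receptionist.java
@@ -17,4 +17,5 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.w3c.dom.NamedNodeMap;
 
 /**
@@ -273,5 +274,5 @@
 
         // the request is part of the page
-        page.appendChild(GSXML.duplicateWithNewName(doc, request, GSXML.PAGE_REQUEST_ELEM, true));
+        page.appendChild(duplicateRequest(doc, request));
         // add the response too
         Element page_response = GSXML.duplicateWithNewName(doc, (Element) GSXML.getChildByTagName(action_response, GSXML.RESPONSE_ELEM), GSXML.PAGE_RESPONSE_ELEM, true);
@@ -293,4 +294,44 @@
     }
 
+  // This is pretty much a straight copy of the Element, with a new top root node name, but also, removing any NOSAVE parameters.
+  protected Element duplicateRequest(Document owner, Element request) {
+   
+    Element duplicate;
+    duplicate = owner.createElement(GSXML.PAGE_REQUEST_ELEM);
+    // Copy element attributes
+    NamedNodeMap attributes = request.getAttributes();
+    for (int i = 0; i < attributes.getLength(); i++)
+      {
+    Node attribute = attributes.item(i);
+    duplicate.setAttribute(attribute.getNodeName(), attribute.getNodeValue());
+      }
+    // Copy element children
+    NodeList children = request.getChildNodes();
+    for (int i = 0; i < children.getLength(); i++)
+      {
+    Node child = children.item(i);
+    if (child.getNodeName().equals(GSXML.PARAM_ELEM + GSXML.LIST_MODIFIER)) {
+      Element param_list = (Element)owner.importNode(child, true);
+      NodeList params = param_list.getElementsByTagName(GSXML.PARAM_ELEM);
+      for (int j=params.getLength()-1; j>=0; j--) {
+        Element p = (Element)params.item(j);
+        if (!p.getAttribute(GSXML.SENSITIVE_ATT).equals("")) {
+          logger.error("removing param "+p.getAttribute("name"));
+          param_list.removeChild(p);
+        }
+      }
+        duplicate.appendChild(param_list);
+    } else {
+      duplicate.appendChild(owner.importNode(child, true));
+    }
+      }
+     
+   
+    return duplicate;
+ 
+
+ 
+
+  }
     protected boolean setUpBaseInterface(String base_interface)
     {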
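Review bot: In `duplicateRequest`, `param_list.getElementsByTagName(GSXML.PARAM_ELEM)` returns every descendant param, but `param_list.removeChild(p)` only succeeds for direct children, so a sensitive param nested deeper would raise a DOMException instead of being stripped; `p.getParentNode().removeChild(p);` removes it wherever it sits. The filter also runs only on a param list that is a direct child of the request, while the `else` branch deep-copies every other child unfiltered, so if sensitive params can appear elsewhere in the request (not visible here) they would still reach the page response. The removal is logged with `logger.error`, which reports a routine, expected action as a failure; `logger.debug("removing param "+p.getAttribute("name"));` fits better and still records only the name, never the value. The leading comment says NOSAVE while the code tests `GSXML.SENSITIVE_ATT`, so it should read `// Copy of the request under the PAGE_REQUEST_ELEM name, dropping any param that carries the SENSITIVE attribute.`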