bug #4737 : Add a whitelist of files that can be uploaded. The whitelist is based upon the file extension.

Author: mmoqui

websites/websites-config/src/main/config/properties/org/silverpeas/webSites/settings/webSiteSettings.properties

@@ -21,6 +21,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-Machine = 
+Machine =
 Context = website
-uploadsPath = /Silverpeas/KMEdition/Production/
+uploadsPath = /Silverpeas/KMEdition/Production/
+# while list of file extension permitted for the file upload
+whiteList = html htm js odt doc pdf

websites/websites-war/src/main/java/com/stratelia/webactiv/webSites/control/WebSiteSessionController.java

@@ -58,13 +58,15 @@
 import java.io.File;
 import java.rmi.RemoteException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import javax.ejb.EJBException;
 import javax.xml.bind.JAXBException;
 import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.io.FilenameUtils;
 
 import static com.silverpeas.pdc.model.PdcClassification.aPdcClassificationOfContent;
 
@@ -78,6 +80,7 @@ public class WebSiteSessionController extends AbstractComponentSessionController
   private String siteName;
   public final static String TAB_PDC = "tabPdc";
   private static final String WEBSITE_REPO_PROPERTY = "uploadsPath";
+  private static final String WEBSITE_WHITE_LIST = "whiteList";
 
   public WebSiteSessionController(MainSessionController mainSessionCtrl,
       ComponentContext componentContext) {
@@ -891,6 +894,18 @@ private String getFullPath(String relativePath) throws WebSitesException {
     return getWebSiteRepositoryPath() + relativePath;
   }
 
+  public int addFileIntoWebSite(String webSitePath, FileItem fileItem) throws Exception {
+    String fileName = FileUploadUtil.getFileName(fileItem);
+    if (isInWhiteList(fileName)) {
+      String path = getWebSiteRepositoryPath() + "/" + webSitePath;
+      File file = new File(path, fileName);
+      fileItem.write(file);
+      return 0;
+    } else {
+      return -2;
+    }
+  }
+
   /**
    * Creates a web site from the content of an archive file (a ZIP file).
    *
@@ -916,6 +931,14 @@ public int createWebSiteFromZipFile(SiteDetail descriptionSite, FileItem fileIte
       String cheminFichierZip = cheminZip + "/" + fichierZipName;
       unzip(cheminZip, cheminFichierZip);
 
+      /* check the files are thoses expected */
+      Collection<File> files = FileFolderManager.getAllFile(cheminZip);
+      for (File uploadedFile : files) {
+        if (!uploadedFile.getName().equals(fichierZipName) && !isInWhiteList(uploadedFile.getName())) {
+          return -2;
+        }
+      }
+
       /* verif que le nom de la page principale est correcte */
       Collection<File> collPages = getAllWebPages2(getWebSitePathById(descriptionSite.getId()));
       SilverTrace.debug("webSites", "RequestRouter.EffectiveUploadSiteZip",
@@ -944,4 +967,14 @@ public int createWebSiteFromZipFile(SiteDetail descriptionSite, FileItem fileIte
     }
     return 0;
   }
+
+  public boolean isInWhiteList(String fileName) {
+    String authorizedExtensions = getSettings().getString(WEBSITE_WHITE_LIST);
+    if (StringUtil.isDefined(authorizedExtensions)) {
+      List<String> whiteList = Arrays.asList(authorizedExtensions.split(" "));
+      String extension = FilenameUtils.getExtension(fileName).toLowerCase();
+      return whiteList.contains(extension);
+    }
+    return false;
+  }
 }

websites/websites-war/src/main/java/com/stratelia/webactiv/webSites/servlets/WebSitesRequestRouter.java

@@ -153,6 +153,7 @@ public String getDestination(String function, WebSiteSessionController scc,
         }
       } else if (function.startsWith("searchResult")) {
         String id = request.getParameter("Id"); /* id de la publication */
+
         String typeRequest = request.getParameter("Type");
 
         if ("Publication".equals(typeRequest) || "Site".equals(typeRequest)) {
@@ -209,8 +210,7 @@ public String getDestination(String function, WebSiteSessionController scc,
         String nameSite = request.getParameter("nameSite");
         String id = request.getParameter("id");
 
-        destination =
-            "http://" + getMachine(request) + URLManager.getApplicationURL()
+        destination = "http://" + getMachine(request) + URLManager.getApplicationURL()
             + "/wysiwyg/jsp/htmlEditor.jsp?";
         destination += "SpaceId=" + scc.getSpaceId();
 
@@ -222,9 +222,10 @@ public String getDestination(String function, WebSiteSessionController scc,
         destination += "&ObjectId=" + id;
         destination += "&FileName=" + URLEncoder.encode(name, "UTF-8");
         destination += "&Path=" + URLEncoder.encode(path, "UTF-8");
-        destination +=
-            "&ReturnUrl=" + URLEncoder.encode(URLManager.getApplicationURL() + URLManager.getURL(
-            scc.getSpaceId(), scc.getComponentId()) + "FromWysiwyg?path=" + path + "&name=" + name
+        destination += "&ReturnUrl=" + URLEncoder.encode(URLManager.getApplicationURL()
+            + URLManager.getURL(
+                scc.getSpaceId(), scc.getComponentId()) + "FromWysiwyg?path=" + path + "&name="
+            + name
             + "&nameSite=" + nameSite + "&profile=" + flag + "&id=" + id, "UTF-8");
         SilverTrace.info("webSites", "WebSitesRequestRouter.getDestination().ToWysiwyg",
             "root.MSG_GEN_PARAM_VALUE", "destination = " + destination);
@@ -302,12 +303,12 @@ public String getDestination(String function, WebSiteSessionController scc,
           String listeIcones = request.getParameter("ListeIcones");
 
           type = "design";
-          complete =
-              "&RecupParam=oui&Nom=" + nom + "&Description=" + description + "&Page=" + lapage
+          complete = "&RecupParam=oui&Nom=" + nom + "&Description=" + description + "&Page="
+              + lapage
               + "&ListeIcones=" + listeIcones;
         } else {
-          destination =
-              "/webSites/jsp/modifDesc.jsp?Id=" + id + "&path=" + currentPath + "&type=" + type;
+          destination = "/webSites/jsp/modifDesc.jsp?Id=" + id + "&path=" + currentPath + "&type="
+              + type;
         }
 
         destination = "/webSites/jsp/modifDesc.jsp?Id=" + id;
@@ -346,8 +347,7 @@ public String getDestination(String function, WebSiteSessionController scc,
           String childId = request.getParameter("ChildId");
           String name = request.getParameter("Name");
           String description = request.getParameter("Description");
-          NodeDetail folder =
-              new NodeDetail(childId, name, description, null, null, null, "0", "X");
+          NodeDetail folder = new NodeDetail(childId, name, description, null, null, null, "0", "X");
           scc.updateFolderHeader(folder, "");
           action = "Search";
         } else if (action.equals("Delete")) {
@@ -496,8 +496,8 @@ public String getDestination(String function, WebSiteSessionController scc,
         String newTopicName = request.getParameter("Name");
         String newTopicDescription = request.getParameter("Description");
 
-        NodeDetail folder =
-            new NodeDetail("X", newTopicName, newTopicDescription, null, null, null, "0", "X");
+        NodeDetail folder = new NodeDetail("X", newTopicName, newTopicDescription, null, null, null,
+            "0", "X");
         scc.addFolder(folder, "");
 
         destination = "/webSites/jsp/addTopic.jsp?Action=" + action + "&Id=" + fatherId;
@@ -520,8 +520,8 @@ public String getDestination(String function, WebSiteSessionController scc,
         request.setAttribute("ListSites", listeSites);
         request.setAttribute("CurrentFolder", scc.getSessionTopic());
 
-        destination =
-            "/webSites/jsp/classifyDeclassify.jsp?Action=" + action + "&TopicId=" + id + "&Path="
+        destination = "/webSites/jsp/classifyDeclassify.jsp?Action=" + action + "&TopicId=" + id
+            + "&Path="
             + linkedPathString;
       } else if (function.startsWith("manage.jsp")) {
         String action = request.getParameter("Action");
@@ -557,9 +557,9 @@ public String getDestination(String function, WebSiteSessionController scc,
           String id = scc.getNextId();
 
           /* Persist siteDetail inside database, type 1 = bookmark */
-          SiteDetail descriptionSite =
-              new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 1, null,
-              null, 0, popup);
+          SiteDetail descriptionSite
+              = new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 1, null,
+                  null, 0, popup);
           descriptionSite.setPositions(positions);
 
           String pubId = scc.createWebSite(descriptionSite);
@@ -668,8 +668,8 @@ public String getDestination(String function, WebSiteSessionController scc,
           int type = ancien.getType();
 
           /* update description en BD */
-          SiteDetail descriptionSite2 =
-              new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, type, null,
+          SiteDetail descriptionSite2 = new SiteDetail(id, scc.getComponentId(), nomSite,
+              description, nomPage, type, null,
               null, etat, popup);
 
           scc.updateWebSite(descriptionSite2);
@@ -762,9 +762,9 @@ public String getDestination(String function, WebSiteSessionController scc,
           scc.createFolder(scc.getWebSitePathById(id));
 
           // Persist siteDetail inside database type 0 = site cree
-          SiteDetail descriptionSite =
-              new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 0, null,
-              null, 0, popup);
+          SiteDetail descriptionSite
+              = new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 0, null,
+                  null, 0, popup);
           descriptionSite.setPositions(positions);
 
           String pubId = scc.createWebSite(descriptionSite);
@@ -859,8 +859,8 @@ public String getDestination(String function, WebSiteSessionController scc,
 
           boolean searchOk = ok;
 
-          SiteDetail descriptionSite2 =
-              new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, type, null,
+          SiteDetail descriptionSite2 = new SiteDetail(id, scc.getComponentId(), nomSite,
+              description, nomPage, type, null,
               null, Integer
               .parseInt(etat), popup);
 
@@ -1011,17 +1011,15 @@ public String getDestination(String function, WebSiteSessionController scc,
         destination = "/webSites/jsp/design.jsp?Action=design&path=" + currentPath + "&Id=" + id;
       } else if (function.equals("EffectiveUploadFile")) {
         List<FileItem> items = FileUploadUtil.parseRequest(request);
-
+        boolean status = true;
         String thePath = FileUploadUtil.getParameter(items, "path");
         scc.checkPath(thePath);
         FileItem item = FileUploadUtil.getFile(items);
         if (item != null) {
-          String fileName = FileUploadUtil.getFileName(item);
-          File file = new File(thePath, fileName);
-          item.write(file);
+          status = (scc.addFileIntoWebSite(thePath, item) == 0);
         }
 
-        request.setAttribute("UploadOk", Boolean.TRUE);
+        request.setAttribute("UploadOk", status);
 
         destination = "/webSites/jsp/uploadFile.jsp?path=" + thePath;
       } else if (function.startsWith("descUpload.jsp")) {
@@ -1048,9 +1046,9 @@ public String getDestination(String function, WebSiteSessionController scc,
           String id = scc.getNextId();
 
           // Persist uploaded website inside database, type=2
-          SiteDetail descriptionSite =
-              new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 2, null,
-              null, 0, popup);
+          SiteDetail descriptionSite
+              = new SiteDetail(id, scc.getComponentId(), nomSite, description, nomPage, 2, null,
+                  null, 0, popup);
 
           descriptionSite.setPositions(positions);
           int result = scc.createWebSiteFromZipFile(descriptionSite, fileItem);
@@ -1462,6 +1460,7 @@ private String parseCodeSupprHref(WebSiteSessionController scc, String code,
     String apres;
     int index;
     String href = "<A href=\""; /* longueur de chaine = 9 */
+
     String finChemin;
     String fichier;
     String deb;
@@ -1477,9 +1476,11 @@ private String parseCodeSupprHref(WebSiteSessionController scc, String code,
       apres = theCode.substring(index + 9);
 
       if (apres.substring(0, 7).equals("http://")) { /* lien externe */
+
         theReturn = avant
             + parseCodeSupprHref(scc, apres, settings, currentPath);
       } else if (apres.substring(0, 6).equals("ftp://")) { /* lien externe */
+
         theReturn = avant
             + parseCodeSupprHref(scc, apres, settings, currentPath);
       } else if (apres.substring(0, 3).equals("rr:")) { /* deja en relatif */