JSPWIKI-1239 a string length check added to prevent duplicate email c…

ChangeLog.md

@@ -16,9 +16,24 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
+
+**2025-11-13 Alex O'Ree (alexoree AT apache DOT org)**
+
+* _3.0.0-git-06_
+
+* Dependency Updates 
+	* commons-validator (added) at 1.10.0
+
+* [JSPWIKI-1239](https://issues.apache.org/jira/browse/JSPWIKI-1239) New user signup says the email is optional, but does not accept blank since it's already in use by the admin account
+* [JSPWIKI-1243](https://issues.apache.org/jira/browse/JSPWIKI-1243 Email validation rouine is incorrect (unicode symbols and more)
+* NOJIRA disables and removes the ClearSiteData Servlet Filter which broke CSRF token checks
+
+
+
 **2025-11-13 Alex O'Ree (alexoree AT apache DOT org)**
 
 * _3.0.0-git-05_
+
 * Dependency Updates 
 	* Tomcat updated to 10.1.49
 

jspwiki-api/src/main/java/org/apache/wiki/api/Release.java

@@ -69,7 +69,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "05";
+    public static final String     BUILD         = "06";
 
     /**
      *  This is the generic version string you should use when printing out the version.  It is of

jspwiki-main/pom.xml

@@ -106,6 +106,11 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>commons-validator</groupId>
+            <artifactId>commons-validator</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.commons</groupId>

jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultUserManager.java

@@ -382,15 +382,17 @@ public void validateProfile( final Context context, final UserProfile profile )
         } catch( final NoSuchPrincipalException e ) { /* It's clean */ }
 
         // It's illegal to use multiple accounts with the same email
-        try {
-            otherProfile = getUserDatabase().findByEmail( email );
-            if( otherProfile != null && !profile.getUid().equals( otherProfile.getUid() ) // Issue JSPWIKI-1042
-                    && !profile.equals( otherProfile ) && StringUtils.lowerCase( email )
-                    .equals( StringUtils.lowerCase( otherProfile.getEmail() ) ) ) {
-                final Object[] args = { email };
-                session.addMessage( SESSION_MESSAGES, MessageFormat.format( rb.getString( "security.error.email.taken" ), args ) );
-            }
-        } catch( final NoSuchPrincipalException e ) { /* It's clean */ }
+        if (email != null && email.trim().length() > 0) {
+            try {
+                otherProfile = getUserDatabase().findByEmail( email );
+                if( otherProfile != null && !profile.getUid().equals( otherProfile.getUid() ) // Issue JSPWIKI-1042
+                        && !profile.equals( otherProfile ) && StringUtils.lowerCase( email )
+                        .equals( StringUtils.lowerCase( otherProfile.getEmail() ) ) ) {
+                    final Object[] args = { email };
+                    session.addMessage( SESSION_MESSAGES, MessageFormat.format( rb.getString( "security.error.email.taken" ), args ) );
+                }
+            } catch( final NoSuchPrincipalException e ) { /* It's clean */ }
+        }
     }
 
     /** {@inheritDoc} */

jspwiki-main/src/main/java/org/apache/wiki/tasks/auth/SaveUserProfileTask.java

@@ -70,7 +70,7 @@ public Outcome execute( final Context context ) throws WikiException {
         context.getEngine().getManager( UserManager.class ).getUserDatabase().save( profile );
 
         // Send e-mail if user supplied an e-mail address
-        if ( profile != null && profile.getEmail() != null ) {
+        if ( profile != null && profile.getEmail() != null && profile.getEmail().length() > 0 ) {
             try {
                 final InternationalizationManager i18n = context.getEngine().getManager( InternationalizationManager.class );
                 final String app = context.getEngine().getApplicationName();

jspwiki-main/src/main/java/org/apache/wiki/ui/InputValidator.java

@@ -27,6 +27,7 @@ Licensed to the Apache Software Foundation (ASF) under one
 import java.util.ResourceBundle;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.apache.commons.validator.routines.EmailValidator;
 
 /**
  * Provides basic validation services for HTTP parameters. Three standard validators are provided: email address, identifier and
@@ -49,7 +50,6 @@ public final class InputValidator {
      * @since 2.4.82
      */
     static final Pattern ID_PATTERN     = Pattern.compile( "[\\x00\\r\\n\\x0f\"'<>;&\\xff{}]" );
-    static final Pattern EMAIL_PATTERN  = Pattern.compile( "^[0-9a-zA-Z-_.+]+@([0-9a-zA-Z-_]+\\.)+[a-zA-Z]+$" );
     static final Pattern UNSAFE_PATTERN = Pattern.compile( "[\\x00\\r\\n\\x0f\"':<>\\[\\];#&@\\xff{}$%\\\\]" );
 
     private final String m_form;
@@ -130,8 +130,7 @@ public boolean validate( final String input, final String label, final int type
             }
             return valid;
         case EMAIL:
-            matcher = EMAIL_PATTERN.matcher( input );
-            valid = matcher.matches();
+            valid = EmailValidator.getInstance().isValid(input);
             if ( !valid ) {
                 final Object[] args = { label };
                 m_session.addMessage( m_form, MessageFormat.format( rb.getString( "validate.invalidemail" ), args ) );

jspwiki-war/src/main/webapp/Login.jsp

@@ -56,7 +56,7 @@
     // Are we saving the profile?
     if( "saveProfile".equals( request.getParameter( "action" ) ) ) {
         if( !CsrfProtectionFilter.isCsrfProtectedPost( request ) ) {
-            response.sendRedirect( "/error/Forbidden.html" );
+            response.sendRedirect( "error/Forbidden.html" );
             return;
         }
 

jspwiki-war/src/main/webapp/WEB-INF/web.xml

@@ -106,14 +106,7 @@
      <filter-name>CORPFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
-   <filter>
-     <filter-name>ClearSiteDataFilter</filter-name>
-     <filter-class>org.apache.wiki.http.filter.ClearSiteDataFilter</filter-class>
-   </filter>
-   <filter-mapping>
-     <filter-name>ClearSiteDataFilter</filter-name>
-     <url-pattern>/*</url-pattern>
-   </filter-mapping>
+
    <filter>
      <filter-name>ContentTypeOptionsFilter</filter-name>
      <filter-class>org.apache.wiki.http.filter.ContentTypeOptionsFilter</filter-class>

pom.xml

@@ -53,6 +53,7 @@
     <commons-lang.version>3.19.0</commons-lang.version>
     <commons-net.version>3.12.0</commons-net.version>
     <commons-text.version>1.14.0</commons-text.version>
+    <commons-validator.version>1.10.0</commons-validator.version>
     <ehcache.version>2.10.9.2</ehcache.version>
     <flexmark.version>0.64.8</flexmark.version>
     <freshcookies-security.version>0.60</freshcookies-security.version>
@@ -172,6 +173,12 @@
           <artifactId>commons-net</artifactId>
           <version>${commons-net.version}</version>
       </dependency>
+
+      <dependency>
+          <groupId>commons-validator</groupId>
+          <artifactId>commons-validator</artifactId>
+          <version>${commons-validator.version}</version>
+      </dependency>
 
       <dependency><!-- https://jakartaee.github.io/mail-api/README-JakartaMail#Download_Jakarta_Mail_Release -->
         <groupId>com.sun.mail</groupId>