Merge remote-tracking branch 'origin/3.2.x' into develop

geonetwork · Feb 10, 2017 · 246feae · 246feae
2 parents 6058bd5 + c55680f
commit 246feae
Show file tree

Hide file tree

Showing 240 changed files with 13,074 additions and 7,733 deletions.
diff --git a/common/src/main/java/org/fao/geonet/utils/FilePathChecker.java b/common/src/main/java/org/fao/geonet/utils/FilePathChecker.java
@@ -0,0 +1,58 @@
+//=============================================================================
+//===	Copyright (C) 2001-2005 Food and Agriculture Organization of the
+//===	United Nations (FAO-UN), United Nations World Food Programme (WFP)
+//===	and United Nations Environment Programme (UNEP)
+//===
+//===	This library is free software; you can redistribute it and/or
+//===	modify it under the terms of the GNU Lesser General Public
+//===	License as published by the Free Software Foundation; either
+//===	version 2.1 of the License, or (at your option) any later version.
+//===
+//===	This library is distributed in the hope that it will be useful,
+//===	but WITHOUT ANY WARRANTY; without even the implied warranty of
+//===	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+//===	Lesser General Public License for more details.
+//===
+//===	You should have received a copy of the GNU Lesser General Public
+//===	License along with this library; if not, write to the Free Software
+//===	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+//===
+//===	Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+//===	Rome - Italy. email: GeoNetwork@fao.org
+//==============================================================================
+
+package org.fao.geonet.utils;
+
+import org.fao.geonet.exceptions.BadParameterEx;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+/**
+ * Utility class to validate a file path.
+ *
+ * @author josegar
+ */
+public class FilePathChecker {
+
+    /**
+     * Checks that a file path is not absolute path and doesn't have .. characters, throwing an exception
+     * in these cases.
+     *
+     * @param filePath
+     * @throws Exception
+     */
+    public static void verify(String filePath) throws Exception {
+        if (filePath.contains("..")) {
+            throw new BadParameterEx(
+                    "Invalid character found in path.",
+                    filePath);
+        }
+
+        Path path = Paths.get(filePath);
+        if (path.isAbsolute() || filePath.startsWith("/") ||
+                filePath.startsWith("://", 1))  {
+            throw new SecurityException("Wrong filename");
+        }
+    }
+}
diff --git a/common/src/main/java/org/fao/geonet/utils/NoOpEntityResolver.java b/common/src/main/java/org/fao/geonet/utils/NoOpEntityResolver.java
@@ -0,0 +1,12 @@
+package org.fao.geonet.utils;
+
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+import java.io.StringReader;
+
+public class NoOpEntityResolver implements EntityResolver {
+    public InputSource resolveEntity(String publicId, String systemId) {
+        return new InputSource(new StringReader(""));
+    }
+}
diff --git a/common/src/main/java/org/fao/geonet/utils/Xml.java b/common/src/main/java/org/fao/geonet/utils/Xml.java
@@ -137,8 +137,14 @@ private static SAXBuilder getSAXBuilder(boolean validate, Path base) {
     private static SAXBuilder getSAXBuilderWithPathXMLResolver(boolean validate, Path base) {
         SAXBuilder builder = new SAXBuilder(validate);
         builder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        NioPathHolder.setBase(base);
-        builder.setEntityResolver(Xml.PATH_RESOLVER);
+
+        if (base != null) {
+            NioPathHolder.setBase(base);
+            builder.setEntityResolver(Xml.PATH_RESOLVER);
+        } else {
+            builder.setEntityResolver(new NoOpEntityResolver());
+        }
+
         return builder;
     }
 

diff --git a/core/src/main/java/org/fao/geonet/kernel/AccessManager.java b/core/src/main/java/org/fao/geonet/kernel/AccessManager.java
@@ -26,6 +26,7 @@
 import jeeves.server.UserSession;
 import jeeves.server.context.ServiceContext;
 
+import org.apache.commons.lang.StringUtils;
 import org.fao.geonet.ApplicationContextHolder;
 import org.fao.geonet.domain.Group;
 import org.fao.geonet.domain.Metadata;
@@ -480,10 +481,11 @@ else if (ip.indexOf(':') >= 0) {
 
         SettingRepository settingRepository= ApplicationContextHolder.get().getBean(SettingRepository.class);
         Setting network = settingRepository.findOne(Settings.SYSTEM_INTRANET_NETWORK);
-        Setting netmask = settingRepository.findOne(Settings.SYSTEM_INTRANET_NETWORK);
+        Setting netmask = settingRepository.findOne(Settings.SYSTEM_INTRANET_NETMASK);
 
         try {
-            if (network != null && netmask != null) {
+            if (network != null && netmask != null &&
+                StringUtils.isNotEmpty(network.getValue()) && StringUtils.isNotEmpty(netmask.getValue())) {
                 long lIntranetNet = getAddress(network.getValue());
                 long lIntranetMask = getAddress(netmask.getValue());
                 long lAddress = getAddress(ip.split(",")[0]);

diff --git a/core/src/main/java/org/fao/geonet/kernel/DataManager.java b/core/src/main/java/org/fao/geonet/kernel/DataManager.java
@@ -40,7 +40,6 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.eclipse.jetty.util.ConcurrentHashSet;
-import org.eclipse.jetty.util.StringUtil;
 import org.fao.geonet.ApplicationContextHolder;
 import org.fao.geonet.GeonetContext;
 import org.fao.geonet.NodeInfo;
@@ -594,7 +593,7 @@ public void indexMetadata(final String metadataId, boolean forceRefreshReaders)
             int id$ = Integer.parseInt(metadataId);
 
             // get metadata, extracting and indexing any xlinks
-            Element md = getXmlSerializer().selectNoXLinkResolver(metadataId, true);
+            Element md = getXmlSerializer().selectNoXLinkResolver(metadataId, true, false);
             if (getXmlSerializer().resolveXLinks()) {
                 List<Attribute> xlinks = Processor.getXLinks(md);
                 if (xlinks.size() > 0) {
@@ -1394,8 +1393,6 @@ public void increasePopularity(ServiceContext srvContext, String id) throws Exce
             // Update the popularity in database
             int iId = Integer.parseInt(id);
             getMetadataRepository().incrementPopularity(iId);
-            _entityManager.flush();
-            _entityManager.clear();
 
             // And register the metadata to be indexed in the near future
             final IndexingList list = srvContext.getBean(IndexingList.class);
@@ -1632,6 +1629,16 @@ public Metadata insertMetadata(ServiceContext context, Metadata newMetadata, Ele
     public Element getMetadataNoInfo(ServiceContext srvContext, String id) throws Exception {
         Element md = getMetadata(srvContext, id, false, false, false);
         md.removeChild(Edit.RootChild.INFO, Edit.NAMESPACE);
+
+        // Drop Geonet namespace declaration. It may be contained
+        // multiple times, so loop on all.
+        final List<Namespace> additionalNamespaces =
+            new ArrayList<>(md.getAdditionalNamespaces());
+        for (Namespace n : additionalNamespaces) {
+            if (Edit.NAMESPACE.getURI().equals(n.getURI())) {
+                md.removeNamespaceDeclaration(Edit.NAMESPACE);
+            }
+        }
         return md;
     }
 
@@ -1640,7 +1647,7 @@ public Element getMetadataNoInfo(ServiceContext srvContext, String id) throws Ex
      * in the same transaction.
      */
     public Element getMetadata(String id) throws Exception {
-        Element md = getXmlSerializer().selectNoXLinkResolver(id, false);
+        Element md = getXmlSerializer().selectNoXLinkResolver(id, false, false);
         if (md == null) return null;
         md.detach();
         return md;
@@ -1658,7 +1665,7 @@ public Element getMetadata(String id) throws Exception {
     public Element getMetadata(ServiceContext srvContext, String id, boolean forEditing,
                                boolean withEditorValidationErrors, boolean keepXlinkAttributes) throws Exception {
         boolean doXLinks = getXmlSerializer().resolveXLinks();
-        Element metadataXml = getXmlSerializer().selectNoXLinkResolver(id, false);
+        Element metadataXml = getXmlSerializer().selectNoXLinkResolver(id, false, forEditing);
         if (metadataXml == null) return null;
 
         String version = null;

diff --git a/core/src/main/java/org/fao/geonet/kernel/EditLib.java b/core/src/main/java/org/fao/geonet/kernel/EditLib.java
@@ -45,12 +45,27 @@
 import org.jaxen.JaxenException;
 import org.jaxen.SimpleNamespaceContext;
 import org.jaxen.jdom.JDOMXPath;
-import org.jdom.*;
+import org.jdom.Attribute;
+import org.jdom.Content;
+import org.jdom.Element;
+import org.jdom.JDOMException;
+import org.jdom.Namespace;
+import org.jdom.Text;
 import org.jdom.filter.ElementFilter;
 
 import java.io.IOException;
 import java.io.StringReader;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.BitSet;
+import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+import java.util.Vector;
 
 /**
  * TODO javadoc.
@@ -422,7 +437,7 @@ public void addXMLFragments(String schema, Element md, Map<String, String> xmlIn
                             @SuppressWarnings("unchecked")
                             List<Element> children = node.getChildren();
                             for (int i = 0; i < children.size(); i++) {
-                                el.addContent(children.get(i).detach());
+                                el.addContent((Element) children.get(i).clone());
                             }
                             List<Attribute> attributes = node.getAttributes();
                             for (Attribute a : attributes) {

diff --git a/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java b/core/src/main/java/org/fao/geonet/kernel/GeonetworkDataDirectory.java
@@ -86,12 +86,22 @@ public class GeonetworkDataDirectory {
 
     /**
      * Check and create if needed GeoNetwork data directory.
-     *
-     * The data directory is the only mandatory value. If not set, the default location is {@link
-     * #getDefaultDataDir(java.nio.file.Path)}.
-     *
-     * All properties are set using : <ul> <ol> Java environment variable </ol> <ol> Servlet context
-     * parameter </ol> <ol> System environment variable </ol> </ul>
+     * <p>
+     * The data directory is the only mandatory value. If not set, the default location is
+     * {@link #getDefaultDataDir(java.nio.file.Path)}.
+     * <p>
+     * All properties are set using :
+     * <ul>
+     * <ol>
+     * Java environment variable
+     * </ol>
+     * <ol>
+     * Servlet context parameter
+     * </ol>
+     * <ol>
+     * System environment variable
+     * </ol>
+     * </ul>
      */
     public void init(final String webappName, final Path webappDir,
                      final ServiceConfig handlerConfig, final JeevesServlet jeevesServlet) throws IOException {
@@ -123,19 +133,20 @@ public void init(final String webappName, final Path webappDir, Path systemDataD
     }
 
     /**
-     * Determines the location of a property based on the following lookup mechanism:
-     *
-     * 1) Java environment variable 2) Servlet context variable 3) Config.xml appHandler parameter
-     * 4) System variable
-     *
-     * For each of these, the methods checks that 1) The path exists 2) Is a directory 3) Is
-     * writable
-     *
+     * Determines the location of a property based on the
+     * following lookup mechanism:
+     * <p>
+     * 1) Java environment variable 2) Servlet context variable 3) Config.xml appHandler parameter 4) System
+     * variable
+     * <p>
+     * For each of these, the methods checks that 1) The path exists 2) Is a
+     * directory 3) Is writable
+     * <p>
      * Inspired by GeoServer mechanism.
      *
      * @param handlerConfig TODO
-     * @return String The absolute path to the data directory, or <code>null</code> if it could not
-     * be found.
+     * @return String The absolute path to the data directory, or
+     * <code>null</code> if it could not be found.
      */
     private Path lookupProperty(JeevesServlet jeevesServlet, ServiceConfig handlerConfig, String key) {
 
@@ -329,7 +340,8 @@ private void updateSystemDataDirWithNodeSuffix() {
     }
 
     /**
-     * Checks if data directory is empty or not. If empty, add mandatory elements (ie. codelist).
+     * Checks if data directory is empty or not. If empty, add mandatory
+     * elements (ie. codelist).
      */
     private void initDataDirectory() throws IOException {
         Log.info(Geonet.DATA_DIRECTORY, "   - Data directory initialization ...");
@@ -432,11 +444,17 @@ private Path getDefaultDataDir(Path webappDir) {
     }
 
     /**
-     * Try to retrieve from system properties the variable with name <webapp.name>.key. If not set,
-     * create the resource folder using <geonetwork.dir>/folder and set the system property value.
-     * Create the folder if does not exist.
+     * Try to retrieve from system properties the variable with name
+     * <webapp.name>.key. If not set, create the resource folder using
+     * <geonetwork.dir>/folder and set the system property value. Create the
+     * folder if does not exist.
      *
-     * @param handlerKey @return
+     * @param jeevesServlet
+     * @param webappName
+     * @param handlerConfig
+     * @param key
+     * @param handlerKey    @return
+     * @param firstPathSeg
      */
     private Path setDir(JeevesServlet jeevesServlet, String webappName,
                         ServiceConfig handlerConfig, Path dir, String key, String handlerKey, String firstPathSeg, String... otherSegments) {

diff --git a/core/src/main/java/org/fao/geonet/kernel/SelectionManager.java b/core/src/main/java/org/fao/geonet/kernel/SelectionManager.java
@@ -27,6 +27,7 @@
 import jeeves.server.UserSession;
 import jeeves.server.context.ServiceContext;
 
+import org.apache.commons.lang.StringUtils;
 import org.fao.geonet.GeonetContext;
 import org.fao.geonet.constants.Edit;
 import org.fao.geonet.constants.Geonet;
@@ -48,6 +49,7 @@
 public class SelectionManager {
 
     public static final String SELECTION_METADATA = "metadata";
+    public static final String SELECTION_BUCKET = "bucket";
     // used to limit select all if get system setting maxrecords fails or contains value we can't parse
     public static final int DEFAULT_MAXHITS = 1000;
     public static final String ADD_ALL_SELECTED = "add-all";
@@ -70,14 +72,16 @@ private SelectionManager() {
      * session</li> <li>set selected false if result element not in session</li> </ul> </p>
      *
      * @param result the result modified<br/>
-     * @see org.fao.geonet.services.main.Result <br/>
      */
     public static void updateMDResult(UserSession session, Element result) {
+        updateMDResult(session, result, SELECTION_METADATA);
+    }
+    public static void updateMDResult(UserSession session, Element result, String bucket) {
         SelectionManager manager = getManager(session);
         @SuppressWarnings("unchecked")
         List<Element> elList = result.getChildren();
 
-        Set<String> selection = manager.getSelection(SELECTION_METADATA);
+        Set<String> selection = manager.getSelection(bucket);
 
         for (Element element : elList) {
             if (element.getName().equals(Geonet.Elem.SUMMARY)) {
@@ -94,8 +98,8 @@ public static void updateMDResult(UserSession session, Element result) {
                     .setText("false"));
             }
         }
-        result.setAttribute(Edit.Info.Elem.SELECTED, Integer
-            .toString(selection.size()));
+        result.setAttribute(Edit.Info.Elem.SELECTED,
+            selection == null ? "0" : Integer.toString(selection.size()));
     }
 
     /**
@@ -221,8 +225,9 @@ public void selectAll(String type, ServiceContext context, UserSession session)
         if (selection != null)
             selection.clear();
 
-        if (type.equals(SELECTION_METADATA)) {
-            Element request = (Element) session.getProperty(Geonet.Session.SEARCH_REQUEST);
+//        if (type.equals(SELECTION_METADATA)) {
+        if (StringUtils.isNotEmpty(type)) {
+            Element request = (Element) session.getProperty(Geonet.Session.SEARCH_REQUEST + type);
             Object searcher = null;
 
             // Run last search if xml.search or q service is used (ie. last searcher is not stored in current session).
@@ -239,7 +244,7 @@ public void selectAll(String type, ServiceContext context, UserSession session)
                     e.printStackTrace();
                 }
             } else {
-                searcher = session.getProperty(Geonet.Session.SEARCH_RESULT);
+                searcher = session.getProperty(Geonet.Session.SEARCH_RESULT + type);
             }
             if (searcher == null)
                 return;
@@ -286,6 +291,12 @@ public void close() {
      * @return Set<String>
      */
     public Set<String> getSelection(String type) {
+        Set<String> sel = selections.get(type);
+        if (sel == null) {
+            Set<String> MDSelection = Collections
+                .synchronizedSet(new HashSet<String>(0));
+            selections.put(type, MDSelection);
+        }
         return selections.get(type);
     }