XWIKI-19549: Disallow template override for login, register and skin
* Also allow `registerinline` template for RegisterAction.
michitux committed Mar 25, 2022
1 parent 71a6d0b commit 9b7057d
Showing 1 changed file with 9 additions and 3 deletions.
Expand Up @@ -19,6 +19,9 @@
*/
package com.xpn.xwiki.web;

import java.util.Arrays;
import java.util.List;

import javax.inject.Named;
import javax.inject.Singleton;
import javax.script.ScriptContext;
Expand Down Expand Up @@ -55,17 +58,20 @@ public class RegisterAction extends XWikiAction
/** Space where the registration config and class are stored. */
private static final String WIKI_SPACE = "XWiki";

/** Allowed templates for this action. */
private static final List<String> ALLOWED_TEMPLATES = Arrays.asList(REGISTER, "registerinline");

@Override
public boolean action(XWikiContext context) throws XWikiException
{
XWiki xwiki = context.getWiki();
XWikiRequest request = context.getRequest();
XWikiResponse response = context.getResponse();

// Disallow template override with xpage parameter.
if (!REGISTER.equals(Utils.getPage(context.getRequest(), REGISTER))) {
// Limit template overrides with xpage to allowed templates.
if (!ALLOWED_TEMPLATES.contains(Utils.getPage(context.getRequest(), REGISTER))) {
throw new XWikiException(XWikiException.MODULE_XWIKI, XWikiException.ERROR_XWIKI_ACCESS_DENIED,
String.format("Template may not be overriden with 'xpage' in [%s] action.", REGISTER));
String.format("Forbidden template override with 'xpage' in [%s] action.", REGISTER));
}

String register = request.getParameter(REGISTER);
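Review bot: The allowlist that gates `xpage` overrides is built with `Arrays.asList` (new field `ALLOWED_TEMPLATES`), which yields a fixed-size but element-settable view rather than an immutable list; since this constant is now the security boundary of the check, it should be unmodifiable, e.g. `private static final List<String> ALLOWED_TEMPLATES = Collections.unmodifiableList(Arrays.asList(REGISTER, "registerinline"));` (or `List.of(...)` if the project's Java baseline permits it). Its Javadoc should also state why the second entry is allowed and what happens otherwise, e.g. `/** Templates that may be selected with {@code xpage} for this action (the standard and inline register pages); any other value is rejected as access denied. */`, so the next maintainer does not widen it casually. A minor style point: the new condition calls `Utils.getPage(context.getRequest(), REGISTER)` although the `request` local obtained a few lines earlier already holds the same object, so `Utils.getPage(request, REGISTER)` would be consistent with the rest of the method. The enclosing `action` method continues past the end of this hunk, so whether `render()` or other paths apply the same restriction cannot be seen here.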