Merge pull request #6 from lendup/1.2.6-security-compiled-regex

1.2.6 security compiled regex

.travis.yml

@@ -0,0 +1,14 @@
+language: java
+jdk:
+  - openjdk6 
+script: ant -buildfile ./framework/build.xml test
+after_failure: 
+    cat ./samples-and-tests/just-test-cases/test-result/*.failed.html
+    cat ./samples-and-tests/forum/test-result/*.failed.html
+    cat ./samples-and-tests/zencontact/test-result/*.failed.html
+    cat ./samples-and-tests/jobboard/test-result/*.failed.html
+    cat ./samples-and-tests/yabe/test-result/*.failed.html
+notifications:
+  email:
+    on_success: change
+    on_failure: always

documentation/manual/releasenotes-1.2.5.5.textile

@@ -0,0 +1,4 @@
+h1. Play 1.2.5.5 -- Release notes
+
+Play 1.2.5.5 has been released of the 1.2.5.x-security maintenance branch.
+It was released to fix a vulnerability in play's URL builder (jsAction tag).

documentation/manual/releasenotes-1.2.6.1.textile

@@ -0,0 +1,4 @@
+h1. Play 1.2.6.1 -- Release notes
+
+Play 1.2.6.1 has been released of the 1.2.6.x-security maintenance branch.
+It was released to fix a vulnerability in play's URL builder (jsAction tag).

documentation/manual/releasenotes-1.2.6.2.textile

@@ -0,0 +1,8 @@
+h1. Play 1.2.6.2 -- Release notes
+
+Play 1.2.6.2 has been released of the 1.2.6.x-security maintenance branch.
+
+h2. What's fixed in Play 1.2.6.2
+
+Fix vulnerabilty : Reset current request to avoid 3rd-party to acquire session information for another in-progress request
+

framework/build.xml

@@ -85,7 +85,10 @@
                author="false"
                version="true"
                use="true"
-               windowtitle="Play! API">
+               windowtitle="Play! API"
+               encoding="UTF-8"
+               docencoding="UTF-8"
+               charset="UTF-8">
             <classpath refid="project.classpath"/>
             <doctitle><![CDATA[<h1>Play! ${version}</h1>]]></doctitle>
             <bottom><![CDATA[<a href="http://guillaume.bort.fr">Guillaume Bort</a> &amp; <a href="http://www.zenexity.fr">zenexity</a> - Distributed under <a href="http://www.apache.org/licenses/LICENSE-2.0.html">Apache 2 licence</a>, without any warrantly]]></bottom>

framework/src/play/db/DBPlugin.java

@@ -11,15 +11,19 @@
 import java.sql.DriverManager;
 import java.sql.DriverPropertyInfo;
 import java.sql.SQLException;
+import java.sql.SQLFeatureNotSupportedException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
+
 import javax.naming.Context;
 import javax.naming.InitialContext;
 import javax.sql.DataSource;
 
 import jregex.Matcher;
+
 import org.apache.commons.lang.StringUtils;
+
 import play.Logger;
 import play.Play;
 import play.PlayPlugin;
@@ -338,6 +342,17 @@ public DriverPropertyInfo[] getPropertyInfo(String u, Properties p) throws SQLEx
         public boolean jdbcCompliant() {
             return this.driver.jdbcCompliant();
         }
+
+        // Method not annotated with @Override since getParentLogger() is a new method
+        // in the CommonDataSource interface starting with JDK7 and this annotation
+        // would cause compilation errors with JDK6.
+        public java.util.logging.Logger getParentLogger() throws SQLFeatureNotSupportedException {
+            try {
+                return (java.util.logging.Logger) Driver.class.getDeclaredMethod("getParentLogger").invoke(this.driver);
+            } catch (Throwable e) {
+                return null;
+            }
+        }
     }
 
     public static class PlayConnectionCustomizer implements ConnectionCustomizer {

framework/src/play/libs/XML.java

@@ -1,9 +1,6 @@
 package play.libs;
 
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
+import java.io.*;
 import java.security.Key;
 import java.security.Provider;
 import java.security.interfaces.RSAPrivateKey;
@@ -26,6 +23,7 @@
 import javax.xml.crypto.dsig.keyinfo.KeyValue;
 import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
@@ -46,6 +44,25 @@
  */
 public class XML {
 
+    public static DocumentBuilderFactory newDocumentBuilderFactory() {
+        try {
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            return dbf;
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static DocumentBuilder newDocumentBuilder() {
+        try {
+            return newDocumentBuilderFactory().newDocumentBuilder();
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     /**
      * Serialize to XML String
      * @param document The DOM document
@@ -58,7 +75,7 @@ public static String serialize(Document document) {
             Transformer transformer = factory.newTransformer();
             DOMSource domSource = new DOMSource(document);
             StreamResult streamResult = new StreamResult(writer);
-            transformer.transform(domSource, streamResult); 
+            transformer.transform(domSource, streamResult);
         } catch (TransformerException e) {
             throw new RuntimeException(
                     "Error when serializing XML document.", e);
@@ -69,18 +86,15 @@ public static String serialize(Document document) {
     /**
      * Parse an XML file to DOM
      * @return null if an error occurs during parsing.
-     * 
+     *
      */
     public static Document getDocument(File file) {
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         try {
-            return dbf.newDocumentBuilder().parse(file);
+            return newDocumentBuilder().parse(file);
         } catch (SAXException e) {
             Logger.warn("Parsing error when building Document object from xml file '" + file + "'.", e);
         } catch (IOException e) {
             Logger.warn("Reading error when building Document object from xml file '" + file + "'.", e);
-        } catch (ParserConfigurationException e) {
-            Logger.warn("Parsing error when building Document object from xml file '" + file + "'.", e);
         }
         return null;
     }
@@ -91,15 +105,27 @@ public static Document getDocument(File file) {
      */
     public static Document getDocument(String xml) {
         InputSource source = new InputSource(new StringReader(xml));
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         try {
-            return dbf.newDocumentBuilder().parse(source);
+            return newDocumentBuilder().parse(source);
         } catch (SAXException e) {
             Logger.warn("Parsing error when building Document object from xml data.", e);
         } catch (IOException e) {
             Logger.warn("Reading error when building Document object from xml data.", e);
-        } catch (ParserConfigurationException e) {
+        }
+        return null;
+    }
+
+    /**
+     * Parse an XML coming from an input stream to DOM
+     * @return null if an error occurs during parsing.
+     */
+    public static Document getDocument(InputStream stream) {
+        try {
+            return newDocumentBuilder().parse(stream);
+        } catch (SAXException e) {
             Logger.warn("Parsing error when building Document object from xml data.", e);
+        } catch (IOException e) {
+            Logger.warn("Reading error when building Document object from xml data.", e);
         }
         return null;
     }

framework/src/play/mvc/Router.java

@@ -509,11 +509,13 @@ public static ActionDefinition reverse(String action, Map<String, Object> args)
                                         try {
                                             queryString.append(URLEncoder.encode(key, encoding));
                                             queryString.append("=");
-                                            if (object.toString().startsWith(":")) {
-                                                queryString.append(object.toString());
-                                            } else {
-                                                queryString.append(URLEncoder.encode(object.toString() + "", encoding));
-                                            }
+                                            String objStr = object.toString();
+                                            // Special case to handle jsAction tag
+                                            if (objStr.startsWith(":")  && objStr.length() > 1) {
+                                              queryString.append(':');
+                                              objStr = objStr.substring(1);
+                                            } 
+                                            queryString.append(URLEncoder.encode(objStr + "", encoding));
                                             queryString.append("&");
                                         } catch (UnsupportedEncodingException ex) {
                                         }
@@ -524,11 +526,13 @@ public static ActionDefinition reverse(String action, Map<String, Object> args)
                                     try {
                                         queryString.append(URLEncoder.encode(key, encoding));
                                         queryString.append("=");
-                                        if (value.toString().startsWith(":")) {
-                                            queryString.append(value.toString());
-                                        } else {
-                                            queryString.append(URLEncoder.encode(value.toString() + "", encoding));
-                                        }
+                                        String objStr = value.toString();
+                                        // Special case to handle jsAction tag
+                                        if (objStr.startsWith(":") && objStr.length() > 1) {
+                                          queryString.append(':');
+                                          objStr = objStr.substring(1);
+                                        } 
+                                        queryString.append(URLEncoder.encode(objStr + "", encoding));
                                         queryString.append("&");
                                     } catch (UnsupportedEncodingException ex) {
                                     }

framework/src/play/server/PlayHandler.java

@@ -98,10 +98,10 @@ public void messageReceived(final ChannelHandlerContext ctx, final MessageEvent
 
             // Plain old HttpRequest
             try {
-                final Request request = parseRequest(ctx, nettyRequest, messageEvent);
-
                 final Response response = new Response();
                 Http.Response.current.set(response);
+
+                final Request request = parseRequest(ctx, nettyRequest, messageEvent);
 
                 // Buffered in memory output
                 response.out = new ByteArrayOutputStream();

framework/src/play/templates/FastTags.java

@@ -59,7 +59,28 @@ public static void _verbatim(Map<?, ?> args, Closure body, PrintWriter out, Exec
     }
 
     public static void _jsAction(Map<?, ?> args, Closure body, PrintWriter out, ExecutableTemplate template, int fromLine) {
-		out.println("function(options) {var pattern = '" + args.get("arg").toString().replace("&amp;", "&") + "'; for(var key in options) { pattern = pattern.replace(':'+key, options[key] || ''); } return pattern }");
+        String html = "";
+        String minimize = "";
+        if(args.containsKey("minimize") && Boolean.FALSE.equals(Boolean.valueOf(args.get("minimize").toString()))){
+            minimize = "\n";
+        }
+        html += "function(options) {" + minimize;
+        html += "var pattern = '" + args.get("arg").toString().replace("&amp;", "&") + "';" + minimize;;
+        html += "for(key in options) {" + minimize;;
+        html += "var val = options[key];" + minimize;
+        // Encode URI script
+        if(args.containsKey("encodeURI") && Boolean.TRUE.equals(Boolean.valueOf(args.get("encodeURI").toString()))){ 
+            html += "val = encodeURIComponent(val.replace('&amp;', '&'));" + minimize;
+        }
+        //Custom script
+        if(args.containsKey("customScript")){
+            html += "val = " + args.get("customScript") + minimize;
+        }
+        html += "pattern = pattern.replace(':' + encodeURIComponent(key), val || '');"+ minimize;
+        html += "}" + minimize;;
+        html += "return pattern;" + minimize;;
+        html += "}" + minimize;
+	out.println(html);
     }
 
     public static void _jsRoute(Map<?, ?> args, Closure body, PrintWriter out, ExecutableTemplate template, int fromLine) {

framework/src/play/templates/TemplateLoader.java

@@ -205,7 +205,8 @@ public static Template load(String path) {
      */
     public static List<Template> getAllTemplate() {
         List<Template> res = new ArrayList<Template>();
-        ExecutorService executor = Executors.newFixedThreadPool(9);
+        int cores = Runtime.getRuntime().availableProcessors() + 1;
+        ExecutorService executor = Executors.newFixedThreadPool(cores);
         for (VirtualFile virtualFile : Play.templatesPath) {
             scan(res, virtualFile, executor);
         }

framework/test-src/play/mvc/CookieDataCodecTest.java

@@ -1,15 +1,16 @@
 package play.mvc;
 
-import org.junit.Test;
+import static org.fest.assertions.Assertions.assertThat;
+import static play.mvc.CookieDataCodec.decode;
+import static play.mvc.CookieDataCodec.encode;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
-import static org.fest.assertions.Assertions.assertThat;
-import static play.mvc.CookieDataCodec.decode;
-import static play.mvc.CookieDataCodec.encode;
+import org.junit.Test;
 
 public class CookieDataCodecTest {
 
@@ -113,7 +114,8 @@ public void specifically_exclude_special_cookie_chars() throws UnsupportedEncodi
     private String oldEncoder(final Map<String, String> out) throws UnsupportedEncodingException {
         StringBuilder flash = new StringBuilder();
         for (String key : out.keySet()) {
-            if (out.get(key) == null) continue;
+            if (out.get(key) == null)
+                continue;
             flash.append("\u0000");
             flash.append(key);
             flash.append(":");
@@ -152,4 +154,13 @@ public void decode_values_with_gibberish_in_them() throws UnsupportedEncodingExc
         decode(outMap, data);
         assertThat(outMap.isEmpty());
     }
+
+    @Test
+    public void decode_values_with_dollar_in_them() throws UnsupportedEncodingException {
+        final String data = "%00$Name= %3Avalue%00";
+        final Map<String, String> outMap = new HashMap<String, String>(1);
+        decode(outMap, data);
+        assertThat(outMap.isEmpty());
+    }
+
 }