diff --git a/src/main/java/org/olat/admin/AdminModuleDispatcher.java b/src/main/java/org/olat/admin/AdminModuleDispatcher.java
index ced3c8502198b7220b2c100901eaf1afff4a96ca..9225b47a48859a4f434ba50fd1d84a6fa4f89ea8 100644
--- a/src/main/java/org/olat/admin/AdminModuleDispatcher.java
+++ b/src/main/java/org/olat/admin/AdminModuleDispatcher.java
@@ -47,29 +47,26 @@ import org.olat.core.util.session.UserSessionManager;
  */
 public class AdminModuleDispatcher implements Dispatcher {
 	
-	private final static  String PARAMETER_CMD          = "cmd"; 
-	private final static  String PARAMETER_MSG          = "msg";
-	private final static  String PARAMETER_MAX_MESSAGE  = "maxsessions";
-	private final static  String PARAMETER_NBR_SESSIONS = "nbrsessions";
-	private final static  String PARAMETER_SESSIONTIMEOUT ="sec";
+	private static final String PARAMETER_CMD          = "cmd"; 
+	private static final String PARAMETER_MSG          = "msg";
+	private static final String PARAMETER_MAX_MESSAGE  = "maxsessions";
+	private static final String PARAMETER_NBR_SESSIONS = "nbrsessions";
+	private static final String PARAMETER_SESSIONTIMEOUT ="sec";
 	
-	private final static  String CMD_SET_MAINTENANCE_MESSAGE    = "setmaintenancemessage";
-	private final static  String CMD_SET_INFO_MESSAGE    				= "setinfomessage"; 
-	private final static  String CMD_SET_LOGIN_BLOCKED          = "setloginblocked";
-	private final static  String CMD_SET_LOGIN_NOT_BLOCKED      = "setloginnotblocked";
-	private final static  String CMD_SET_MAX_SESSIONS           = "setmaxsessions";
-	private final static  String CMD_INVALIDATE_ALL_SESSIONS    = "invalidateallsessions";
-	private final static  String CMD_INVALIDATE_OLDEST_SESSIONS = "invalidateoldestsessions";
-	private final static  String CMD_SET_SESSIONTIMEOUT         = "sessiontimeout";
+	private static final String CMD_SET_MAINTENANCE_MESSAGE    = "setmaintenancemessage";
+	private static final String CMD_SET_INFO_MESSAGE    	   = "setinfomessage"; 
+	private static final String CMD_SET_LOGIN_BLOCKED          = "setloginblocked";
+	private static final String CMD_SET_LOGIN_NOT_BLOCKED      = "setloginnotblocked";
+	private static final String CMD_SET_MAX_SESSIONS           = "setmaxsessions";
+	private static final String CMD_INVALIDATE_ALL_SESSIONS    = "invalidateallsessions";
+	private static final String CMD_INVALIDATE_OLDEST_SESSIONS = "invalidateoldestsessions";
+	private static final String CMD_SET_SESSIONTIMEOUT         = "sessiontimeout";
 	
-	
-	/** 
-	 * @see org.olat.core.dispatcher.Dispatcher#execute(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String)
-	 */
+
 	@Override
 	public void execute(HttpServletRequest request, HttpServletResponse response) {
 		String cmd = request.getParameter(PARAMETER_CMD);
-		if (cmd.equalsIgnoreCase(CMD_SET_MAINTENANCE_MESSAGE) || cmd.equalsIgnoreCase(CMD_SET_INFO_MESSAGE)) {
+		if (CMD_SET_MAINTENANCE_MESSAGE.equalsIgnoreCase(cmd) || CMD_SET_INFO_MESSAGE.equalsIgnoreCase(cmd)) {
 			handleSetMaintenanceOrInfoMessage(request, response, cmd);
 		} else {
 			if (CoreSpringFactory.getImpl(AdminModule.class).checkSessionAdminToken(request)) {
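Review bot: A request with no `cmd` parameter no longer throws at the first comparison in `execute`, but it now enters the `else` branch with `cmd` still null. That branch continues outside the hunk, so it is not visible whether its later comparisons are null-safe; if any still call `cmd.equalsIgnoreCase(...)`, a caller that passes the admin token check would hit the same NullPointerException. Rejecting the missing parameter once at the top would cover every branch: `if (cmd == null) { DispatcherModule.sendBadRequest(request.getRequestURI(), response); return; }`.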
@@ -182,7 +179,4 @@ public class AdminModuleDispatcher implements Dispatcher {
 			DispatcherModule.sendForbidden(request.getPathInfo(), response);
 		}
 	}
-
-	
-
 }
diff --git a/src/main/java/org/olat/core/servlets/StaticServlet.java b/src/main/java/org/olat/core/servlets/StaticServlet.java
index 43b77cdba4a6a288c24c05907ad3ecf8872c75a5..319696843b400967df81ce3b18e1b9a798d1576a 100644
--- a/src/main/java/org/olat/core/servlets/StaticServlet.java
+++ b/src/main/java/org/olat/core/servlets/StaticServlet.java
@@ -107,7 +107,7 @@ public class StaticServlet extends HttpServlet {
 			// version provided - remove it
 			int start = pathInfo.indexOf("/", 2);
 			int end = pathInfo.length();
-			if(start <= end) {
+			if(start >= 2 && start <= end) {
 				String staticRelPath = pathInfo.substring(start, end);
 				String normalizedRelPath = ServletUtil.normalizePath(staticRelPath);
 				if (normalizedRelPath == null) {
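Review bot: The guard `start >= 2 && start <= end` is harder to read than the condition it encodes. `pathInfo.indexOf("/", 2)` returns either -1 or an index from 2 to length-1, so `start <= end` is always true and the only case excluded is a path with no second slash. `if (start != -1) {` with a comment such as `// no path after the version segment` says that directly. The `if` body runs past the hunk, so the response sent when the guard fails is not visible here; confirm it ends in an explicit error status rather than falling through.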
@@ -170,7 +170,7 @@ public class StaticServlet extends HttpServlet {
 					}
 				}
 				// log as error, file exists but wrongly mapped
-				log.warn("File exists but not mapped using version - use StaticMediaDispatch methods to create URL of static files! invalid URI::" + request.getRequestURI());			
+				log.warn("File exists but not mapped using version - use StaticMediaDispatch methods to create URL of static files! invalid URI::{}", request.getRequestURI());			
 			}
 		}
 		
diff --git a/src/main/java/org/olat/modules/webFeed/dispatching/FeedMediaDispatcher.java b/src/main/java/org/olat/modules/webFeed/dispatching/FeedMediaDispatcher.java
index 95c8aa48e143fa30d9719f765fac18131ff957bf..c5da36388038e1f269f641516b52a6ee6cb31379 100644
--- a/src/main/java/org/olat/modules/webFeed/dispatching/FeedMediaDispatcher.java
+++ b/src/main/java/org/olat/modules/webFeed/dispatching/FeedMediaDispatcher.java
@@ -166,7 +166,7 @@ public class FeedMediaDispatcher implements Dispatcher, GenericEventListener {
 						try {
 							validatedUriCache.remove(key);
 						} catch (Exception e) {
-							log.info("Cannot remove this key: " + key);
+							log.info("Cannot remove this key: {}", key);
 						}
 					}
 				}
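Review bot: The `catch (Exception e)` around `validatedUriCache.remove(key)` drops the exception, so the log line reports that a key could not be removed but not why. Passing the exception as the last argument keeps the cause: `log.info("Cannot remove this key: {}", key, e);`, assuming the logger treats a trailing Throwable as SLF4J and Log4j 2 do. The surrounding loop begins outside the hunk.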
@@ -186,6 +186,11 @@ public class FeedMediaDispatcher implements Dispatcher, GenericEventListener {
 		} catch(NumberFormatException nfe) {
 			//
 		}
+		
+		if(requestedPath == null || requestedPath.length() == 0) {
+			DispatcherModule.sendBadRequest(request.getRequestURI(), response);
+			return;
+		}
 
 		Path path = null;
 		try {
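Review bot: The new guard on `requestedPath` has no comment saying which failure it prevents, and the empty `catch(NumberFormatException nfe)` just above it still carries only `//`. A one-line comment such as `// no feed path in the request: answer 400 before the Path parsing below` would document it, if that is the intent. The `Path` handling starts at the end of the hunk and continues outside it, so that intent is inferred. The catch deserves its own note on why a malformed number is ignored. `requestedPath.isEmpty()` also reads more directly than `length() == 0`.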
diff --git a/src/main/webapp-tomcat/WEB-INF/web.xml b/src/main/webapp-tomcat/WEB-INF/web.xml
index f04c3db9f495858d4ec3cf4ff0a8e9d9fa3c55e3..fdb67bd02e09fb42f345f3ed64c2765f37d891e3 100644
--- a/src/main/webapp-tomcat/WEB-INF/web.xml
+++ b/src/main/webapp-tomcat/WEB-INF/web.xml
@@ -264,4 +264,13 @@
     	<exception-type>java.lang.Throwable</exception-type>
     	<location>/errors/error.html</location>
     </error-page>
+    
+    <security-constraint>
+		<web-resource-collection>
+			<web-resource-name><strong>restricted methods</strong></web-resource-name>
+			<url-pattern>/*</url-pattern>
+			<http-method>TRACE</http-method>
+		</web-resource-collection>
+		<auth-constraint />
+    </security-constraint>
 </web-app>
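Review bot: `<web-resource-name>` contains literal `<strong>` markup, which looks pasted from an HTML page. The element is a plain string in the deployment descriptor schema, so a validating container may reject the file and a lenient one will ignore or mangle the name. It should read `<web-resource-name>restricted methods</web-resource-name>`. A short XML comment above the constraint, for example `<!-- deny TRACE on all URLs: an empty auth-constraint grants access to no role -->`, would also explain why `<auth-constraint />` is empty.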