From b1042873e663dc6ad1f4bf29304f559a2a72abfc Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Fri, 20 Dec 2013 17:09:42 +0100
Subject: [PATCH] OO-919: send a 400 if the action is not a number (instead of
 red screen)

---
 .../org/olat/core/gui/components/Window.java  |  8 +++++
 .../components/form/flexible/impl/Form.java   |  8 +++--
 .../InvalidRequestParameterException.java     | 32 +++++++++++++++++++
 .../dispatcher/AuthenticatedDispatcher.java   |  8 +++++
 .../org/olat/dispatcher/DMZDispatcher.java    | 11 +++++--
 5 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/olat/core/gui/components/form/flexible/impl/InvalidRequestParameterException.java

diff --git a/src/main/java/org/olat/core/gui/components/Window.java b/src/main/java/org/olat/core/gui/components/Window.java
index 297e6242b99..e0da11f3c4e 100644
--- a/src/main/java/org/olat/core/gui/components/Window.java
+++ b/src/main/java/org/olat/core/gui/components/Window.java
@@ -26,6 +26,7 @@
 
 package org.olat.core.gui.components;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -43,6 +44,7 @@ import org.olat.core.gui.GUIInterna;
 import org.olat.core.gui.GlobalSettings;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.Windows;
+import org.olat.core.gui.components.form.flexible.impl.InvalidRequestParameterException;
 import org.olat.core.gui.components.htmlheader.jscss.CustomCSS;
 import org.olat.core.gui.components.panel.Panel;
 import org.olat.core.gui.control.ChiefController;
@@ -494,6 +496,12 @@ public class Window extends Container {
 						}
 						
 						wbackofficeImpl.pushCommands(request, response);
+					}  catch (InvalidRequestParameterException e) {
+						try {
+							response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+						} catch (IOException e1) {
+							log.error("An exception occured while handling the invalid request parameter exception...", e1);
+						}
 					} catch (Throwable th) {
 						// in any case, try to inform the user appropriately.
 						// a) error while dispatching (e.g. db problem, npe, ...)
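Review bot: `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` in the new catch throws IllegalStateException when the response has already been committed, and because it runs inside a catch block that exception is not picked up by the sibling `catch (Throwable th)` below — it escapes the dispatch and produces exactly the red screen this patch sets out to remove. Whether output can already have started when Form raises InvalidRequestParameterException is not visible from this hunk, but the guard is cheap: `if (!response.isCommitted()) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); }`. The malformed request is also dropped silently; a `log.debug("Invalid request parameter, sending 400", e);` line (without echoing the raw parameter value) would make probing of the form dispatcher visible in the logs. The enclosing method starts and ends outside the hunk.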
diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/Form.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/Form.java
index 4d63f9933ca..6fc738ada0e 100644
--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/Form.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/Form.java
@@ -250,8 +250,12 @@ public class Form extends LogDelegator {
 				// see also OLAT-3141
 				implicitFormSubmit = true;
 			}
-		}else{
-			action = Integer.valueOf(dispatchAction);
+		} else {
+			try {
+				action = Integer.valueOf(dispatchAction);
+			} catch(Exception e) {
+				throw new InvalidRequestParameterException();
+			}
 		}
 		hasAlreadyFired = false;
 		isValidAndSubmitted = false;
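Review bot: The new `catch(Exception e)` around `Integer.valueOf(dispatchAction)` is broader than the failure it guards: that call can only fail with NumberFormatException (a null `dispatchAction` is reported the same way), so catching Exception would also relabel genuine programming errors in this path as a client-side 400. The original exception is also discarded, so neither the cause nor the offending value survives to the catch sites; with the exception class as added in this patch (no-arg constructor only) there is no way to attach it. Narrow the catch to `} catch (NumberFormatException e) {` and, once the exception type can carry a cause, throw `new InvalidRequestParameterException("dispatch action is not a number", e)`. The enclosing method starts outside the hunk.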
diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/InvalidRequestParameterException.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/InvalidRequestParameterException.java
new file mode 100644
index 00000000000..300aae73e42
--- /dev/null
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/InvalidRequestParameterException.java
@@ -0,0 +1,32 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+package org.olat.core.gui.components.form.flexible.impl;
+
+/**
+ * 
+ * Initial date: 20.12.2013<br>
+ * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
+ *
+ */
+public class InvalidRequestParameterException extends RuntimeException {
+
+	private static final long serialVersionUID = -6658182207801689742L;
+
+}
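Review bot: The class declares no constructors beyond the implicit no-arg one, so throw sites cannot attach a message or the underlying NumberFormatException, and the catch sites that map it to 400 have nothing to log about which parameter was bad. Add `public InvalidRequestParameterException() { super(); }` and `public InvalidRequestParameterException(String message, Throwable cause) { super(message, cause); }` so the cause is preserved. The class Javadoc holds only author and date; a sentence stating that it signals a malformed client-supplied request parameter and that the dispatchers translate it into an HTTP 400 rather than an error window would explain why it is an unchecked exception. Since messages may end up in logs, throw sites should describe the parameter rather than embed its raw value.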
diff --git a/src/main/java/org/olat/dispatcher/AuthenticatedDispatcher.java b/src/main/java/org/olat/dispatcher/AuthenticatedDispatcher.java
index 3a7901c0e92..e2a1986b594 100644
--- a/src/main/java/org/olat/dispatcher/AuthenticatedDispatcher.java
+++ b/src/main/java/org/olat/dispatcher/AuthenticatedDispatcher.java
@@ -25,6 +25,7 @@
 
 package org.olat.dispatcher;
 
+import java.io.IOException;
 import java.util.Locale;
 
 import javax.servlet.http.HttpServletRequest;
@@ -41,6 +42,7 @@ import org.olat.core.gui.UserRequestImpl;
 import org.olat.core.gui.WindowSettings;
 import org.olat.core.gui.Windows;
 import org.olat.core.gui.components.Window;
+import org.olat.core.gui.components.form.flexible.impl.InvalidRequestParameterException;
 import org.olat.core.gui.control.ChiefController;
 import org.olat.core.gui.control.WindowControl;
 import org.olat.core.gui.exception.MsgFactory;
@@ -197,6 +199,12 @@ public class AuthenticatedDispatcher implements Dispatcher {
 					log.error("Invalid URI in AuthenticatedDispatcher: " + request.getRequestURI());
 				}
 			}
+		} catch (InvalidRequestParameterException e) {
+			try {
+				response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+			} catch (IOException e1) {
+				log.error("An exception occured while handling the invalid request parameter exception...", e1);
+			}
 		} catch (Throwable th) {
 			// Do not log as Warn or Error here, log as ERROR in MsgFactory => ExceptionWindowController throws an OLATRuntimeException 
 			log.debug("handleError in AuthenticatedDispatcher throwable=" + th);
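Review bot: The new `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` is unguarded: if the response is already committed it throws IllegalStateException, which, being raised inside a catch block, bypasses the `catch (Throwable th)` below and propagates out of the dispatcher. Wrap it as `if (!response.isCommitted()) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); }`. This branch also logs nothing, unlike the invalid-URI branch just above it; a `log.debug("Invalid request parameter in AuthenticatedDispatcher: " + request.getRequestURI(), e);` in the same style would let repeated malformed requests from an authenticated session be traced. The enclosing method starts and ends outside the hunk.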
diff --git a/src/main/java/org/olat/dispatcher/DMZDispatcher.java b/src/main/java/org/olat/dispatcher/DMZDispatcher.java
index 8954bb8e7a9..d5e2b5be17f 100644
--- a/src/main/java/org/olat/dispatcher/DMZDispatcher.java
+++ b/src/main/java/org/olat/dispatcher/DMZDispatcher.java
@@ -25,6 +25,7 @@
 
 package org.olat.dispatcher;
 
+import java.io.IOException;
 import java.util.List;
 import java.util.Map;
 
@@ -40,6 +41,7 @@ import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.UserRequestImpl;
 import org.olat.core.gui.Windows;
 import org.olat.core.gui.components.Window;
+import org.olat.core.gui.components.form.flexible.impl.InvalidRequestParameterException;
 import org.olat.core.gui.control.ChiefController;
 import org.olat.core.gui.control.ChiefControllerCreator;
 import org.olat.core.gui.control.generic.dtabs.DTabs;
@@ -274,6 +276,12 @@ public class DMZDispatcher implements Dispatcher {
 				}
 				window.dispatchRequest(ureq);
 			}
+		} catch (InvalidRequestParameterException e) {
+			try {
+				response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+			} catch (IOException e1) {
+				log.error("An exception occured while handling the invalid request parameter exception...", e1);
+			}
 		} catch (Throwable th) {
 			try {
 				ChiefController msgcc = MsgFactory.createMessageChiefController(ureq, th);
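Review bot: The try/`sendError`/catch-IOException/log block added here is the third verbatim copy in this patch (Window and AuthenticatedDispatcher carry the same six lines), and any later fix — such as the `response.isCommitted()` guard that sendError needs to avoid an IllegalStateException on an already-committed response — would have to be applied three times. A small shared static helper taking the HttpServletResponse, with the isCommitted check and the IOException logging inside it, would keep the three call sites to one line each: `sendBadRequest(response);`. This dispatcher is the unauthenticated entry point, so the 400 path is reachable by anyone; a debug-level log of the request URI here, as the DMZ dispatcher already does for other errors elsewhere, would help when it is being exercised deliberately. The enclosing method starts outside the hunk.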
@@ -282,8 +290,7 @@ public class DMZDispatcher implements Dispatcher {
 				// do not dispatch (render only), since this is a new Window created as
 				// a result of another window's click.
 			} catch (Throwable t) {
-				log.error("An exception occured while handling the exception...",t);
-
+				log.error("An exception occured while handling the exception...", t);
 			}
 		}
 	}
-- 
GitLab