From d84462213a7cb63180f855ea7d9e7343fb5d4275 Mon Sep 17 00:00:00 2001
From: srosse <stephane.rosse@frentix.com>
Date: Tue, 23 Jul 2019 16:04:03 +0200
Subject: [PATCH] OO-4152: secure transformers, more getter / setters

---
 .../institution/InstitutionPortlet.java | 226 ++++++++++++---
 .../jms/ClusterAdminControllerCluster.java | 46 +--
 .../cluster/jms/_content/nodeinfos.html | 7 -
 .../olat/core/util/openxml/OpenXMLUtils.java | 27 +-
 .../olat/group/area/BGAreaManagerImpl.java | 5 +-
 .../manager/BusinessGroupImportExport.java | 116 ++++----
 .../org/olat/group/manager/GroupXStream.java | 269 ++++++++++++++++--
 .../qti/render/LocalizedXSLTransformer.java | 11 +-
 .../AssessmentTestComponentRenderer.java | 2 +
 .../olat/restapi/system/ProcSamplerJob.java | 1 +
 .../ShibbolethAuthenticationController.java | 1 +
 .../institution/InstitutionPortletTest.java | 4 +-
 .../BusinessGroupImportExportXStreamTest.java | 4 +-
 13 files changed, 512 insertions(+), 207 deletions(-)

diff --git a/src/main/java/de/bps/olat/portal/institution/InstitutionPortlet.java b/src/main/java/de/bps/olat/portal/institution/InstitutionPortlet.java
index a8d2cca5ba1..0c48a34153a 100644
--- a/src/main/java/de/bps/olat/portal/institution/InstitutionPortlet.java
+++ b/src/main/java/de/bps/olat/portal/institution/InstitutionPortlet.java
@@ -20,6 +20,7 @@ package de.bps.olat.portal.institution;
 import java.io.File;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -39,6 +40,7 @@ import org.olat.core.util.WebappHelper;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.naming.NoNameCoder;
 import com.thoughtworks.xstream.io.xml.XppDriver;
+import com.thoughtworks.xstream.security.ExplicitTypePermission;
 public class InstitutionPortlet extends AbstractPortlet {
@@ -121,9 +123,7 @@ public class InstitutionPortlet extends AbstractPortlet {
 this.cssWrapperClass = cssWrapperClass;
 }
- /**
- * @see org.olat.gui.control.generic.portal.Portlet#disposeRunComponent(boolean)
- */
+ @Override
 public void disposeRunComponent() {
 if (runCtr != null) {
 runCtr.dispose();
@@ -143,7 +143,7 @@ public class InstitutionPortlet extends AbstractPortlet {
 InstitutionConfiguration configuration = (InstitutionConfiguration)xstream.fromXML(configurationFile);
 for(InstitutionPortletEntry institution: configuration.getInstitution()) {
- String shortName = institution.shortname;
+ String shortName = institution.getShortname();
 if (shortName == null) {
 throw new StartupException("Institution portlet startup: No shortname given for one entry!");
 }
@@ -162,9 +162,19 @@ public class InstitutionPortlet extends AbstractPortlet {
 public static InstitutionPortletEntry getInstitutionPortletEntry(String institution) {
 return (InstitutionPortletEntry) institutions.get(institution);
 }
+
 public static XStream getInstitutionConfigXStream() {
 XStream xstream = new XStream(new XppDriver(new NoNameCoder()));
+
+ XStream.setupDefaultSecurity(xstream);
+ Class<?>[] types = new Class[] {
+ InstitutionConfiguration.class, Value.class, PolymorphLinkElement.class, PolymorphLink.class,
+ InstitutionPortletEntry.class, InstitutionPortletSupervisorEntry.class, InstitutionPortlet.class,
+ ArrayList.class
+ };
+ xstream.addPermission(new ExplicitTypePermission(types));
+
 xstream.alias("configuration", InstitutionConfiguration.class);
 xstream.addImplicitCollection(InstitutionConfiguration.class, "institution", "institution", InstitutionPortletEntry.class);
 xstream.alias("institution", InstitutionPortletEntry.class);
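Review bot: `InstitutionPortlet.class` is on the ExplicitTypePermission list in getInstitutionConfigXStream, yet none of the aliases visible here map the portlet to an element, so the configuration document has no reason to instantiate the portlet itself; an allowlist should name only the types the XML may contain, so I would drop it from `types`. Whether `ArrayList.class` is needed depends on whether `XStream.setupDefaultSecurity` in the XStream version in use already permits the `Collection` hierarchy — worth confirming, and the same question applies to the allowlist in GroupXStream's constructor. A one-line comment above the array, e.g. `// only the types the institution configuration XML may instantiate; anything else is rejected by XStream's security framework`, would tell the next maintainer why the list exists and must be kept in step with the aliases. The alias setup continues below the hunk.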
@@ -209,12 +219,12 @@ class InstitutionPortlet extends AbstractPortlet {
 */
 class InstitutionPortletEntry {
- public List<InstitutionPortletSupervisorEntry> supervisor;
- public List<PolymorphLink> polymorphlink;
- public Value logo;
- public Value name;
- public Value url;
- public String shortname;
+ private List<InstitutionPortletSupervisorEntry> supervisor;
+ private List<PolymorphLink> polymorphlink;
+ private Value logo;
+ private Value name;
+ private Value url;
+ private String shortname;
 /**
 * @param institutionName Name of the inst.
@@ -230,21 +240,21 @@ class InstitutionPortletEntry {
 * @return Returns the institutionLogo.
 */
 public String getInstitutionLogo() {
- return logo == null ? null : logo.value;
+ return logo == null ? null : logo.getValue();
 }
 /**
 * @return Returns the institutionName.
 */
 public String getInstitutionName() {
- return name == null ? null : name.value;
+ return name == null ? null : name.getValue();
 }
 /**
 * @return Returns the institutionUrl.
 */
 public String getInstitutionUrl() {
- return url == null ? null : url.value;
+ return url == null ? null : url.getValue();
 }
 /**
@@ -263,6 +273,54 @@ class InstitutionPortletEntry {
 }
 return polymorphlink;
 }
+
+ public List<InstitutionPortletSupervisorEntry> getSupervisor() {
+ return supervisor;
+ }
+
+ public void setSupervisor(List<InstitutionPortletSupervisorEntry> supervisor) {
+ this.supervisor = supervisor;
+ }
+
+ public List<PolymorphLink> getPolymorphlink() {
+ return polymorphlink;
+ }
+
+ public void setPolymorphlink(List<PolymorphLink> polymorphlink) {
+ this.polymorphlink = polymorphlink;
+ }
+
+ public Value getLogo() {
+ return logo;
+ }
+
+ public void setLogo(Value logo) {
+ this.logo = logo;
+ }
+
+ public Value getName() {
+ return name;
+ }
+
+ public void setName(Value name) {
+ this.name = name;
+ }
+
+ public Value getUrl() {
+ return url;
+ }
+
+ public void setUrl(Value url) {
+ this.url = url;
+ }
+
+ public String getShortname() {
+ return shortname;
+ }
+
+ public void setShortname(String shortname) {
+ this.shortname = shortname;
+ }
 }
 /**
@@ -275,11 +333,11 @@ class InstitutionPortletEntry {
 * @author Lars Eberle (<a href="http://www.bps-system.de/">BPS Bildungsportal Sachsen GmbH</a>)
 */
 class InstitutionPortletSupervisorEntry {
- public Value phone;
- public Value email;
- public Value person;
- public Value url;
- public Value blog;
+ private Value phone;
+ private Value email;
+ private Value person;
+ private Value url;
+ private Value blog;
 /**
 * @param supervisorName The supervisors name.
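Review bot: InstitutionPortletEntry now exposes `polymorphlink` through two accessors with different null behaviour: the method whose tail is visible at the top of the hunk appears to run an initialisation branch before `return polymorphlink;`, while the new `getPolymorphlink()` hands back the raw field, which stays null when the XML carries no such element. Callers moved to the new getter (as the portlet was moved to `getShortname()`) could therefore receive null where the older accessor gave a list. Either have the new getter delegate to the initialising one or mark the difference, e.g. `/** Raw field as read from the XML; may be null — use the initialising accessor when iterating. */`. The new list getters also return the internal mutable list; if callers are not meant to modify it, `Collections.unmodifiableList` (already imported in this file) is the usual guard. The initialising method's name and body start outside the hunk.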
@@ -293,37 +351,77 @@ class InstitutionPortletSupervisorEntry { } public String getSupervisorBlog() { - return blog == null ? null : blog.value; + return blog == null ? null : blog.getValue(); } /** * @return Returns the supervisorMail. */ public String getSupervisorMail() { - return email == null ? null : email.value; + return email == null ? null : email.getValue(); } /** * @return Returns the supervisorPhone. */ public String getSupervisorPhone() { - return phone == null ? null : phone.value; + return phone == null ? null : phone.getValue(); } public String getSupervisorPerson() { - return person == null ? null : person.value; + return person == null ? null : person.getValue(); } public String getSupervisorURL() { - return url == null ? null : url.value; + return url == null ? null : url.getValue(); + } + + public Value getPhone() { + return phone; + } + + public void setPhone(Value phone) { + this.phone = phone; + } + + public Value getEmail() { + return email; + } + + public void setEmail(Value email) { + this.email = email; + } + + public Value getPerson() { + return person; + } + + public void setPerson(Value person) { + this.person = person; + } + + public Value getUrl() { + return url; + } + + public void setUrl(Value url) { + this.url = url; + } + + public Value getBlog() { + return blog; + } + + public void setBlog(Value blog) { + this.blog = blog; } } class PolymorphLink { - public String defaultId; - public String linkType; - public String linkText; - public List<PolymorphLinkElement> element; + private String defaultId; + private String linkType; + private String linkText; + private List<PolymorphLinkElement> element; protected String getDefaultLink() { return this.defaultId; 
@@ -368,12 +466,36 @@ class PolymorphLink {
 }
 protected boolean hasConditions() {
- return (element != null && element.size() > 0);
+ return (element != null && !element.isEmpty());
 }
 protected String getLinkText() {
 return linkText;
 }
+
+ public String getDefaultId() {
+ return defaultId;
+ }
+
+ public void setDefaultId(String defaultId) {
+ this.defaultId = defaultId;
+ }
+
+ public List<PolymorphLinkElement> getElement() {
+ return element;
+ }
+
+ public void setElement(List<PolymorphLinkElement> element) {
+ this.element = element;
+ }
+
+ public void setLinkType(String linkType) {
+ this.linkType = linkType;
+ }
+
+ public void setLinkText(String linkText) {
+ this.linkText = linkText;
+ }
 }
 class PolymorphLinkElement {
@@ -381,16 +503,16 @@ class PolymorphLinkElement {
 protected static final String STARTS_WITH = "starts_with";
 protected static final String CONTAINS = "contains";
- public String id;
- public String cond;
- public String value;
- public String attribute;
+ private String id;
+ private String cond;
+ private String value;
+ private String attribute;
 public PolymorphLinkElement() {
 //
 }
- protected int getAttrib() {
+ public int getAttrib() {
 if ("orgunit".equals(attribute)) {
 return 0;
 } else if ("studysubject".equals(attribute)) {
@@ -399,11 +521,15 @@ class PolymorphLinkElement {
 return -1;
 }
- protected String getValue() {
+ public String getValue() {
 return value;
 }
+
+ public void setValue(String value) {
+ this.value = value;
+ }
- protected int getCondition() {
+ public int getCondition() {
 if (STARTS_WITH.equals(cond)) {
 return 0;
 } else if (EQUALS.equals(cond)) {
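Review bot: PolymorphLink gains `setLinkType(String)` but no `getLinkType()`, and `setLinkText` is public while the pre-existing `getLinkText()` stays protected, so the accessor pairs in this class are asymmetric compared with the other beans in the commit. For consistency I would add `public String getLinkType() { return linkType; }` next to the setter and widen `getLinkText()` to public. The rest of PolymorphLink, including where `linkType` is read, lies outside the hunk.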
@@ -414,13 +540,33 @@ class PolymorphLinkElement { return -1; } - protected String getId() { + public String getId() { return id; } + + public void setId(String id) { + this.id = id; + } + + public String getCond() { + return cond; + } + + public void setCond(String cond) { + this.cond = cond; + } + + public String getAttribute() { + return attribute; + } + + public void setAttribute(String attribute) { + this.attribute = attribute; + } } class Value { - public String value; + private String value; public String getValue() { return value; @@ -437,7 +583,7 @@ class Value { } class InstitutionConfiguration { - public List<InstitutionPortletEntry> institution; + private List<InstitutionPortletEntry> institution; public List<InstitutionPortletEntry> getInstitution() { if(institution == null) { @@ -445,4 +591,8 @@ class InstitutionConfiguration { } return institution; } + + public void setInstitution(List<InstitutionPortletEntry> institution) { + this.institution = institution; + } } diff --git a/src/main/java/org/olat/commons/coordinate/cluster/jms/ClusterAdminControllerCluster.java b/src/main/java/org/olat/commons/coordinate/cluster/jms/ClusterAdminControllerCluster.java index 2e6d19826ca..480163c45cb 100644 --- a/src/main/java/org/olat/commons/coordinate/cluster/jms/ClusterAdminControllerCluster.java +++ b/src/main/java/org/olat/commons/coordinate/cluster/jms/ClusterAdminControllerCluster.java @@ -31,10 +31,6 @@ import java.util.Date; import java.util.List; import java.util.Map; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - import org.olat.admin.user.UserSearchController; import org.olat.basesecurity.events.SingleIdentityChosenEvent; import org.olat.commons.coordinate.cluster.ClusterCoordinator; 
@@ -45,7 +41,6 @@ import org.olat.core.gui.components.Component; import org.olat.core.gui.components.htmlheader.jscss.JSAndCSSComponent; import org.olat.core.gui.components.link.Link; import org.olat.core.gui.components.link.LinkFactory; -import org.olat.core.gui.components.panel.OncePanel; import org.olat.core.gui.components.panel.Panel; import org.olat.core.gui.components.velocity.VelocityContainer; import org.olat.core.gui.control.Controller; @@ -55,7 +50,6 @@ import org.olat.core.gui.control.controller.BasicController; import org.olat.core.id.Identity; import org.olat.core.id.OLATResourceable; import org.olat.core.util.Formatter; -import org.olat.core.util.WebappHelper; import org.olat.core.util.cache.CacheWrapper; import org.olat.core.util.coordinate.Coordinator; import org.olat.core.util.coordinate.CoordinatorManager; @@ -272,6 +266,7 @@ public class ClusterAdminControllerCluster extends BasicController { long start = System.nanoTime(); for (int i = 0; i < cnt; i++) { CoordinatorManager.getInstance().getCoordinator().getSyncer().doInSync(ORES_TEST, new SyncerExecutor(){ + @Override public void execute() { // empty }}); 
@@ -287,35 +282,6 @@ public class ClusterAdminControllerCluster extends BasicController { usc = new UserSearchController(ureq, getWindowControl(), true); listenTo(usc); getWindowControl().pushAsModalDialog(usc.getInitialComponent()); - } else if ((source == nodeInfoVc) && (event.getCommand().equals("switchToNode"))) { - String nodeIdStr = ureq.getHttpReq().getParameter("nodeId"); - if (nodeIdStr.length()==1) { - nodeIdStr = "0"+nodeIdStr; - } - Cookie[] cookies = ureq.getHttpReq().getCookies(); - for (int i = 0; i < cookies.length; i++) { - Cookie cookie = cookies[i]; - if ("JSESSIONID".equals(cookie.getName())) { - String redirectedButInvalidSessionId = cookie.getValue(); - redirectedButInvalidSessionId = redirectedButInvalidSessionId.substring(0, redirectedButInvalidSessionId.length()-2) + nodeIdStr; - logInfo("redirecting session to node "+nodeIdStr+", new sessionid="+redirectedButInvalidSessionId); - cookie.setValue(redirectedButInvalidSessionId); - replaceCookie(ureq.getHttpReq(), ureq.getHttpResp(), cookie); - - // OLAT-5165: make sure we can always bypass the dmz reject mechanism (for 5min that is) - Cookie newCookie = new Cookie("bypassdmzreject", String.valueOf(System.currentTimeMillis())); - newCookie.setMaxAge(5 * 60); // 5min lifetime - newCookie.setPath(WebappHelper.getServletContextPath()); - newCookie.setSecure(ureq.getHttpReq().isSecure()); - newCookie.setComment("cookie allowing olat admin users to bypass dmz rejects"); - ureq.getHttpResp().addCookie(newCookie); - - OncePanel oncePanel = new OncePanel("refresh"); - oncePanel.setContent(createVelocityContainer("refresh")); - mainVc.put("refresh", oncePanel); - break; - } - } } else if (source == toggleStartStop) { clusBus.resetStats(); updatePerfInfos(); 
@@ -324,12 +290,8 @@ public class ClusterAdminControllerCluster extends BasicController { updatePerfInfos(); } } - - private void replaceCookie(HttpServletRequest request, HttpServletResponse response, Cookie cookie) { - // for a generalized version of this, use org/apache/tomcat/util/http/ServerCookie.java - response.setHeader("Set-Cookie", cookie.getName()+"="+cookie.getValue()+"; Path="+request.getContextPath()+(request.isSecure()?"":"; Secure")); - } + @Override public void event(UserRequest ureq, Controller source, Event event) { if (source == usc) { getWindowControl().pop(); @@ -343,7 +305,7 @@ public class ClusterAdminControllerCluster extends BasicController { } } - void sleep (int milis) { + private void sleep (int milis) { try { Thread.sleep(milis); } catch (InterruptedException e) { @@ -351,7 +313,7 @@ public class ClusterAdminControllerCluster extends BasicController { } } - void updateCacheInfo() { + private void updateCacheInfo() { CacheWrapper<String,String> cw = CoordinatorManager.getInstance().getCoordinator().getCacher().getCache(this.getClass().getSimpleName(), "cachetest"); Object val = cw.get("akey"); cachetest.contextPut("cacheval", val==null? "-null-": val); diff --git a/src/main/java/org/olat/commons/coordinate/cluster/jms/_content/nodeinfos.html b/src/main/java/org/olat/commons/coordinate/cluster/jms/_content/nodeinfos.html index 4a703bd574a..729be356cad 100644 --- a/src/main/java/org/olat/commons/coordinate/cluster/jms/_content/nodeinfos.html +++ b/src/main/java/org/olat/commons/coordinate/cluster/jms/_content/nodeinfos.html 
@@ -6,19 +6,12 @@ #else <legend>Node: $stat.nodeId</legend> #end - <table class="table table-condensed table-striped"> <tr> <td>Startup:</td><td>$!stat.config.startupTime</td> <td>Messages received: </td><td>$stat.numOfReceivedMessages</td> <td>Latest received Id: </td><td>$stat.latestReceivedMsgId</td> <td>Count of missed messages: </td><td>$stat.numOfMissedMsgs</td> - -#if ($thisNodeId==$stat.nodeId) - <td>$r.translate("you.are.on.this.node")</td> -#else - <td class="text-left"><a $r.hrefAndOnclick("switchToNode",false,false,"nodeId",$stat.nodeId)>$r.translate("switch.to.node")</a></td> -#end </tr> </table> </fieldset> diff --git a/src/main/java/org/olat/core/util/openxml/OpenXMLUtils.java b/src/main/java/org/olat/core/util/openxml/OpenXMLUtils.java index b90a86c0899..59cba7c9a72 100644 --- a/src/main/java/org/olat/core/util/openxml/OpenXMLUtils.java +++ b/src/main/java/org/olat/core/util/openxml/OpenXMLUtils.java @@ -36,15 +36,14 @@ import javax.xml.stream.XMLStreamWriter; import javax.xml.transform.OutputKeys; import javax.xml.transform.Result; import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; import javax.xml.transform.TransformerFactoryConfigurationError; import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; -import org.olat.core.commons.services.image.Size; import org.apache.logging.log4j.Logger; +import org.olat.core.commons.services.image.Size; import org.olat.core.logging.Tracing; import org.olat.core.util.StringHelper; import org.olat.core.util.io.ShieldOutputStream; 
@@ -172,13 +171,7 @@ public class OpenXMLUtils {
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document doc = builder.parse(in);
 return doc;
- } catch (ParserConfigurationException e) {
- log.error("", e);
- return null;
- } catch (IOException e) {
- log.error("", e);
- return null;
- } catch (SAXException e) {
+ } catch (ParserConfigurationException | IOException | SAXException e) {
 log.error("", e);
 return null;
 }
@@ -194,13 +187,7 @@ public class OpenXMLUtils {
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document doc = builder.parse(new InputSource(new StringReader(in)));
 return doc;
- } catch (ParserConfigurationException e) {
- log.error("", e);
- return null;
- } catch (IOException e) {
- log.error("", e);
- return null;
- } catch (SAXException e) {
+ } catch (ParserConfigurationException | IOException | SAXException e) {
 log.error("", e);
 return null;
 }
@@ -210,6 +197,7 @@ public class OpenXMLUtils {
 try {
 // Use a Transformer for output
 TransformerFactory tFactory = TransformerFactory.newInstance();
+ tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 Transformer transformer = tFactory.newTransformer();
 if(indent) {
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -219,13 +207,8 @@ public class OpenXMLUtils {
 DOMSource source = new DOMSource(document);
 Result result = new StreamResult(out);
 transformer.transform(source, result);
- } catch (TransformerConfigurationException e) {
- log.error("", e);
- } catch (TransformerFactoryConfigurationError e) {
- log.error("", e);
- } catch (TransformerException e) {
+ } catch (TransformerFactoryConfigurationError | TransformerException e) {
 log.error("", e);
 }
 }
-
 }
diff --git a/src/main/java/org/olat/group/area/BGAreaManagerImpl.java b/src/main/java/org/olat/group/area/BGAreaManagerImpl.java
index 85004efe32d..1422d3eeccb 100644
--- a/src/main/java/org/olat/group/area/BGAreaManagerImpl.java
+++ b/src/main/java/org/olat/group/area/BGAreaManagerImpl.java
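Review bot: The secure-processing feature is enabled only on the TransformerFactory in the third hunk; the DocumentBuilderFactory `factory` that the two parse methods in the first two hunks call `newDocumentBuilder()` on is created above the hunk, and nothing visible here shows whether it disables DTDs or external entities. If it does not, `builder.parse(in)` on a caller-supplied stream is the more exposed path and deserves the same hardening, `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` plus the `http://apache.org/xml/features/disallow-doctype-decl` feature — confirm against the lines above the hunk. `TransformerFactory.setFeature` throws TransformerConfigurationException, a subtype of TransformerException, so the new multi-catch still covers it. A short comment on the added line, e.g. `// secure processing: limits entity expansion and external access during the transform`, would record why the flag is there.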
@@ -151,7 +151,7 @@ public class BGAreaManagerImpl implements BGAreaManager { @Override public void addBGToBGArea(BusinessGroup group, BGArea area) { BGtoAreaRelation bgAreaRel = new BGtoAreaRelationImpl(area, group); - dbInstance.saveObject(bgAreaRel); + dbInstance.getCurrentEntityManager().persist(bgAreaRel); } @Override @@ -300,9 +300,6 @@ public class BGAreaManagerImpl implements BGAreaManager { return count.intValue(); } - /** - * @see org.olat.group.area.BGAreaManager#findBGAreasOfBGContext(org.olat.group.context.BGContext) - */ @Override public List<BGArea> findBGAreasInContext(OLATResource resource) { StringBuilder sb = new StringBuilder(); diff --git a/src/main/java/org/olat/group/manager/BusinessGroupImportExport.java b/src/main/java/org/olat/group/manager/BusinessGroupImportExport.java index c55bed7a1d0..aab622da7f6 100644 --- a/src/main/java/org/olat/group/manager/BusinessGroupImportExport.java +++ b/src/main/java/org/olat/group/manager/BusinessGroupImportExport.java @@ -21,7 +21,6 @@ package org.olat.group.manager; import java.io.File; import java.io.FileOutputStream; -import java.io.IOException; import java.lang.reflect.Field; import java.util.ArrayList; import java.util.Collections; @@ -36,7 +35,6 @@ import org.olat.core.commons.persistence.DB; import org.olat.core.logging.AssertException; import org.olat.core.logging.OLATRuntimeException; import org.olat.core.logging.Tracing; -import org.olat.core.util.FileUtils; import org.olat.core.util.StringHelper; import org.olat.group.BusinessGroup; import org.olat.group.BusinessGroupModule; @@ -57,7 +55,7 @@ public class BusinessGroupImportExport { private static final Logger log = Tracing.createLoggerFor(BusinessGroupImportExport.class); - private final GroupXStream xstream = new GroupXStream(); + private static final GroupXStream xstream = new GroupXStream(); private final DB dbInstance; private final BGAreaManager areaManager; 
@@ -83,9 +81,9 @@ public class BusinessGroupImportExport { root.getAreas().setGroups(new ArrayList<Area>()); for (BGArea area : areas) { Area newArea = new Area(); - newArea.key = area.getKey(); - newArea.name = area.getName(); - newArea.description = Collections.singletonList(area.getDescription()); + newArea.setKey(area.getKey()); + newArea.setName(area.getName()); + newArea.setDescription(Collections.singletonList(area.getDescription())); root.getAreas().getGroups().add(newArea); } @@ -102,22 +100,22 @@ public class BusinessGroupImportExport { private Group exportGroup(File fExportFile, BusinessGroup group, String groupName, boolean runtimeDatas) { Group newGroup = new Group(); - newGroup.key = group.getKey(); - newGroup.name = StringHelper.containsNonWhitespace(groupName) ? groupName : group.getName(); + newGroup.setKey(group.getKey()); + newGroup.setName(StringHelper.containsNonWhitespace(groupName) ? groupName : group.getName()); if (group.getMinParticipants() != null) { - newGroup.minParticipants = group.getMinParticipants(); + newGroup.setMinParticipants(group.getMinParticipants()); } if (group.getMaxParticipants() != null) { - newGroup.maxParticipants = group.getMaxParticipants(); + newGroup.setMaxParticipants(group.getMaxParticipants()); } if (group.getWaitingListEnabled() != null) { - newGroup.waitingList = group.getWaitingListEnabled(); + newGroup.setWaitingList(group.getWaitingListEnabled()); } if (group.getAutoCloseRanksEnabled() != null) { - newGroup.autoCloseRanks = group.getAutoCloseRanksEnabled(); + newGroup.setAutoCloseRanks(group.getAutoCloseRanksEnabled()); } if(StringHelper.containsNonWhitespace(group.getDescription())) { - newGroup.description = Collections.singletonList(group.getDescription()); + newGroup.setDescription(Collections.singletonList(group.getDescription())); } // collab tools 
@@ -134,20 +132,19 @@ public class BusinessGroupImportExport { log.error("", e); } } - newGroup.tools = toolsConfig; + newGroup.setTools(toolsConfig); Long calendarAccess = ct.lookupCalendarAccess(); if (calendarAccess != null) { - newGroup.calendarAccess = calendarAccess; + newGroup.setCalendarAccess(calendarAccess); } - //fxdiff VCRP-8: collaboration tools folder access control Long folderAccess = ct.lookupFolderAccess(); if(folderAccess != null) { - newGroup.folderAccess = folderAccess; + newGroup.setFolderAccess(folderAccess); } String info = ct.lookupNews(); if (info != null && !info.trim().equals("")) { - newGroup.info = info.trim(); + newGroup.setInfo(info.trim()); } log.debug("fExportFile.getParent()=" + fExportFile.getParent()); 
@@ -156,36 +153,27 @@ public class BusinessGroupImportExport {
 }
 // export membership
 List<BGArea> bgAreas = areaManager.findBGAreasOfBusinessGroup(group);
- newGroup.areaRelations = new ArrayList<String>();
+ newGroup.setAreaRelations(new ArrayList<String>());
 for (BGArea areaRelation : bgAreas) {
- newGroup.areaRelations.add(areaRelation.getName());
+ newGroup.getAreaRelations().add(areaRelation.getName());
 }
 // export properties
 boolean showOwners = group.isOwnersVisibleIntern();
 boolean showParticipants = group.isParticipantsVisibleIntern();
 boolean showWaitingList = group.isWaitingListVisibleIntern();
- newGroup.showOwners = showOwners;
- newGroup.showParticipants = showParticipants;
- newGroup.showWaitingList = showWaitingList;
+ newGroup.setShowOwners(showOwners);
+ newGroup.setShowParticipants(showParticipants);
+ newGroup.setShowWaitingList(showWaitingList);
 return newGroup;
 }
 private void saveGroupConfiguration(File fExportFile, OLATGroupExport root) {
- FileOutputStream fOut = null;
- try {
- fOut = new FileOutputStream(fExportFile);
+ try(FileOutputStream fOut = new FileOutputStream(fExportFile)) {
 xstream.toXML(root, fOut);
- } catch (IOException ioe) {
- throw new OLATRuntimeException(
- "Error writing group configuration during group export.",
- ioe);
 } catch (Exception cfe) {
- throw new OLATRuntimeException(
- "Error writing group configuration during group export.",
- cfe);
- } finally {
- FileUtils.closeSafely(fOut);
+ log.error("", cfe);
+ throw new OLATRuntimeException("Error writing group configuration during group export.", cfe);
 }
 }
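Review bot: In saveGroupConfiguration the new catch block both logs the exception and rethrows it wrapped with the cause attached, so the same stack trace will be reported twice once the caller logs the OLATRuntimeException; keep one of the two, most simply drop `log.error("", cfe);`. `catch (Exception cfe)` is broad for a write that fails with IOException or XStream's runtime exceptions, but it matches the earlier behaviour, so that is a style remark only. The `throw` inside the try-with-resources still lets `fOut` close, so the resource handling itself is correct.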
@@ -213,11 +201,11 @@ public class BusinessGroupImportExport { int dbCount = 0; if (groupConfig.getAreas() != null && groupConfig.getAreas().getGroups() != null) { for (Area area : groupConfig.getAreas().getGroups()) { - String areaName = area.name; - String areaDesc = (area.description != null && !area.description.isEmpty()) ? area.description.get(0) : ""; + String areaName = area.getName(); + String areaDesc = (area.getDescription() != null && !area.getDescription().isEmpty()) ? area.getDescription().get(0) : ""; BGArea newArea = areaManager.createAndPersistBGArea(areaName, areaDesc, re.getOlatResource()); if(areaSet.add(newArea)) { - env.getAreas().add(new BGAreaReference(newArea, area.key, area.name)); + env.getAreas().add(new BGAreaReference(newArea, area.getKey(), area.getName())); } if(dbCount++ % 25 == 0) { 
@@ -230,47 +218,49 @@ public class BusinessGroupImportExport { if (groupConfig.getGroups() != null && groupConfig.getGroups().getGroups() != null) { for (Group group : groupConfig.getGroups().getGroups()) { // create group - String groupName = group.name; - String groupDesc = (group.description != null && !group.description.isEmpty()) ? group.description.get(0) : ""; + String groupName = group.getName(); + String groupDesc = (group.getDescription() != null && !group.getDescription().isEmpty()) ? group.getDescription().get(0) : ""; // get min/max participants - int groupMinParticipants = group.minParticipants == null ? -1 : group.minParticipants.intValue(); - int groupMaxParticipants = group.maxParticipants == null ? -1 : group.maxParticipants.intValue(); + int groupMinParticipants = group.getMinParticipants() == null ? -1 : group.getMinParticipants().intValue(); + int groupMaxParticipants = group.getMaxParticipants() == null ? -1 : group.getMaxParticipants().intValue(); // waiting list configuration boolean waitingList = false; - if (group.waitingList != null) { - waitingList = group.waitingList.booleanValue(); + if (group.getWaitingList() != null) { + waitingList = group.getWaitingList().booleanValue(); } boolean enableAutoCloseRanks = false; - if (group.autoCloseRanks != null) { - enableAutoCloseRanks = group.autoCloseRanks.booleanValue(); + if (group.getAutoCloseRanks() != null) { + enableAutoCloseRanks = group.getAutoCloseRanks().booleanValue(); } // get properties boolean showOwners = true; boolean showParticipants = true; boolean showWaitingList = true; - if (group.showOwners != null) { - showOwners = group.showOwners; + if (group.getShowOwners() != null) { + showOwners = group.getShowOwners().booleanValue(); } - if (group.showParticipants != null) { - showParticipants = group.showParticipants; + if (group.getShowParticipants() != null) { + showParticipants = group.getShowParticipants().booleanValue(); } - if (group.showWaitingList != null) { - 
showWaitingList = group.showWaitingList;
+ if (group.getShowWaitingList() != null) {
+ showWaitingList = group.getShowWaitingList().booleanValue();
 }
 BusinessGroup newGroup = businessGroupService.createBusinessGroup(null, groupName, groupDesc, groupMinParticipants, groupMaxParticipants, waitingList, enableAutoCloseRanks, re);
+ dbInstance.commit();
 //map the group
- env.getGroups().add(new BusinessGroupReference(newGroup, group.key, group.name));
+ env.getGroups().add(new BusinessGroupReference(newGroup, group.getKey(), group.getName()));
 // get tools config
 String[] availableTools = CollaborationToolsFactory.getInstance().getAvailableTools().clone();
- CollabTools toolsConfig = group.tools;
+ CollabTools toolsConfig = group.getTools();
 CollaborationTools ct = CollaborationToolsFactory.getInstance().getOrCreateCollaborationTools(newGroup);
 for (int i = 0; i < availableTools.length; i++) {
 try {
- Field field = toolsConfig.getClass().getField(availableTools[i]);
+ Field field = toolsConfig.getClass().getDeclaredField(availableTools[i]);
+ field.setAccessible(true);
 Boolean val = field.getBoolean(toolsConfig);
 if (val != null) {
 ct.setToolEnabled(availableTools[i], val);
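Review bot: `toolsConfig` is dereferenced on the changed `getDeclaredField` line with no null check; it is whatever `group.getTools()` read from the imported XML, and a group element without a `tools` child would leave it null and throw a NullPointerException on every iteration — whether the catch clause below the hunk absorbs that cannot be seen from here. Guarding the loop with `if (toolsConfig != null)` keeps such an export importable with the tools left at their defaults. The reflected field names come from `CollaborationToolsFactory.getAvailableTools()` rather than from the import file, so the `setAccessible(true)` is not steered by untrusted input, which is worth stating in a comment on that line, e.g. `// field names come from the tool factory, not from the imported XML`. On the context lines just below, `field.getBoolean` returns a primitive, so `Boolean val` is never null and the `if (val != null)` test is dead. The enclosing import method starts above the hunk and ends below it.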
@@ -281,19 +271,19 @@ public class BusinessGroupImportExport { log.error("", e); } } - if (group.calendarAccess != null) { - Long calendarAccess = group.calendarAccess; + if (group.getCalendarAccess() != null) { + Long calendarAccess = group.getCalendarAccess(); ct.saveCalendarAccess(calendarAccess); } - if(group.folderAccess != null) { - ct.saveFolderAccess(group.folderAccess); + if(group.getFolderAccess() != null) { + ct.saveFolderAccess(group.getFolderAccess()); } - if (group.info != null) { - ct.saveNews(group.info); + if (group.getInfo() != null) { + ct.saveNews(group.getInfo()); } // get memberships - List<String> memberships = group.areaRelations; + List<String> memberships = group.getAreaRelations(); if(memberships != null && memberships.size() > 0) { Set<String> uniqueMemberships = new HashSet<>(memberships); for (String membership : uniqueMemberships) { @@ -311,6 +301,8 @@ public class BusinessGroupImportExport { if(dbCount++ % 3 == 0) { dbInstance.commitAndCloseSession(); + } else { + dbInstance.commit(); } } } diff --git a/src/main/java/org/olat/group/manager/GroupXStream.java b/src/main/java/org/olat/group/manager/GroupXStream.java index a5e19bbbf4f..cf5c5311f2a 100644 --- a/src/main/java/org/olat/group/manager/GroupXStream.java +++ b/src/main/java/org/olat/group/manager/GroupXStream.java @@ -28,6 +28,7 @@ import java.util.List; import org.olat.core.util.xml.XStreamHelper; import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.ExplicitTypePermission; /** * 
@@ -45,6 +46,14 @@ public class GroupXStream {
 public GroupXStream() {
 xstream = XStreamHelper.createXStreamInstance();
+
+ XStream.setupDefaultSecurity(xstream);
+ Class<?>[] types = new Class[] {
+ CollabTools.class, Group.class, Area.class, AreaCollection.class, GroupCollection.class,
+ OLATGroupExport.class, ArrayList.class
+ };
+ xstream.addPermission(new ExplicitTypePermission(types));
+
 xstream.alias("OLATGroupExport", OLATGroupExport.class);
 xstream.alias("AreaCollection", AreaCollection.class);
 xstream.alias("GroupCollection", GroupCollection.class);
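Review bot: The export side stores `description` as `Collections.singletonList(...)` (BusinessGroupImportExport's area loop and exportGroup), which XStream serialises under its own singleton-collection type rather than as an ArrayList, so re-importing the project's own export files relies on `java.util.Collections$SingletonList` being permitted; if `setupDefaultSecurity` in the XStream version in use does not already allow the whole `Collection` hierarchy, the explicit list here would reject them. A round-trip through GroupXStream on a freshly exported group settles it, and BusinessGroupImportExportXStreamTest from the diffstat may already cover that. A comment above `types`, such as `// types the group export XML may instantiate; collections rely on the defaults set by setupDefaultSecurity`, would make the dependency explicit. The constructor continues outside the hunk.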
@@ -153,36 +162,244 @@ class GroupCollection { } class Area { - public Long key; - public String name; - public List<String> description; + private Long key; + private String name; + private List<String> description; + + public Long getKey() { + return key; + } + + public void setKey(Long key) { + this.key = key; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public List<String> getDescription() { + return description; + } + + public void setDescription(List<String> description) { + this.description = description; + } } class Group { - public Long key; - public String name; - public Integer minParticipants; - public Integer maxParticipants; - public Boolean waitingList; - public Boolean autoCloseRanks; - public Boolean showOwners; - public Boolean showParticipants; - public Boolean showWaitingList; - public List<String> description; - public CollabTools tools; - public List<String> areaRelations; - public Long calendarAccess; - public String info; - public Long folderAccess; + private Long key; + private String name; + private Integer minParticipants; + private Integer maxParticipants; + private Boolean waitingList; + private Boolean autoCloseRanks; + private Boolean showOwners; + private Boolean showParticipants; + private Boolean showWaitingList; + private List<String> description; + private CollabTools tools; + private List<String> areaRelations; + private Long calendarAccess; + private String info; + private Long folderAccess; + + public Long getKey() { + return key; + } + + public void setKey(Long key) { + this.key = key; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public Integer getMinParticipants() { + return minParticipants; + } + + public void setMinParticipants(Integer minParticipants) { + this.minParticipants = minParticipants; + } + + public Integer getMaxParticipants() { + return maxParticipants; + } + + 
public void setMaxParticipants(Integer maxParticipants) { + this.maxParticipants = maxParticipants; + } + + public Boolean getWaitingList() { + return waitingList; + } + + public void setWaitingList(Boolean waitingList) { + this.waitingList = waitingList; + } + + public Boolean getAutoCloseRanks() { + return autoCloseRanks; + } + + public void setAutoCloseRanks(Boolean autoCloseRanks) { + this.autoCloseRanks = autoCloseRanks; + } + + public Boolean getShowOwners() { + return showOwners; + } + + public void setShowOwners(Boolean showOwners) { + this.showOwners = showOwners; + } + + public Boolean getShowParticipants() { + return showParticipants; + } + + public void setShowParticipants(Boolean showParticipants) { + this.showParticipants = showParticipants; + } + + public Boolean getShowWaitingList() { + return showWaitingList; + } + + public void setShowWaitingList(Boolean showWaitingList) { + this.showWaitingList = showWaitingList; + } + + public List<String> getDescription() { + return description; + } + + public void setDescription(List<String> description) { + this.description = description; + } + + public CollabTools getTools() { + return tools; + } + + public void setTools(CollabTools tools) { + this.tools = tools; + } + + public List<String> getAreaRelations() { + return areaRelations; + } + + public void setAreaRelations(List<String> areaRelations) { + this.areaRelations = areaRelations; + } + + public Long getCalendarAccess() { + return calendarAccess; + } + + public void setCalendarAccess(Long calendarAccess) { + this.calendarAccess = calendarAccess; + } + + public String getInfo() { + return info; + } + + public void setInfo(String info) { + this.info = info; + } + + public Long getFolderAccess() { + return folderAccess; + } + + public void setFolderAccess(Long folderAccess) { + this.folderAccess = folderAccess; + } } class CollabTools { - public boolean hasNews; - public boolean hasContactForm; - public boolean hasCalendar; - public boolean hasFolder; - 
public boolean hasForum; - public boolean hasChat; - public boolean hasWiki; - public boolean hasPortfolio; + private boolean hasNews; + private boolean hasContactForm; + private boolean hasCalendar; + private boolean hasFolder; + private boolean hasForum; + private boolean hasChat; + private boolean hasWiki; + private boolean hasPortfolio; + + public boolean isHasNews() { + return hasNews; + } + + public void setHasNews(boolean hasNews) { + this.hasNews = hasNews; + } + + public boolean isHasContactForm() { + return hasContactForm; + } + + public void setHasContactForm(boolean hasContactForm) { + this.hasContactForm = hasContactForm; + } + + public boolean isHasCalendar() { + return hasCalendar; + } + + public void setHasCalendar(boolean hasCalendar) { + this.hasCalendar = hasCalendar; + } + + public boolean isHasFolder() { + return hasFolder; + } + + public void setHasFolder(boolean hasFolder) { + this.hasFolder = hasFolder; + } + + public boolean isHasForum() { + return hasForum; + } + + public void setHasForum(boolean hasForum) { + this.hasForum = hasForum; + } + + public boolean isHasChat() { + return hasChat; + } + + public void setHasChat(boolean hasChat) { + this.hasChat = hasChat; + } + + public boolean isHasWiki() { + return hasWiki; + } + + public void setHasWiki(boolean hasWiki) { + this.hasWiki = hasWiki; + } + + public boolean isHasPortfolio() { + return hasPortfolio; + } + + public void setHasPortfolio(boolean hasPortfolio) { + this.hasPortfolio = hasPortfolio; + } } \ No newline at end of file diff --git a/src/main/java/org/olat/ims/qti/render/LocalizedXSLTransformer.java b/src/main/java/org/olat/ims/qti/render/LocalizedXSLTransformer.java index 6300ea86edf..a48f4730729 100644 --- a/src/main/java/org/olat/ims/qti/render/LocalizedXSLTransformer.java +++ b/src/main/java/org/olat/ims/qti/render/LocalizedXSLTransformer.java 
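Review bot: The boolean accessors on CollabTools are named `isHasNews()`, `isHasForum()` and so on, which reads awkwardly; for a `hasX` flag the conventional accessor is simply `hasNews()` / `hasForum()`, and since these classes are package-private the rename costs nothing outside this package. `Group.getDescription()`, `Group.getAreaRelations()` and `Area.getDescription()` hand back the internal mutable List, so making the fields private buys no encapsulation for them; either return an unmodifiable view or document that callers may mutate. With XStream's default reflection-based field mapping the new getters and setters should not alter the XML format, but since the field names double as element names a class-level comment such as `// Field names are the XML element names used by GroupXStream; do not rename without a migration` would stop the next refactor from silently breaking old exports.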
@@ -206,9 +206,16 @@ public class LocalizedXSLTransformer {
 TransformerFactory tfactory = null;
 try {
 tfactory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null);
- } catch (TransformerFactoryConfigurationError e) {
+ tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ 
+ } catch (TransformerFactoryConfigurationError | TransformerConfigurationException e) {
 log.error("", e);
- tfactory = TransformerFactory.newInstance();
+ try {
+ tfactory = TransformerFactory.newInstance();
+ tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException | TransformerFactoryConfigurationError e1) {
+ log.error("", e);
+ }
 }
 return tfactory;
 }
diff --git a/src/main/java/org/olat/ims/qti21/ui/components/AssessmentTestComponentRenderer.java b/src/main/java/org/olat/ims/qti21/ui/components/AssessmentTestComponentRenderer.java
index 6926b1a3733..cfe52478664 100644
--- a/src/main/java/org/olat/ims/qti21/ui/components/AssessmentTestComponentRenderer.java
+++ b/src/main/java/org/olat/ims/qti21/ui/components/AssessmentTestComponentRenderer.java
@@ -29,6 +29,7 @@
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -820,6 +821,7 @@ public class AssessmentTestComponentRenderer extends AssessmentObjectComponentRe
 public static void printDocument(Element doc, OutputStream out) {
 try {
 TransformerFactory tf = TransformerFactory.newInstance();
+ tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 Transformer transformer = tf.newTransformer();
 transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
 transformer.setOutputProperty(OutputKeys.METHOD, "xml");
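Review bot: In the fallback catch block the second failure is logged with the first exception (`log.error("", e)`) and `e1` is dropped, so if the default factory also rejects the feature the real cause never reaches the log; it should read `log.error("", e1);`. On that same path the method still returns `tfactory`, which is then either the factory from whichever `newInstance` succeeded with secure processing not enabled, or null if both constructions failed, so callers get a silently unhardened factory or a NullPointerException later; consider rethrowing, or returning null explicitly and documenting it as a failure. The first factory is the JDK-internal XSLTC, where enabling FEATURE_SECURE_PROCESSING also restricts external DTD and stylesheet access, but the fallback `TransformerFactory.newInstance()` may resolve to another JAXP provider where the feature does not imply that, so I would additionally set `tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")` (guarded, as older providers throw IllegalArgumentException for unknown attributes); the same caveat applies to the factories hardened in the AssessmentTestComponentRenderer and ProcSamplerJob hunks. The enclosing method's signature lies outside the hunk.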
diff --git a/src/main/java/org/olat/restapi/system/ProcSamplerJob.java b/src/main/java/org/olat/restapi/system/ProcSamplerJob.java
index 4f8bbb186bd..5f90ccfefe6 100644
--- a/src/main/java/org/olat/restapi/system/ProcSamplerJob.java
+++ b/src/main/java/org/olat/restapi/system/ProcSamplerJob.java
@@ -134,6 +134,7 @@ public class ProcSamplerJob extends QuartzJobBean {
 // Use a Transformer for output
 try(OutputStream out = new FileOutputStream(xmlFile)) {
 TransformerFactory tFactory = TransformerFactory.newInstance();
+ tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 Transformer transformer = tFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.transform(new DOMSource(doc), new StreamResult(out));
diff --git a/src/main/java/org/olat/shibboleth/ShibbolethAuthenticationController.java b/src/main/java/org/olat/shibboleth/ShibbolethAuthenticationController.java
index f1544c0a753..a830b0a1852 100644
--- a/src/main/java/org/olat/shibboleth/ShibbolethAuthenticationController.java
+++ b/src/main/java/org/olat/shibboleth/ShibbolethAuthenticationController.java
@@ -194,6 +194,7 @@ public class ShibbolethAuthenticationController extends AuthenticationController
 Cookie cookie = null;
 try {
 cookie = new Cookie(IDP_HOMESITE_COOKIE, URLEncoder.encode(homeSite, "utf-8"));
+ cookie.setHttpOnly(true);
 } catch (UnsupportedEncodingException e) {/* utf-8 is always present */}
 cookie.setMaxAge(100 * 24 * 60 * 60); // 100 days lifetime
 cookie.setPath(WebappHelper.getServletContextPath());
diff --git a/src/test/java/de/bps/olat/portal/institution/InstitutionPortletTest.java b/src/test/java/de/bps/olat/portal/institution/InstitutionPortletTest.java
index c16412866d3..f3de629dd82 100644
--- a/src/test/java/de/bps/olat/portal/institution/InstitutionPortletTest.java
+++ b/src/test/java/de/bps/olat/portal/institution/InstitutionPortletTest.java
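Review bot: The diffstat shows ProcSamplerJob.java gaining exactly one line, so `javax.xml.XMLConstants` must already be imported in this file or the added `tFactory.setFeature(...)` will not compile; the AssessmentTestComponentRenderer hunk needed a new import for the identical change, so this is worth a build check rather than an assumption. The transformer here appears to only serialise a DOM (`new DOMSource(doc)`) to a file, so secure processing is defence-in-depth rather than a fix for a parsing path; fine to keep, and a short comment like `// defence in depth: identity transform of an in-memory DOM, no external resolution expected` would stop someone from later mistaking it for the XXE control. The try-with-resources block continues beyond the hunk.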
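Review bot: HttpOnly is now set on the IdP home-site cookie, but the Secure attribute is still missing, so the preference is also transmitted over plain HTTP; since this controller sits in the login flow I would add `cookie.setSecure(true);` next to the new line, or derive the flag from the request scheme if HTTP deployments must keep working (no request object is visible in the hunk, so that part is inferred). The `catch (UnsupportedEncodingException e) {}` path leaves `cookie` null and the following `setMaxAge` would throw NullPointerException; it is pre-existing and practically unreachable for UTF-8, but if the project targets Java 10+ the `URLEncoder.encode(homeSite, StandardCharsets.UTF_8)` overload removes the checked exception and the dead catch altogether. The enclosing method continues outside the hunk.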
@@ -48,8 +48,8 @@ public class InstitutionPortletTest {
 InputStream input = InstitutionPortletTest.class.getResourceAsStream("olat_portals_institution.xml");
 InstitutionConfiguration obj = (InstitutionConfiguration)xstream.fromXML(input);
- assertEquals("Test-Uni", obj.institution.get(0).shortname);
- assertEquals("360448", obj.institution.get(0).polymorphlink.get(0).defaultId);
+ assertEquals("Test-Uni", obj.getInstitution().get(0).getShortname());
+ assertEquals("360448", obj.getInstitution().get(0).getPolymorphlink().get(0).getDefaultId());
 }
 }
diff --git a/src/test/java/org/olat/group/manager/BusinessGroupImportExportXStreamTest.java b/src/test/java/org/olat/group/manager/BusinessGroupImportExportXStreamTest.java
index a3953e03819..2c847b131e4 100644
--- a/src/test/java/org/olat/group/manager/BusinessGroupImportExportXStreamTest.java
+++ b/src/test/java/org/olat/group/manager/BusinessGroupImportExportXStreamTest.java
@@ -57,7 +57,7 @@ public class BusinessGroupImportExportXStreamTest {
 assertNotNull(export.getGroups().getGroups());
 assertEquals(2, export.getGroups().getGroups().size());
- assertEquals("Form Group 2", export.getGroups().getGroups().get(1).name);
+ assertEquals("Form Group 2", export.getGroups().getGroups().get(1).getName());
 String output = xstream.toXML(export);
 assertNotNull(output);
@@ -75,7 +75,7 @@ public class BusinessGroupImportExportXStreamTest {
 assertNotNull(export.getGroups().getGroups());
 assertEquals(2, export.getGroups().getGroups().size());
- assertEquals("Test Right 2", export.getGroups().getGroups().get(1).name);
+ assertEquals("Test Right 2", export.getGroups().getGroups().get(1).getName());
 String output = xstream.toXML(export);
 assertNotNull(output);
-- 
GitLab