Merge remote-tracking branch 'origin/OpenOLAT_14.2' into OpenOLAT_15.1

src/main/java/org/olat/admin/AdminModuleDispatcher.java

@@ -47,29 +47,26 @@ import org.olat.core.util.session.UserSessionManager;
  */
 public class AdminModuleDispatcher implements Dispatcher {
 	
-	private final static  String PARAMETER_CMD          = "cmd"; 
-	private final static  String PARAMETER_MSG          = "msg";
-	private final static  String PARAMETER_MAX_MESSAGE  = "maxsessions";
-	private final static  String PARAMETER_NBR_SESSIONS = "nbrsessions";
-	private final static  String PARAMETER_SESSIONTIMEOUT ="sec";
+	private static final String PARAMETER_CMD          = "cmd"; 
+	private static final String PARAMETER_MSG          = "msg";
+	private static final String PARAMETER_MAX_MESSAGE  = "maxsessions";
+	private static final String PARAMETER_NBR_SESSIONS = "nbrsessions";
+	private static final String PARAMETER_SESSIONTIMEOUT ="sec";
 	
-	private final static  String CMD_SET_MAINTENANCE_MESSAGE    = "setmaintenancemessage";
-	private final static  String CMD_SET_INFO_MESSAGE    				= "setinfomessage"; 
-	private final static  String CMD_SET_LOGIN_BLOCKED          = "setloginblocked";
-	private final static  String CMD_SET_LOGIN_NOT_BLOCKED      = "setloginnotblocked";
-	private final static  String CMD_SET_MAX_SESSIONS           = "setmaxsessions";
-	private final static  String CMD_INVALIDATE_ALL_SESSIONS    = "invalidateallsessions";
-	private final static  String CMD_INVALIDATE_OLDEST_SESSIONS = "invalidateoldestsessions";
-	private final static  String CMD_SET_SESSIONTIMEOUT         = "sessiontimeout";
+	private static final String CMD_SET_MAINTENANCE_MESSAGE    = "setmaintenancemessage";
+	private static final String CMD_SET_INFO_MESSAGE    	   = "setinfomessage"; 
+	private static final String CMD_SET_LOGIN_BLOCKED          = "setloginblocked";
+	private static final String CMD_SET_LOGIN_NOT_BLOCKED      = "setloginnotblocked";
+	private static final String CMD_SET_MAX_SESSIONS           = "setmaxsessions";
+	private static final String CMD_INVALIDATE_ALL_SESSIONS    = "invalidateallsessions";
+	private static final String CMD_INVALIDATE_OLDEST_SESSIONS = "invalidateoldestsessions";
+	private static final String CMD_SET_SESSIONTIMEOUT         = "sessiontimeout";
 	
-	
-	/** 
-	 * @see org.olat.core.dispatcher.Dispatcher#execute(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String)
-	 */
+
 	@Override
 	public void execute(HttpServletRequest request, HttpServletResponse response) {
 		String cmd = request.getParameter(PARAMETER_CMD);
-		if (cmd.equalsIgnoreCase(CMD_SET_MAINTENANCE_MESSAGE) || cmd.equalsIgnoreCase(CMD_SET_INFO_MESSAGE)) {
+		if (CMD_SET_MAINTENANCE_MESSAGE.equalsIgnoreCase(cmd) || CMD_SET_INFO_MESSAGE.equalsIgnoreCase(cmd)) {
 			handleSetMaintenanceOrInfoMessage(request, response, cmd);
 		} else {
 			if (CoreSpringFactory.getImpl(AdminModule.class).checkSessionAdminToken(request)) {
@@ -182,7 +179,4 @@ public class AdminModuleDispatcher implements Dispatcher {
 			DispatcherModule.sendForbidden(request.getPathInfo(), response);
 		}
 	}
-
-	
-
 }

src/main/java/org/olat/core/servlets/StaticServlet.java

@@ -107,7 +107,7 @@ public class StaticServlet extends HttpServlet {
 			// version provided - remove it
 			int start = pathInfo.indexOf("/", 2);
 			int end = pathInfo.length();
-			if(start <= end) {
+			if(start >= 2 && start <= end) {
 				String staticRelPath = pathInfo.substring(start, end);
 				String normalizedRelPath = ServletUtil.normalizePath(staticRelPath);
 				if (normalizedRelPath == null) {
@@ -170,7 +170,7 @@ public class StaticServlet extends HttpServlet {
 					}
 				}
 				// log as error, file exists but wrongly mapped
-				log.warn("File exists but not mapped using version - use StaticMediaDispatch methods to create URL of static files! invalid URI::" + request.getRequestURI());			
+				log.warn("File exists but not mapped using version - use StaticMediaDispatch methods to create URL of static files! invalid URI::{}", request.getRequestURI());			
 			}
 		}
 		

src/main/java/org/olat/modules/webFeed/dispatching/FeedMediaDispatcher.java

@@ -166,7 +166,7 @@ public class FeedMediaDispatcher implements Dispatcher, GenericEventListener {
 						try {
 							validatedUriCache.remove(key);
 						} catch (Exception e) {
-							log.info("Cannot remove this key: " + key);
+							log.info("Cannot remove this key: {}", key);
 						}
 					}
 				}
@@ -186,6 +186,11 @@ public class FeedMediaDispatcher implements Dispatcher, GenericEventListener {
 		} catch(NumberFormatException nfe) {
 			//
 		}
+		
+		if(requestedPath == null || requestedPath.length() == 0) {
+			DispatcherModule.sendBadRequest(request.getRequestURI(), response);
+			return;
+		}
 
 		Path path = null;
 		try {

src/main/webapp-tomcat/WEB-INF/web.xml

@@ -264,4 +264,13 @@
     	<exception-type>java.lang.Throwable</exception-type>
     	<location>/errors/error.html</location>
     </error-page>
+    
+    <security-constraint>
+		<web-resource-collection>
+			<web-resource-name><strong>restricted methods</strong></web-resource-name>
+			<url-pattern>/*</url-pattern>
+			<http-method>TRACE</http-method>
+		</web-resource-collection>
+		<auth-constraint />
+    </security-constraint>
 </web-app>