diff --git a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
index 003df0959..b866c4571 100644
--- a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
@@ -91,13 +91,22 @@ public class UserInfoHelper {
             return null;
         }
 
-        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
-        userCode = cipher.encrypt(userCode);
+        userCode = createUserCodeFromUserId(userCode);
         request.setAttribute(Constants.USER_CODE, userCode);
         deleteUserCodeFromCookie(request);
         return userCode;
     }
 
+    protected String createUserCodeFromUserId(String userCode) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
+        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
+        userCode = cipher.encrypt(userCode);
+        if (fessConfig.isValidUserCode(userCode)) {
+            return userCode;
+        }
+        return null;
+    }
+
     public void deleteUserCodeFromCookie(final HttpServletRequest request) {
         final String cookieValue = getUserCodeFromCookie(request);
         if (cookieValue != null) {
@@ -112,12 +121,6 @@ public class UserInfoHelper {
             return null;
         }
 
-        final int length = userCode.length();
-        if (fessConfig.getUserCodeMinLengthAsInteger().intValue() > length || fessConfig.getUserCodeMaxLengthAsInteger().intValue() < length) {
-            return null;
-        }
-
         if (fessConfig.isValidUserCode(userCode)) {
             request.setAttribute(Constants.USER_CODE, userCode);
             return userCode;
@@ -155,10 +158,11 @@ public class UserInfoHelper {
     }
 
     protected String getUserCodeFromCookie(final HttpServletRequest request) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
         final Cookie[] cookies = request.getCookies();
         if (cookies != null) {
             for (final Cookie cookie : cookies) {
-                if (cookieName.equals(cookie.getName())) {
+                if (cookieName.equals(cookie.getName()) && fessConfig.isValidUserCode(cookie.getValue())) {
                     return cookie.getValue();
                 }
             }
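Review bot: In createUserCodeFromUserId the validation-failure path returns null without any trace, and the caller in the first hunk then passes that null straight into `request.setAttribute(Constants.USER_CODE, userCode)` and returns it; the servlet API treats a null attribute value as a remove, so this does not crash, but nothing tells an operator why a long user id silently yields no user code (the UserInfoHelperTest hunk shows a 90-character id taking exactly this path). If the class has a logger, a debug line before the `return null;` that records only the length, e.g. `logger.debug("Encrypted user code rejected by isValidUserCode: length={}", userCode.length());`, plus a Javadoc such as `/** Encrypts the given user id into a user code; returns null when the result fails FessConfig.isValidUserCode (for example, exceeds the configured maximum length). */` would close that gap. The parameter is also named userCode although it holds the plain user id and is reassigned, unlike the surrounding `final` parameters; `protected String createUserCodeFromUserId(final String userId)` with a local for the encrypted value reads more honestly. The enclosing method of the first hunk starts outside it.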
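Review bot: The `fessConfig.isValidUserCode(cookie.getValue())` filter added in getUserCodeFromCookie (third hunk) changes what deleteUserCodeFromCookie sees: per the context in the first hunk that method calls getUserCodeFromCookie and appears to act only when the value is non-null, so a cookie named cookieName whose value fails the length or pattern check is now never expired, stays in the browser, and is re-sent and re-rejected on every request. Validating client-supplied cookie values before use is the right call, but if ignoring rather than expiring invalid ones is intended, a comment should say so, e.g. `// Cookie values that fail isValidUserCode are ignored, not expired; the caller issues a fresh user code.`; otherwise deleteUserCodeFromCookie should locate the cookie by name alone. The loop and the method's return continue outside the hunk.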
diff --git a/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java b/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
index d47c5b1d3..456383f2d 100644
--- a/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
+++ b/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
@@ -1675,10 +1675,20 @@ public interface FessProp {
     String getUserCodePattern();
 
+    Integer getUserCodeMinLengthAsInteger();
+
+    Integer getUserCodeMaxLengthAsInteger();
+
     default boolean isValidUserCode(final String userCode) {
         if (userCode == null) {
             return false;
         }
+
+        final int length = userCode.length();
+        if (getUserCodeMinLengthAsInteger().intValue() > length || getUserCodeMaxLengthAsInteger().intValue() < length) {
+            return false;
+        }
+
         Pattern pattern = (Pattern) propMap.get(USER_CODE_PATTERN);
         if (pattern == null) {
             pattern = Pattern.compile(getUserCodePattern());
diff --git a/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java b/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
index f645c5dd5..c6ccb1b75 100644
--- a/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
+++ b/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
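Review bot: The new length guard in isValidUserCode and the two added accessors getUserCodeMinLengthAsInteger/getUserCodeMaxLengthAsInteger carry no Javadoc, so the contract (null rejected, length within the inclusive min..max bounds, then the configured pattern) is stated only by FessPropTest. A Javadoc on the default method would fix that, e.g. `/** Returns true only when userCode is non-null, its length in UTF-16 units lies within [getUserCodeMinLengthAsInteger(), getUserCodeMaxLengthAsInteger()] inclusive, and it matches getUserCodePattern(). */`; whether the pattern must match the whole string or any substring is decided by the matcher call below the hunk, so the wording should follow that call. Running the cheap length check before the regex is a good ordering for values that arrive from cookies and request parameters; the explicit `.intValue()` is redundant with auto-unboxing, and either form throws NullPointerException if a property is unset, which is worth a word in the Javadoc. The method body continues outside the hunk.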
@@ -70,4 +70,15 @@ public class UserInfoHelperTest extends UnitFessTestCase {
         request.setParameter("userCode", buf.toString() + "x");
         assertNull(userInfoHelper.getUserCodeFromRequest(request));
     }
+
+    public void test_createUserCodeFromUserId() {
+        UserInfoHelper userInfoHelper = new UserInfoHelper();
+        assertEquals("009ab986effa1a9664ada54eb81d7fce", userInfoHelper.createUserCodeFromUserId("a"));
+        assertEquals("b17816944bb30c19cb3265480470288caaa93e36666527a57ca94d8a8b8d7b80",
+                userInfoHelper.createUserCodeFromUserId("test@example.com"));
+        assertEquals("41ebbef035e6cebb9d0cf6b98266d9335abd454718a3b172efa30635ef19f1cc",
+                userInfoHelper.createUserCodeFromUserId("!\"#$%&'()'\\^-=,./_?><+*}{`P@[]"));
+        assertNull(userInfoHelper
+                .createUserCodeFromUserId("123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"));
+    }
 }
diff --git a/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java b/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
index 0d38b6680..29e74fddb 100644
--- a/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
+++ b/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
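Review bot: test_createUserCodeFromUserId pins exact ciphertexts (32 hex characters for "a", 64 for the longer inputs), which couples the test to whatever key and algorithm the test-scope PrimaryCipher is configured with; any change to that test fixture breaks the assertions without a regression in createUserCodeFromUserId. Asserting the property the method actually guarantees is more durable, e.g. `assertTrue(fessConfig.isValidUserCode(userInfoHelper.createUserCodeFromUserId("a")));` against the configured FessConfig alongside the existing assertNull, or at least a one-line comment above the assertions stating that these are the deterministic outputs of the test cipher. The null case is also only exercised with a 90-character id; an input whose encrypted length lands exactly on the configured maximum would pin the inclusive boundary.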
@@ -234,6 +234,34 @@ public class FessPropTest extends UnitFessTestCase {
         assertEquals(Locale.TRADITIONAL_CHINESE, fessConfig.getQueryLocaleFromName("test_zh_TW"));
     }
 
+    public void test_isValidUserCode() {
+        FessProp.propMap.clear();
+        FessConfig fessConfig = new FessConfig.SimpleImpl() {
+            @Override
+            public Integer getUserCodeMinLengthAsInteger() {
+                return 10;
+            }
+
+            @Override
+            public Integer getUserCodeMaxLengthAsInteger() {
+                return 20;
+            }
+
+            @Override
+            public String getUserCodePattern() {
+                return "[a-zA-Z0-9_]+";
+            }
+        };
+
+        assertTrue(fessConfig.isValidUserCode("1234567890"));
+        assertTrue(fessConfig.isValidUserCode("12345678901234567890"));
+        assertTrue(fessConfig.isValidUserCode("1234567890abcdeABCD_"));
+
+        assertFalse(fessConfig.isValidUserCode("123456789"));
+        assertFalse(fessConfig.isValidUserCode("123456789012345678901"));
+        assertFalse(fessConfig.isValidUserCode("123456789?"));
+    }
+
     private void assertArrays(final String[] expected, final String[] actual) {
         Arrays.sort(expected);
         Arrays.sort(actual);
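Review bot: test_isValidUserCode clears FessProp.propMap before installing the anonymous FessConfig but never clears it afterwards, so the compiled `[a-zA-Z0-9_]+` Pattern that isValidUserCode caches under USER_CODE_PATTERN (see the FessProp hunk) outlives this test and shadows whatever pattern a later test in the same JVM configures. Wrapping the assertions in try/finally with `FessProp.propMap.clear();` in the finally block, or clearing in tearDown, keeps the test self-contained. The null branch of isValidUserCode is also untested here; `assertFalse(fessConfig.isValidUserCode(null));` would cover it.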