
fix #2582 check usercode

Shinsuke Sugaya 4 年之前
3ac1ab99f7

+ 13 - 9
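--- a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
@@ -91,13 +91,22 @@ public class UserInfoHelper {
             return null;
         }
 
-        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
-        userCode = cipher.encrypt(userCode);
+        userCode = createUserCodeFromUserId(userCode);
         request.setAttribute(Constants.USER_CODE, userCode);
         deleteUserCodeFromCookie(request);
         return userCode;
     }
 
+    protected String createUserCodeFromUserId(String userCode) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
+        final PrimaryCipher cipher = ComponentUtil.getPrimaryCipher();
+        userCode = cipher.encrypt(userCode);
+        if (fessConfig.isValidUserCode(userCode)) {
+            return userCode;
+        }
+        return null;
+    }
+
     public void deleteUserCodeFromCookie(final HttpServletRequest request) {
         final String cookieValue = getUserCodeFromCookie(request);
         if (cookieValue != null) {
@@ -112,12 +121,6 @@ public class UserInfoHelper {
             return null;
         }
 
-        final int length = userCode.length();
-        if (fessConfig.getUserCodeMinLengthAsInteger().intValue() > length
-                || fessConfig.getUserCodeMaxLengthAsInteger().intValue() < length) {
-            return null;
-        }
-
         if (fessConfig.isValidUserCode(userCode)) {
             request.setAttribute(Constants.USER_CODE, userCode);
             return userCode;
@@ -155,10 +158,11 @@ public class UserInfoHelper {
     }
 
     protected String getUserCodeFromCookie(final HttpServletRequest request) {
+        final FessConfig fessConfig = ComponentUtil.getFessConfig();
         final Cookie[] cookies = request.getCookies();
         if (cookies != null) {
             for (final Cookie cookie : cookies) {
-                if (cookieName.equals(cookie.getName())) {
+                if (cookieName.equals(cookie.getName()) && fessConfig.isValidUserCode(cookie.getValue())) {
                     return cookie.getValue();
                 }
             }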
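Review bot: Filtering invalid values inside `getUserCodeFromCookie` (third hunk) changes what `deleteUserCodeFromCookie` sees: that method calls `getUserCodeFromCookie` and only acts when the result is non-null, so a cookie whose value fails `isValidUserCode` is now treated as absent and is apparently never cleared from the client; if malformed cookies are meant to be discarded rather than left in place, the deletion path should match on cookie name alone. The rest of `deleteUserCodeFromCookie` is outside the hunk, so this is inferred from the visible call. Separately, `createUserCodeFromUserId(String userCode)` takes a user id by its name but reuses the parameter to hold the encrypted result; `protected String createUserCodeFromUserId(final String userId)` with a local `final String userCode = cipher.encrypt(userId);` would match the `final` parameter style used by the neighbouring methods and keep the two values distinct. A one-line Javadoc such as `/** Derives the user code by encrypting the user id; returns null when the result does not satisfy the configured user code constraints. */` would document the new null return.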

+ 10 - 0
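--- a/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
+++ b/src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java
@@ -1675,10 +1675,20 @@ public interface FessProp {
 
     String getUserCodePattern();
 
+    Integer getUserCodeMinLengthAsInteger();
+
+    Integer getUserCodeMaxLengthAsInteger();
+
     default boolean isValidUserCode(final String userCode) {
         if (userCode == null) {
             return false;
         }
+
+        final int length = userCode.length();
+        if (getUserCodeMinLengthAsInteger().intValue() > length || getUserCodeMaxLengthAsInteger().intValue() < length) {
+            return false;
+        }
+
         Pattern pattern = (Pattern) propMap.get(USER_CODE_PATTERN);
         if (pattern == null) {
             pattern = Pattern.compile(getUserCodePattern());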
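Review bot: `isValidUserCode` and the two new length accessors carry no Javadoc, and this hunk changes the method's contract (it now also enforces the configured length bounds), so a reader of the interface cannot tell that a length failure and a pattern failure are both reported as `false`. Suggest a short Javadoc on `isValidUserCode` stating that a code is valid only when it is non-null, its length lies within `getUserCodeMinLengthAsInteger()`..`getUserCodeMaxLengthAsInteger()` inclusive, and it is accepted by the pattern compiled from `getUserCodePattern()` (the matching call itself is below the hunk). The `.intValue()` calls unbox and throw `NullPointerException` if either accessor returns null; whether that can happen depends on the generated implementation and its defaults, which are not visible here, so either document the non-null expectation on the accessors or guard it. As a point of style, `getUserCodeMinLengthAsInteger() > length` unboxes implicitly and reads the same as the explicit `.intValue()`.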

+ 11 - 0
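--- a/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
+++ b/src/test/java/org/codelibs/fess/helper/UserInfoHelperTest.java
@@ -70,4 +70,15 @@ public class UserInfoHelperTest extends UnitFessTestCase {
         request.setParameter("userCode", buf.toString() + "x");
         assertNull(userInfoHelper.getUserCodeFromRequest(request));
     }
+
+    public void test_createUserCodeFromUserId() {
+        UserInfoHelper userInfoHelper = new UserInfoHelper();
+        assertEquals("009ab986effa1a9664ada54eb81d7fce", userInfoHelper.createUserCodeFromUserId("a"));
+        assertEquals("b17816944bb30c19cb3265480470288caaa93e36666527a57ca94d8a8b8d7b80",
+                userInfoHelper.createUserCodeFromUserId("test@example.com"));
+        assertEquals("41ebbef035e6cebb9d0cf6b98266d9335abd454718a3b172efa30635ef19f1cc",
+                userInfoHelper.createUserCodeFromUserId("!\"#$%&'()'\\^-=,./_?><+*}{`P@[]"));
+        assertNull(userInfoHelper
+                .createUserCodeFromUserId("123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"));
+    }
 }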
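Review bot: The closing `assertNull` in `test_createUserCodeFromUserId` does not say which constraint the 90-character input is expected to violate — the encrypted output's length or the user code pattern — so a later change to either bound could make the assertion pass or fail for the wrong reason; a comment such as `// encrypted value for a 90-char id falls outside the configured user code constraints — confirm which bound applies against the default config` would pin the intent. The expected hex strings are tied to whatever the default primary cipher produces; if that cipher is keyed or configurable (not visible here), the test will break under a different key, which is worth a comment on the method. `UserInfoHelper userInfoHelper` could be `final`, matching the `final` locals used in the main code of this commit.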

+ 28 - 0
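--- a/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
+++ b/src/test/java/org/codelibs/fess/mylasta/direction/FessPropTest.java
@@ -234,6 +234,34 @@ public class FessPropTest extends UnitFessTestCase {
         assertEquals(Locale.TRADITIONAL_CHINESE, fessConfig.getQueryLocaleFromName("test_zh_TW"));
     }
 
+    public void test_isValidUserCode() {
+        FessProp.propMap.clear();
+        FessConfig fessConfig = new FessConfig.SimpleImpl() {
+            @Override
+            public Integer getUserCodeMinLengthAsInteger() {
+                return 10;
+            }
+
+            @Override
+            public Integer getUserCodeMaxLengthAsInteger() {
+                return 20;
+            }
+
+            @Override
+            public String getUserCodePattern() {
+                return "[a-zA-Z0-9_]+";
+            }
+        };
+
+        assertTrue(fessConfig.isValidUserCode("1234567890"));
+        assertTrue(fessConfig.isValidUserCode("12345678901234567890"));
+        assertTrue(fessConfig.isValidUserCode("1234567890abcdeABCD_"));
+
+        assertFalse(fessConfig.isValidUserCode("123456789"));
+        assertFalse(fessConfig.isValidUserCode("123456789012345678901"));
+        assertFalse(fessConfig.isValidUserCode("123456789?"));
+    }
+
     private void assertArrays(final String[] expected, final String[] actual) {
         Arrays.sort(expected);
         Arrays.sort(actual);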
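Review bot: `test_isValidUserCode` does not cover the `null` branch that `isValidUserCode` handles explicitly, nor the empty string, although both are the cheapest inputs to get wrong when the length check is reordered; add `assertFalse(fessConfig.isValidUserCode(null));` and `assertFalse(fessConfig.isValidUserCode(""));`. `FessProp.propMap.clear()` resets shared static state — the compiled user code pattern is read from that map in the FessProp hunk — but nothing restores it afterwards, so a test running later in the same JVM may observe the pattern compiled from `"[a-zA-Z0-9_]+"`; clearing the map again at the end of the method, or in tearDown, would keep the tests independent. `FessConfig fessConfig` could be `final`.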