Add more filters templates that are not in the right directory.

NOAA-PMEL · Aug 1, 2022 · 6c5d957 · 6c5d957
2 parents 42d0c57 + 9afbb88
commit 6c5d957
Show file tree

Hide file tree

Showing 19 changed files with 46 additions and 5 deletions.
diff --git a/JavaSource/gov/noaa/pmel/tmap/iosp/FerretDataSource.java b/JavaSource/gov/noaa/pmel/tmap/iosp/FerretDataSource.java
@@ -57,6 +57,12 @@ public NetcdfFile getNetcdfFile(HttpServletRequest req, HttpServletResponse res)
         	url = urlbuf.toString();
         }
 
+        // Are there still escaped curly braces?
+        // Sometimes the client encodes a URL that is already encoded.
+        while ( url.contains("%7B") || url.contains("%7D") ) {
+            url = URLDecoder.decode(url, "UTF-8");
+        }
+
         log.debug("building netcdf file from "+url);
 
         String base = getBaseURL(url);

diff --git a/JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java b/JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java
@@ -313,7 +313,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
             	response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal query parameter.");
             	return;
             }
-            if ( !validateTemplates(request) ) {
+            if ( !validateTemplateAndImage(request) ) {
 				LASAction.logerror(request, "Illegal request parameter value.", "Request contains a parameter value that is not allowed.");
 				response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal query parameter value.");
 				return;
@@ -390,7 +390,12 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
 	private boolean validPath(HttpServletRequest request) {
 		String v = request.getRequestURI();
-		if (v.toLowerCase().contains(">") || v.toLowerCase().contains("<") || (v.toLowerCase().contains("script") && !v.contains("JavaScript"))) {
+		if (v.toLowerCase().contains(">") ||
+                v.toLowerCase().contains("<") ||
+                v.toLowerCase().contains("meta") ||
+                v.toLowerCase().contains("refresh") ||
+                v.toLowerCase().contains("equiv") ||
+                (v.toLowerCase().contains("script") && !v.contains("JavaScript"))) {
 		    return false;
 		}
 		if ( v.endsWith(".vm") ) {
@@ -405,7 +410,7 @@ private boolean validPath(HttpServletRequest request) {
 		return true;
 	}
 
-	public boolean validateTemplates(HttpServletRequest request) {
+	public boolean validateTemplateAndImage(HttpServletRequest request) {
 		String value[] = request.getParameterValues("template");
 		if ( value != null ) {
             for (int i = 0; i < value.length; i++) {
@@ -414,10 +419,39 @@ public boolean validateTemplates(HttpServletRequest request) {
                     v.toLowerCase().contains("<") || 
                     v.toLowerCase().contains("script") || 
                     v.toLowerCase().contains("..") ) {
+                if ( v.equals(vm[i]) ) {
+                    return true;
+                }
+                if (v.toLowerCase().contains(">") ||
+						v.toLowerCase().contains("<") ||
+						v.toLowerCase().contains("script") ||
+						v.toLowerCase().contains("meta") ||
+						v.toLowerCase().contains("refresh") ||
+						v.toLowerCase().contains("equiv")
+				) {
+>>>>>>> 9afbb8887c0051a06c31109e97022991c57db476
                     return false;
                 }
             }
         }
+		String images[] = request.getParameterValues("image");
+		if ( images != null ) {
+			for (int i = 0; i < images.length; i++) {
+				String v = images[i];
+				if (v.toLowerCase().contains(">") ||
+						v.toLowerCase().contains("<") ||
+						v.toLowerCase().contains("script") ||
+						v.toLowerCase().contains("meta") ||
+						v.toLowerCase().contains("refresh") ||
+						v.toLowerCase().contains("equiv")
+				) {
+					return false;
+				}
+				if ( !v.endsWith("plot_image.png") ) {
+					return false;
+				}
+			}
+		}
 		return true;
 	}
 	public void init(FilterConfig arg0) throws ServletException {

diff --git a/JavaSource/gov/noaa/pmel/tmap/las/ui/GetAnnotations.java b/JavaSource/gov/noaa/pmel/tmap/las/ui/GetAnnotations.java
@@ -15,6 +15,7 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import ucar.ma2.Array;
 
 /** 
  * MyEclipse Struts
@@ -63,7 +64,7 @@ public String execute() throws Exception {
 		}
 		String[] files = request.getParameterValues("file");
 		String[] images = request.getParameterValues("image");
-		
+
 		if ( files != null ) {
 			if ( files.length == 1 ) {			
 				LASAnnotations lasAnnotations = new LASAnnotations();
@@ -123,4 +124,4 @@ public String getTemplate() {
 	public void setTemplate(String template) {
 		this.template = template;
 	}
-}
+}
diff --git a/WebContent/WEB-INF/lib/commons-logging-1.1.3.jar b/WebContent/WEB-INF/lib/commons-logging-1.1.3.jar
diff --git a/WebContent/WEB-INF/lib/commons-logging-1.2.jar b/WebContent/WEB-INF/lib/commons-logging-1.2.jar
diff --git a/WebContent/WEB-INF/lib/log4j-1.2-api-2.11.1.jar b/WebContent/WEB-INF/lib/log4j-1.2-api-2.11.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-api-2.11.1.jar b/WebContent/WEB-INF/lib/log4j-api-2.11.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-api-2.17.1.jar b/WebContent/WEB-INF/lib/log4j-api-2.17.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-core-2.11.1.jar b/WebContent/WEB-INF/lib/log4j-core-2.11.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-core-2.17.1.jar b/WebContent/WEB-INF/lib/log4j-core-2.17.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar b/WebContent/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
diff --git a/WebContent/WEB-INF/lib/log4j-web-2.17.1.jar b/WebContent/WEB-INF/lib/log4j-web-2.17.1.jar
diff --git a/WebContent/WEB-INF/lib/slf4j-log4j12-1.7.25.jar b/WebContent/WEB-INF/lib/slf4j-log4j12-1.7.25.jar
diff --git a/...ntent/WEB-INF/lib/struts2-core-2.5.17.jar → ...ntent/WEB-INF/lib/struts2-core-2.5.30.jar b/...ntent/WEB-INF/lib/struts2-core-2.5.17.jar → ...ntent/WEB-INF/lib/struts2-core-2.5.30.jar
diff --git a/commons-logging-1.2.jar b/commons-logging-1.2.jar
diff --git a/log4j-1.2-api-2.16.0.jar b/log4j-1.2-api-2.16.0.jar
diff --git a/log4j-api-2.16.0.jar b/log4j-api-2.16.0.jar
diff --git a/log4j-core-2.16.0.jar b/log4j-core-2.16.0.jar
diff --git a/log4j-slf4j-impl-2.16.0.jar b/log4j-slf4j-impl-2.16.0.jar