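/**
 * Copyright 2005-2016 The Kuali Foundation
 *
 * Licensed under the Educational Community License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.opensource.org/licenses/ecl2.php
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.kuali.rice.kns.web.filter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Filters parameters coming in through Struts requests to exclude those that could be damaging to the class loader in
 * response to CVE-2014-0114.
 *
 * <p>The {@code excludeParams} init parameter is a regular expression. A request parameter is hidden when its
 * <em>whole</em> name matches that expression ({@code Matcher.matches()}, not {@code find()}), so an expression that
 * is meant to block a prefix such as a {@code class.} chain must account for the rest of the name (for example with
 * a trailing {@code .*}). The expression is compiled once in {@link #init(FilterConfig)}; a missing, blank or
 * malformed value fails filter initialization instead of failing on every request.
 *
 * @deprecated Patches Struts 1 which is end-of-life and will eventually be removed from Rice.
 *
 * @author Kuali Rice Team (rice.collab@kuali.org)
 */
@Deprecated
public class ParameterFilter implements Filter {

    /** Name of the init parameter that carries the exclusion regular expression. */
    private static final String EXCLUDE_PARAMS_INIT_PARAM = "excludeParams";

    /** Compiled exclusion pattern; assigned exactly once in {@link #init(FilterConfig)}. */
    private Pattern excludeParams;

    /**
     * Reads and compiles the {@code excludeParams} regular expression.
     *
     * @param filterConfig the configuration supplied by the container
     * @throws ServletException if the init parameter is absent, blank, or not a valid regular expression
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String regex = filterConfig.getInitParameter(EXCLUDE_PARAMS_INIT_PARAM);

        if (regex == null || regex.trim().isEmpty()) {
            // Fail at startup: a null value would otherwise surface as a NullPointerException on every request,
            // and a blank value would leave the filter protecting nothing.
            throw new ServletException("ParameterFilter requires a non-empty '" + EXCLUDE_PARAMS_INIT_PARAM
                    + "' init parameter");
        }

        try {
            this.excludeParams = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            throw new ServletException("ParameterFilter init parameter '" + EXCLUDE_PARAMS_INIT_PARAM
                    + "' is not a valid regular expression", e);
        }
    }

    /**
     * Wraps the request so that excluded parameters are invisible to every filter and servlet further down the chain.
     *
     * @param request the incoming request; filter mappings only deliver {@link HttpServletRequest} instances
     * @param response the response, passed through untouched
     * @param chain the remainder of the filter chain
     * @throws IOException if the chain throws it
     * @throws ServletException if the chain throws it
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new FilteredServletRequest(request, excludeParams), response);
    }

    @Override
    public void destroy() { }

    /**
     * Request wrapper that hides every parameter whose name matches the exclusion pattern from all four parameter
     * accessors, so an excluded parameter can neither be enumerated nor fetched by name.
     */
    private static class FilteredServletRequest extends HttpServletRequestWrapper {

        private final Pattern excludeParams;

        /**
         * @param request the request to wrap; a non-HTTP request is a deployment error and fails loudly here
         * @param excludeParams the already-compiled exclusion pattern
         */
        private FilteredServletRequest(ServletRequest request, Pattern excludeParams) {
            super((HttpServletRequest) request);

            this.excludeParams = excludeParams;
        }

        /**
         * Single decision point shared by all accessors so they cannot drift apart.
         *
         * @param parameterName the parameter name to test; {@code null} is never excluded and is left to the
         *        wrapped request to handle
         * @return {@code true} if the whole name matches the exclusion pattern
         */
        private boolean isExcluded(String parameterName) {
            return parameterName != null && excludeParams.matcher(parameterName).matches();
        }

        @Override
        @SuppressWarnings({"rawtypes", "unchecked"})
        public Enumeration getParameterNames() {
            ArrayList<String> requestParameterNames = Collections.list(super.getParameterNames());

            List<String> allowedParameterNames = new ArrayList<String>(requestParameterNames.size());

            for (String parameterName : requestParameterNames) {
                if (!isExcluded(parameterName)) {
                    allowedParameterNames.add(parameterName);
                }
            }

            return Collections.enumeration(allowedParameterNames);
        }

        @Override
        @SuppressWarnings("rawtypes")
        public Map getParameterMap() {
            Map requestParameterMap = super.getParameterMap();

            Map<String, Object> allowedParameterMap = new HashMap<String, Object>();

            for (Object entryObject : requestParameterMap.entrySet()) {
                Map.Entry entry = (Map.Entry) entryObject;
                Object key = entry.getKey();

                // Only String keys can be parameter names; any other key type is dropped.
                if (key instanceof String && !isExcluded((String) key)) {
                    allowedParameterMap.put((String) key, entry.getValue());
                }
            }

            // ServletRequest.getParameterMap() is specified to return an immutable map; callers cannot re-add an
            // excluded entry through the returned view.
            return Collections.unmodifiableMap(allowedParameterMap);
        }

        @Override
        public String[] getParameterValues(String name) {
            return isExcluded(name) ? null : super.getParameterValues(name);
        }

        @Override
        public String getParameter(String name) {
            return isExcluded(name) ? null : super.getParameter(name);
        }
    }

}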