From 2a6003c5d2681d8fa006af733b7dad60e1fd1b9d Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch
Date: Thu, 18 Mar 2021 07:47:38 +0100
Subject: [PATCH] Sanitize cookie keys in Wikibase extension. Fixes #3745. (#3746)

---
 .../wikidata/commands/LoginCommand.java | 15 ++++++++++++++-
 .../wikidata/commands/LoginCommandTest.java | 7 ++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java b/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
index 3efeb9a87..3d30daa00 100644
--- a/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
+++ b/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
@@ -40,6 +40,8 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import static org.apache.commons.lang.StringUtils.isBlank;
 import static org.apache.commons.lang.StringUtils.isNotBlank;
@@ -67,6 +69,8 @@ public class LoginCommand extends Command {
 static final String CONSUMER_SECRET = "wb-consumer-secret";
 static final String ACCESS_TOKEN = "wb-access-token";
 static final String ACCESS_SECRET = "wb-access-secret";
+
+ static final Pattern cookieKeyDisallowedCharacters = Pattern.compile("[^a-zA-Z0-9\\-!#$%&'*+.?\\^_`|~]");
 
 @Override
 public void doPost(HttpServletRequest request, HttpServletResponse response)
@@ -83,7 +87,7 @@ public class LoginCommand extends Command {
 CommandUtilities.respondError(response, "missing parameter '" + API_ENDPOINT + "'");
 return;
 }
- String mediawikiApiEndpointPrefix = mediawikiApiEndpoint + '-';
+ String mediawikiApiEndpointPrefix = sanitizeCookieKey(mediawikiApiEndpoint + '-');
 
 if ("true".equals(request.getParameter("logout"))) {
 manager.logout(mediawikiApiEndpoint);
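Review bot: The character class behind `cookieKeyDisallowedCharacters` keeps `?` as an allowed character, but `?` is a separator in the RFC 2616 token grammar that RFC 6265 cookie names are built from, so an endpoint containing a query character would survive sanitization and could still be rejected by a name-validating `Cookie` constructor; remove the `?` from the class. The field is a `static final` constant declared next to `CONSUMER_SECRET`, `ACCESS_TOKEN` and `ACCESS_SECRET`, so the sibling naming would be `COOKIE_KEY_DISALLOWED_CHARACTERS`, and it can be `private` unless another class needs it. A one-line Javadoc stating the rule would help the next reader: `/** Matches every character that is not permitted in an RFC 6265 cookie name (token characters). */`.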
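Review bot: Mapping every disallowed character to the same `-` in `sanitizeCookieKey(mediawikiApiEndpoint + '-')` is lossy, so two distinct endpoints that differ only in punctuation (for example `https://a.org/w/api.php` and `https://a.org/w-api.php`) collapse to the same prefix and would read and write the same stored credentials. If per-endpoint isolation of the cookies matters, an injective encoding (percent-encoding, or a hex digest of the endpoint) keeps the prefixes distinct; if the collision is acceptable for the URLs expected here, a short comment at the call site saying so would save the next reader the analysis. The body of doPost starts and ends outside this hunk.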
@@ -268,4 +272,13 @@ public class LoginCommand extends Command {
 return str.replaceAll("[\n\r]", "");
 }
 }
+
+ /**
+ * Removes special characters from cookie keys,
+ * replacing them by hyphens.
+ */
+ static String sanitizeCookieKey(String key) {
+ Matcher matcher = cookieKeyDisallowedCharacters.matcher(key);
+ return matcher.replaceAll("-");
+ }
 }
diff --git a/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java b/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
index a7b18e1f1..c6f0f8a74 100644
--- a/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
+++ b/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
@@ -40,7 +40,7 @@ import static org.testng.Assert.*;
 public class LoginCommandTest extends CommandTest {
 private static final String apiEndpoint = "https://www.wikidata.org/w/api.php";
- private static final String apiEndpointPrefix = apiEndpoint + "-";
+ private static final String apiEndpointPrefix = sanitizeCookieKey(apiEndpoint) + "-";
 private static final String username = "my_username";
 private static final String password = "my_password";
@@ -567,4 +567,9 @@ public class LoginCommandTest extends CommandTest {
 assertEquals(removeCRLF("a\rb\nc\r\n\r\nd"), "abcd");
 assertEquals(removeCRLF(null), "");
 }
+
+ @Test
+ public void testSanitizeCookieKey() {
+ assertEquals(sanitizeCookieKey("https://www.wikidata.org/"), "https---www.wikidata.org-");
+ }
 }
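Review bot: `sanitizeCookieKey` throws a `NullPointerException` from `cookieKeyDisallowedCharacters.matcher(key)` when `key` is null, while its sibling `removeCRLF` just above returns `""` for null (the existing test in this file asserts `removeCRLF(null)` is `""`); either mirror that with `if (key == null) { return ""; }` or document the precondition. The Javadoc also reads as if characters are removed when they are substituted; a more precise summary is `Replaces every character that is not allowed in a cookie name with a hyphen.` with `@param key the raw cookie key, must not be null` and `@return the sanitized key, never null` so the contract is explicit.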
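Review bot: `apiEndpointPrefix` is now computed by `sanitizeCookieKey`, the function under test, so the fixture can no longer catch a regression in how the prefix is derived: if sanitization started producing the wrong string, every assertion built from `apiEndpointPrefix` would still pass. Pin the expected value as a literal instead, `private static final String apiEndpointPrefix = "https---www.wikidata.org-w-api.php-";`. Note also that the test derives it as `sanitizeCookieKey(apiEndpoint) + "-"` while production uses `sanitizeCookieKey(mediawikiApiEndpoint + '-')`; the two agree only because `-` is an allowed character, which a literal makes irrelevant.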
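Review bot: `testSanitizeCookieKey` exercises only `:` and `/`; it does not show that allowed punctuation is preserved or that whitespace and non-ASCII input are rewritten, which are the cases a reviewer of the character class will want covered. Two more assertions would do it: `assertEquals(sanitizeCookieKey("a.b_c-d"), "a.b_c-d");` and `assertEquals(sanitizeCookieKey("a b=c"), "a-b-c");`. A null case is worth adding once the null behaviour of `sanitizeCookieKey` is decided, so it matches the `removeCRLF(null)` assertion in the same class.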