diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/PageServlet.java b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/PageServlet.java
index 9daee11d7..baf5e0948 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/PageServlet.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/PageServlet.java
@@ -18,9 +18,12 @@ package org.apache.roller.weblogger.ui.rendering.servlets;
+import java.net.MalformedURLException;
+import java.net.URL;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.roller.util.RollerConstants;
 import org.apache.roller.weblogger.WebloggerException;
 import org.apache.roller.weblogger.business.HitCountQueue;
@@ -611,7 +614,14 @@ private boolean processReferrer(HttpServletRequest request) {
 }
 }
- String referrerUrl = request.getHeader("Referer");
+ String referrerUrl = null;
+ String[] schemes = {"http", "https"};
+ UrlValidator urlValidator = new UrlValidator(schemes);
+ if (urlValidator.isValid(request.getHeader("Referer"))) {
+ referrerUrl = request.getHeader("Referer");
+ }
+ log.debug("referrer = " + referrerUrl);
+
 StringBuffer reqsb = request.getRequestURL();
 if (request.getQueryString() != null) {
 reqsb.append("?");
@@ -619,8 +629,6 @@ private boolean processReferrer(HttpServletRequest request) {
 }
 String requestUrl = reqsb.toString();
- log.debug("referrer = " + referrerUrl);
- // if this came from persons own blog then don't process it
 String selfSiteFragment = "/" + pageRequest.getWeblogHandle();
 if (referrerUrl != null && referrerUrl.contains(selfSiteFragment)) {
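Review bot: `java.net.MalformedURLException` and `java.net.URL` are imported but nothing in the visible hunks of PageServlet uses them; the new code in processReferrer only references `UrlValidator`. Unless another part of the file (not shown) uses them, they read as leftovers from an earlier `new URL(...)` approach and should be dropped so the import block does not imply a parse that never happens.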
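Review bot: `request.getHeader("Referer")` is read twice and a fresh `UrlValidator` is constructed on every request in processReferrer; reading the header once and holding the validator in a `private static final` field keeps the check in one place, e.g. `String referer = request.getHeader("Referer");` followed by `String referrerUrl = REFERER_VALIDATOR.isValid(referer) ? referer : null;` (the validator carries only its configuration after construction, so sharing one instance should be safe, but confirm against the commons-validator version in use). Note also that `new UrlValidator(schemes)` without `UrlValidator.ALLOW_LOCAL_URLS` rejects referrers whose host has no public TLD, so a referrer from a host such as `localhost` now arrives here as null; that is reasonable for a public blog but deserves a comment on the assignment, e.g. `// Referer is client-controlled; keep it only when it parses as a public http(s) URL, otherwise treat as absent`. processReferrer begins before and ends after this hunk.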
@@ -656,10 +664,9 @@ private boolean processReferrer(HttpServletRequest request) {
 }
 String requestSite = requestUrl.substring(0, lastSlash);
- if (!referrerUrl.matches(requestSite + ".*\\.rol.*") &&
- BannedwordslistChecker.checkReferrer(pageRequest.getWeblog(), referrerUrl)) {
- return true;
- }
+ return !(referrerUrl.startsWith(requestSite)
+ && referrerUrl.indexOf(".rol") >= requestSite.length())
+ && BannedwordslistChecker.checkReferrer(pageRequest.getWeblog(), referrerUrl);
 }
 } else {
 log.debug("Ignoring referer = " + referrerUrl);
diff --git a/app/src/test/java/org/apache/roller/weblogger/util/IPBanListTest.java b/app/src/test/java/org/apache/roller/weblogger/util/IPBanListTest.java
index 9d0a97a1d..d4ecedbf8 100644
--- a/app/src/test/java/org/apache/roller/weblogger/util/IPBanListTest.java
+++ b/app/src/test/java/org/apache/roller/weblogger/util/IPBanListTest.java
@@ -1,3 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
 package org.apache.roller.weblogger.util;
 import org.junit.jupiter.api.BeforeEach;
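Review bot: `referrerUrl.indexOf(".rol") >= requestSite.length()` is not equivalent to the old `requestSite + ".*\\.rol.*"` match whenever requestSite itself contains `.rol` (say a blog served from a host like `blog.roller.example`): indexOf returns the first occurrence, which then lies inside the prefix, so the condition is false even when the part after the prefix does contain `.rol`, and such a referrer now goes to the banned-word check where the old regex would have skipped it. Searching from the end of the prefix restores the old meaning: `&& referrerUrl.indexOf(".rol", requestSite.length()) >= 0)`. Replacing the regex is otherwise the right call, since requestSite (derived from the request URL) was interpolated unescaped into a pattern. One more difference: the old `if (...) { return true; }` fell through on false, whereas the new expression returns directly; processReferrer ends outside the hunk, so confirm nothing between the old if and the method's final return was relied on.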
@@ -19,20 +37,20 @@ class IPBanListTest {
 @TempDir Path tmpDir;
- Path ipBanList;
- IPBanList sut;
+ Path ipBanListPath;
+ IPBanList ipBanList;
 @BeforeEach
 void setUp() throws IOException {
- ipBanList = tmpDir.resolve("ipbanlist.txt");
- Files.createFile(ipBanList);
- sut = new IPBanList(() -> ipBanList.toAbsolutePath().toString());
+ ipBanListPath = tmpDir.resolve("ipbanlist.txt");
+ Files.createFile(ipBanListPath);
+ ipBanList = new IPBanList(() -> ipBanListPath.toAbsolutePath().toString());
 }
 @Test
 @DisplayName("addBanned() adds the given IP address to the file")
 void addBannedAddsToFile() {
- sut.addBannedIp("10.0.0.1");
+ ipBanList.addBannedIp("10.0.0.1");
 List ipBanList = readIpBanList();
 assertTrue(ipBanList.contains("10.0.0.1"));
@@ -42,7 +60,7 @@ void addBannedAddsToFile() {
 @Test
 @DisplayName("addBanned() ignores nulls")
 void addBannedIgnoresNulls() {
- sut.addBannedIp(null);
+ ipBanList.addBannedIp(null);
 assertTrue(readIpBanList().isEmpty());
 }
@@ -50,21 +68,23 @@ void addBannedIgnoresNulls() {
 @Test
 @DisplayName("isBanned() returns true if the given IP address is banned")
 void isBanned() {
- sut.addBannedIp("10.0.0.1");
-
- assertTrue(sut.isBanned("10.0.0.1"));
+ ipBanList.addBannedIp("10.0.0.1");
+ try { // work around for intermittently failing test
+ Thread.sleep(500);
+ } catch (InterruptedException ignored) {}
+ assertTrue(ipBanList.isBanned("10.0.0.1"));
 }
 @Test
 @DisplayName("isBanned() returns false if the given IP address it not banned")
 void isBanned2() {
- assertFalse(sut.isBanned("10.0.0.1"));
+ assertFalse(ipBanList.isBanned("10.0.0.1"));
 }
 @Test
 @DisplayName("isBanned() returns false if the given IP address is null")
 void isBanned3() {
- assertFalse(sut.isBanned(null));
+ assertFalse(ipBanList.isBanned(null));
 }
 @Test
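Review bot: Renaming the field `sut` to `ipBanList` makes the unchanged line `List ipBanList = readIpBanList();` in addBannedAddsToFile shadow the field with a local of a different type; it compiles, but a reader now has to work out which `ipBanList` each line means. Either keep the field name distinct from the local, or rename the local and drop the raw type at the same time: `List<String> lines = readIpBanList();` and `assertTrue(lines.contains("10.0.0.1"));`. The raw `List` return type of `readIpBanList()` in the last hunk of this file would then become `List<String>` too.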
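Review bot: The `Thread.sleep(500)` added to isBanned hides a race between `addBannedIp` and `isBanned` instead of removing it, adds half a second to the suite, and will still fail intermittently on a loaded CI host, as the comment itself concedes. What IPBanList does between the write and the read is not visible here (a file modification-time check is a common cause, but that is a guess); since the constructor already takes a supplier for the path, a similar injection or package-private reload hook would let the test wait deterministically. If the sleep has to stay for now, the catch block should not swallow the interrupt: `} catch (InterruptedException ignored) { Thread.currentThread().interrupt(); }`.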
@@ -72,12 +92,12 @@ void isBanned3() {
 void isBanned4() {
 writeIpBanList("10.0.0.1");
- assertTrue(sut.isBanned("10.0.0.1"));
+ assertTrue(ipBanList.isBanned("10.0.0.1"));
 }
 private void writeIpBanList(String ipAddress) {
 try {
- Files.writeString(ipBanList, ipAddress);
+ Files.writeString(ipBanListPath, ipAddress);
 } catch (IOException e) {
 throw new UncheckedIOException(e);
 }
@@ -85,7 +105,7 @@ private void writeIpBanList(String ipAddress) {
 private List readIpBanList() {
 try {
- return Files.readAllLines(ipBanList);
+ return Files.readAllLines(ipBanListPath);
 } catch (IOException e) {
 throw new UncheckedIOException(e);
 }