
Commit 981a89fa authored by Jeroen Hoffman

REPO-1927 [Back port to 11.2] SecurityManager doesn't sanitize userId in case...

REPO-1927 [Back port to 11.2] SecurityManager doesn't sanitize userId in case of external providers to get memberships
- sanitize user id
parent dcdb52dc
/* /*
* Copyright 2008-2013 Hippo B.V. (http://www.onehippo.com) * Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com)
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
...@@ -362,10 +362,11 @@ public class SecurityManager implements HippoSecurityManager { ...@@ -362,10 +362,11 @@ public class SecurityManager implements HippoSecurityManager {
*/ */
private Set<String> getMemberships(String rawUserId, String providerId) { private Set<String> getMemberships(String rawUserId, String providerId) {
try { try {
final String sanitizedUserId = sanitizeUserId(rawUserId, providerId);
if (providers.containsKey(providerId)) { if (providers.containsKey(providerId)) {
return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId); return providers.get(providerId).getGroupManager().getMembershipIds(sanitizedUserId);
} else { } else {
return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId, providerId)); return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizedUserId);
} }
} catch (RepositoryException e) { } catch (RepositoryException e) {
log.warn("Unable to get memberships for userId: " + rawUserId, e); log.warn("Unable to get memberships for userId: " + rawUserId, e);
......
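Review bot: The catch block on the last line of the hunk still logs `rawUserId`, the very value this commit stops trusting for external providers, so whatever characters sanitizeUserId strips or normalises (its body is not visible here) reach the log unchanged — a provider-supplied id containing CR/LF or similar would then be a log-forging vector. Because `sanitizedUserId` is declared inside the try it is out of scope in the catch; if sanitizeUserId does not itself throw RepositoryException, hoist `final String sanitizedUserId = sanitizeUserId(rawUserId, providerId);` above `try {` and log `log.warn("Unable to get memberships for userId: {}", sanitizedUserId, e);` (parameterised, assuming `log` is an SLF4J-style logger), otherwise keep the call inside the try and log only the providerId or an escaped id. The else branch still sanitizes with a providerId that `providers` does not contain and then queries INTERNAL_PROVIDER; that fallback predates this commit, but a comment such as `// unknown providerId: fall back to the internal provider's group manager` would make the intent explicit. The method's Javadoc opens above the hunk and its catch block and return continue below it.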