diff --git a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java
index f3083aa9ec..67f63104b3 100644
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java
@@ -56,6 +56,7 @@
 import org.dspace.app.xmlui.configuration.XMLUIConfiguration;
 import org.dspace.app.xmlui.configuration.Theme;
 import org.dspace.app.xmlui.utils.HandleUtil;
 import org.dspace.content.DSpaceObject;
+import org.dspace.core.ConfigurationManager;
 /**
  * This class determines the correct Aspect to use. This is determined by the
@@ -96,6 +97,50 @@ public class ThemeMatcher extends AbstractLogEnabled implements Matcher { String uri = request.getSitemapURI(); DSpaceObject dso = HandleUtil.obtainHandle(objectModel); + + // Allow the user to override the theme configuration + if (ConfigurationManager.getBooleanProperty("xmlui.theme.allowoverrides",false)) + { + String themePathOverride = request.getParameter("themepath"); + if (themePathOverride != null && themePathOverride.length() > 0) + { + // Allowing the user to specify the theme path is a security risk because it + // allows the user to direct which sitemap is executed next. An attacker could + // use this in combination with another attack execute code on the server. + // Ultimately this option should not be turned on in a production system and + // only used in development. However lets do some simple sanity checks to + // protect us a little even when under development. + + // Allow: allow all letters and numbers plus periods (but not consecutive), + // dashes, underscores, and forward slashes + if (!themePathOverride.matches("^[a-zA-V0-9][a-zA-Z0-9/_\\-]*/?$")) { + + throw new IllegalArgumentException("The user specified theme path, \""+themePathOverride+"\", may be " + + "an exploit attempt. To use this feature please limit your theme paths to only letters " + + "(a-Z), numbers(0-9), dashes(-), underscores (_), and trailing forward slashes (/)."); + } + + // The user is selecting to override a theme, ignore any set + // rules to apply and use the one specified. 
+ String themeNameOverride = request.getParameter("themename"); + String themeIdOverride = request.getParameter("themeid"); + + if (themeNameOverride == null || themeNameOverride.length() == 0) + themeNameOverride = "User specified theme"; + + getLogger().debug("User as specified to override theme selection with theme "+ + "(name=\""+themeNameOverride+"\", path=\""+themePathOverride+"\", id=\""+themeIdOverride+"\")"); + + Map result = new HashMap(); + result.put("themeName", themeNameOverride); + result.put("theme", themePathOverride); + result.put("themeID", themeIdOverride); + + return result; + } + } + + List rules = XMLUIConfiguration.getThemeRules(); getLogger().debug("Checking if URL=" + uri + " matches any theme rules."); for (Theme rule : rules) { diff --git a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java index 9c1c85e3da..324bb1442b 100644 --- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java +++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java @@ -123,7 +123,7 @@ public class DSpaceObjectManager implements ObjectManager else { // No handle then refrence it by an internal ID. - if (dso instanceof Item) + if (dso instanceof Item || dso instanceof BrowseItem) { return "/metadata/internal/item/" + dso.getID() + "/mets.xml"; } @@ -147,7 +147,7 @@ public class DSpaceObjectManager implements ObjectManager */ public String getObjectType(Object object) throws WingException { - if (object instanceof Item) + if (object instanceof Item || object instanceof BrowseItem) { return "DSpace Item"; } 
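Review bot: The sanity-check regex in the themepath branch does not match its own comment: the comment promises letters, numbers, periods (not consecutive), dashes, underscores and slashes, but `^[a-zA-V0-9][a-zA-Z0-9/_\\-]*/?$` admits no period at all and, through the apparent typo `a-zA-V` in the first class, rejects any path whose first character is W, X, Y or Z. Since refusing periods is precisely what keeps `..` segments out of the sitemap path, I would keep the pattern strict and correct only the first class and the comment, `if (!themePathOverride.matches("^[a-zA-Z0-9][a-zA-Z0-9/_\\-]*/?$")) {` with the comment reading `// Allow: letters, numbers, dashes, underscores and forward slashes (no periods, so no ".." segments; consecutive slashes still pass)`. The `themename` and `themeid` parameters are read, logged and placed into the result map without any check, and the IllegalArgumentException message embeds the raw `themepath` value; if that message is ever rendered by an error page the value is reflected to the client as typed, so consider leaving it out of the message and logging it instead. The enclosing method begins and ends outside the hunk.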
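Review bot: The new `object instanceof Item || object instanceof BrowseItem` test in getObjectType duplicates the `dso instanceof Item || dso instanceof BrowseItem` test added in the internal-ID branch of the previous hunk, so any further type that must be treated as an item has to be added in two places. A private helper, `private static boolean isItem(Object o) { return o instanceof Item || o instanceof BrowseItem; }`, called from both sites would keep them in step. No import of BrowseItem appears in these hunks; presumably it is added elsewhere in the commit or already present, but that is worth confirming. Both enclosing methods start and end outside their hunks.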
@@ -182,7 +182,7 @@ public class DSpaceObjectManager implements ObjectManager /** * For the DSpace implementation we just return a hash of one entry which contains - * a refrence to this repository's metadata. + * a reference to this repository's metadata. */ public HashMap getAllManagedRepositories() throws WingException { diff --git a/dspace/config/dspace.cfg b/dspace/config/dspace.cfg index 506db13a41..02db478fa4 100644 --- a/dspace/config/dspace.cfg +++ b/dspace/config/dspace.cfg @@ -1037,13 +1037,21 @@ event.consumer.eperson.filters = EPerson+Create ### XMLUI (aka manakin) configuration ### # These are XML UI specific configuration items that apply only to Manakin # user interface. -# # Force all authenticated connections to use SSL, only non-authenticated # connections are allowed over plain http. If set to true, then you need to # ensure that the 'dspace.hostname' parameter is set to the correctly. #xmlui.force.ssl = true +# Allow the user to override which theme is used to display a particular page. +# When submitting a request add the HTTP parameter "themepath" which corresponds +# to a particular theme, that specified theme will be used instead of the any +# other configured theme. Note that this is a potential security hole allowing +# execution of unintended code on the server, this option is only for development +# and debugging it should be turned off for any production repository. The default +# value unless otherwise specified is "false" +#xmlui.theme.allowoverrides = false + # On the community-list page should all the metadata about a community/collection # be available to the theme. This parameter defaults to true, but if you are # experiencing performance problems on the community-list page you should experiment 
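Review bot: The new xmlui.theme.allowoverrides comment tells the reader to pass the "themepath" parameter but not that the value is restricted to letters, digits, dashes, underscores and forward slashes, nor that "themename" and "themeid" are honoured alongside it, so an administrator enabling it for development has no way to know which requests will be rejected. A line such as `# The path may contain only letters, digits, dashes, underscores and forward slashes; "themename" and "themeid" may also be supplied.` after the "themepath" sentence would document the actual contract.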
@@ -1059,7 +1067,6 @@ event.consumer.eperson.filters = EPerson+Create # the website for a period of time. #xmlui.community-list.cache = 12 hours - # Optionally you may configure Manakin to take advantage of metadata stored as a # bitstream. These metadata files should be inside the "METADATA" bundle and named # either MODS.xml or METS.xml. If either of the following options are turned on then diff --git a/dspace/docs/configure.html b/dspace/docs/configure.html index 5b00d07434..19fe02a813 100644 --- a/dspace/docs/configure.html +++ b/dspace/docs/configure.html @@ -801,13 +801,14 @@ More information is provide below in Creating a new Media/F - + + @@ -816,6 +817,13 @@ More information is provide below in Creating a new Media/F + + + + + + +
PropertyProperty Example Values Notes
xmlui.force.sslForce all authenticated connections to use SSL, only non-authenticated connections are allowed over plain http. If set to true, then you need to ensure that the 'dspace.hostname' parameter is set to the correctly.
xmlui.theme.allowoverridesfalseIf set to true, then allow the user to override which theme is used to display a particular page. When submitting a request add the HTTP parameter "themepath" which corresponds to a particular theme, that specified theme will be used instead of the any other configured theme. Note that this is a potential security hole allowing execution of unintended code on the server, this option is only for development and debugging it should be turned off for any production repository. The default value unless otherwise specified is "false"
xmlui.community-list.render.full