(ScottPhillips) Added a switch to enable the themepath parameter to an HTTP request directing which theme to load. This can be turned on via the xmlui.themes.allowoverrides configuration parameter which defaults to off.

git-svn-id: http://scm.dspace.org/svn/repo/branches/dspace-1_5_x@2636 9c30dcfa-912a-0410-8fc2-9e0234be79fd
2025-10-23 18:03:11 +00:00 · 2008-02-11 18:20:01 +00:00
parent 2cd82e602d
commit 93521b35ff
4 changed files with 66 additions and 6 deletions
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/cocoon/ThemeMatcher.java
@@ -56,6 +56,7 @@ import org.dspace.app.xmlui.configuration.XMLUIConfiguration;
 import org.dspace.app.xmlui.configuration.Theme;
 import org.dspace.app.xmlui.utils.HandleUtil;
 import org.dspace.content.DSpaceObject;
+import org.dspace.core.ConfigurationManager;

 /**
 * This class determines the correct Aspect to use. This is determined by the
@@ -96,6 +97,50 @@ public class ThemeMatcher extends AbstractLogEnabled implements Matcher {
 			String uri = request.getSitemapURI();
 			DSpaceObject dso = HandleUtil.obtainHandle(objectModel);

+			
+			// Allow the user to override the theme configuration
+			if (ConfigurationManager.getBooleanProperty("xmlui.theme.allowoverrides",false))
+			{
+				String themePathOverride  = request.getParameter("themepath");
+				if (themePathOverride != null && themePathOverride.length() > 0)
+				{
+					// Allowing the user to specify the theme path is a security risk because it 
+					// allows the user to direct which sitemap is executed next. An attacker could 
+					// use this in combination with another attack execute code on the server. 
+					// Ultimately this option should not be turned on in a production system and 
+					// only used in development. However lets do some simple sanity checks to 
+					// protect us a little even when under development.
+					
+					// Allow: allow all letters and numbers plus periods (but not consecutive), 
+					// dashes, underscores, and forward slashes 
+					if (!themePathOverride.matches("^[a-zA-V0-9][a-zA-Z0-9/_\\-]*/?$")) {
+						
+						throw new IllegalArgumentException("The user specified theme path, \""+themePathOverride+"\", may be " +
+								"an exploit attempt. To use this feature please limit your theme paths to only letters " +
+								"(a-Z), numbers(0-9), dashes(-), underscores (_), and trailing forward slashes (/).");
+					}
+					
+					// The user is selecting to override a theme, ignore any set
+					// rules to apply and use the one specified.
+					String themeNameOverride = request.getParameter("themename");
+					String themeIdOverride = request.getParameter("themeid");
+					
+					if (themeNameOverride == null || themeNameOverride.length() == 0)
+						themeNameOverride = "User specified theme";
+					
+					getLogger().debug("User as specified to override theme selection with theme "+
+							"(name=\""+themeNameOverride+"\", path=\""+themePathOverride+"\", id=\""+themeIdOverride+"\")");
+					
+					Map<String, String> result = new HashMap<String, String>();
+					result.put("themeName", themeNameOverride);
+					result.put("theme", themePathOverride);
+					result.put("themeID", themeIdOverride);
+					
+					return result;
+				}
+			}
+			
+			
 			List<Theme> rules = XMLUIConfiguration.getThemeRules();
 			getLogger().debug("Checking if URL=" + uri + " matches any theme rules.");
 			for (Theme rule : rules) {
--- a/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java
+++ b/dspace-xmlui/dspace-xmlui-api/src/main/java/org/dspace/app/xmlui/objectmanager/DSpaceObjectManager.java
@@ -123,7 +123,7 @@ public class DSpaceObjectManager implements ObjectManager
 			else
 			{
 				// No handle then refrence it by an internal ID.
-				if (dso instanceof Item)
+				if (dso instanceof Item || dso instanceof BrowseItem)
 		    	{
 		    		return "/metadata/internal/item/" + dso.getID() + "/mets.xml";
 		    	}
@@ -147,7 +147,7 @@ public class DSpaceObjectManager implements ObjectManager
 	 */
 	public String getObjectType(Object object) throws WingException 
 	{
-		if (object instanceof Item)
+		if (object instanceof Item || object instanceof BrowseItem)
    	{
    		return "DSpace Item";
    	}
@@ -182,7 +182,7 @@ public class DSpaceObjectManager implements ObjectManager
 	
 	/**
 	 * For the DSpace implementation we just return a hash of one entry which contains
-	 * a refrence to this repository's metadata.
+	 * a reference to this repository's metadata.
 	 */
 	public HashMap<String,String> getAllManagedRepositories() throws WingException
 	{
--- a/dspace/config/dspace.cfg
+++ b/dspace/config/dspace.cfg
@@ -1037,13 +1037,21 @@ event.consumer.eperson.filters = EPerson+Create
 ### XMLUI (aka manakin) configuration ###
 # These are XML UI specific configuration items that apply only to Manakin
 # user interface.
-#

 # Force all authenticated connections to use SSL, only non-authenticated 
 # connections are allowed over plain http. If set to true, then you need to 
 # ensure that the 'dspace.hostname' parameter is set to the correctly.
 #xmlui.force.ssl = true

+# Allow the user to override which theme is used to display a particular page. 
+# When submitting a request add the HTTP parameter "themepath" which corresponds 
+# to a particular theme, that specified theme will be used instead of the any 
+# other configured theme. Note that this is a potential security hole allowing 
+# execution of unintended code on the server, this option is only for development 
+# and debugging it should be turned off for any production repository. The default 
+# value unless otherwise specified is "false"
+#xmlui.theme.allowoverrides = false
+
 # On the community-list page should all the metadata about a community/collection
 # be available to the theme. This parameter defaults to true, but if you are
 # experiencing performance problems on the community-list page you should experiment
@@ -1059,7 +1067,6 @@ event.consumer.eperson.filters = EPerson+Create
 # the website for a period of time.
 #xmlui.community-list.cache = 12 hours

-
 # Optionally you may configure Manakin to take advantage of metadata stored as a 
 # bitstream. These metadata files should be inside the "METADATA" bundle and named 
 # either MODS.xml or METS.xml. If either of the following options are turned on then 
--- a/dspace/docs/configure.html
+++ b/dspace/docs/configure.html
@@ -801,13 +801,14 @@ More information is provide below in <a href="#newfilter">Creating a new Media/F
  <table>
    <tbody>
      <tr>
-        <th>Property</th>
+        <th width="300px">Property</th>

        <th>Example Values</th>

        <th>Notes</th>
      </tr>

+
      <tr>
        <td><code>xmlui.force.ssl</code></td>

@@ -816,6 +817,13 @@ More information is provide below in <a href="#newfilter">Creating a new Media/F
        <td>Force all authenticated connections to use SSL, only non-authenticated connections are allowed over plain http. If set to true, then you need to ensure that the 'dspace.hostname' parameter is set to the correctly.</td>
      </tr>
   
+      <tr>
+        <td><code>xmlui.theme.allowoverrides</code></td>
+
+        <td><code>false</code></td>
+
+        <td>If set to true, then allow the user to override which theme is used to display a particular page. When submitting a request add the HTTP parameter "themepath" which corresponds to a particular theme, that specified theme will be used instead of the any other configured theme. Note that this is a potential security hole allowing execution of unintended code on the server, this option is only for development and debugging it should be turned off for any production repository. The default value unless otherwise specified is "false"</td>
+      </tr>
   
      <tr>
        <td><code>xmlui.community-list.render.full</code></td>