(Scott Phillips) There is a bug where user supplied query strings that contain ":" were being written straight to the logs unescapped. This would cause the loganalyser to think in some cases that there we logging events of random strings. This patch ensures that all cases where search strings are being written to the logs are escaped to prevent this.

git-svn-id: http://scm.dspace.org/svn/repo/branches/dspace-1_5_x@3538 9c30dcfa-912a-0410-8fc2-9e0234be79fd
2025-10-15 05:53:08 +00:00 · 2009-03-07 19:04:20 +00:00
parent a7fa86a9ed
commit a148e77720
3 changed files with 48 additions and 9 deletions
--- a/dspace-api/src/main/java/org/dspace/app/statistics/LogAnalyser.java
+++ b/dspace-api/src/main/java/org/dspace/app/statistics/LogAnalyser.java
@@ -44,6 +44,7 @@ import org.dspace.app.statistics.LogLine;

 import org.dspace.core.ConfigurationManager;
 import org.dspace.core.Context;
+import org.dspace.core.LogManager;
 import org.dspace.storage.rdbms.DatabaseManager;
 import org.dspace.storage.rdbms.TableRow;

@@ -52,9 +53,6 @@ import java.sql.SQLException;
 import java.lang.Long;
 import java.lang.StringBuffer;

-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
 import java.text.ParseException;
 import java.text.SimpleDateFormat;

@@ -1145,10 +1143,10 @@ public class LogAnalyser
        {
            // set up a new log line object
            LogLine logLine = new LogLine(parseDate(match.group(1).trim()),
-                                          match.group(2).trim(),
-                                          match.group(3).trim(),
-                                          match.group(4).trim(),
-                                          match.group(5).trim());
+                                          LogManager.unescapeLogField(match.group(2)).trim(),
+                                          LogManager.unescapeLogField(match.group(3)).trim(),
+                                          LogManager.unescapeLogField(match.group(4)).trim(),
+                                          LogManager.unescapeLogField(match.group(5)).trim());
            
            return logLine;
        }
--- a/dspace-api/src/main/java/org/dspace/core/LogManager.java
+++ b/dspace-api/src/main/java/org/dspace/core/LogManager.java
@@ -84,8 +84,49 @@ public class LogManager
            contextExtraInfo = "no_context";
        }
        
+
        StringBuilder result = new StringBuilder();
-        result.append(email).append(":").append(contextExtraInfo).append(":").append(action).append(":").append(extrainfo);
+        // Escape everthing but the extra context info because for some crazy reason two fields
+        // are generated inside this entry one for the session id, and another for the ip 
+        // address. Everything else should be escaped.
+        result.append(escapeLogField(email)).append(":").append(contextExtraInfo).append(":").append(escapeLogField(action)).append(":").append(escapeLogField(extrainfo));
        return result.toString();
    }
+    
+    
+    /**
+     * If any string within the log line contains a field seperator (:) they need to be escaped so as the 
+     * line may be parsed and analysed later. This method will escape a log field.
+     * 
+     * Single slashes and colons will be escaped so that colons no longer appear in the logs
+     * 
+     * @param field The unescaped log field
+     * @return An escaped log field
+     */
+    public static String escapeLogField(String field)
+    {
+        if (field != null)
+        {
+        	field = field.replaceAll("\\\\", "\\\\\\\\;");
+        	field = field.replaceAll(":","\\\\colon;");
+        }
+        return field;
+    }
+    
+    /**
+     * Unescape a log field.
+     * 
+     * @param field The escaped log field
+     * @return the original log field
+     */
+    public static String unescapeLogField(String field)
+    {
+    	
+    	if (field != null)
+        {
+        	field = field.replaceAll("\\\\colon;", ":");
+        	field = field.replaceAll("\\\\\\\\;","\\\\");
+        }
+        return field;
+    }
 }
--- a/dspace-api/src/main/java/org/dspace/search/DSQuery.java
+++ b/dspace-api/src/main/java/org/dspace/search/DSQuery.java
@@ -148,7 +148,7 @@ public class DSQuery
            Searcher searcher = getSearcher(c);

            QueryParser qp = new QueryParser("default", DSIndexer.getAnalyzer());
-            log.info("Final query string: " + querystring);
+            log.debug("Final query string: " + querystring);
            
            if (operator == null || operator.equals("OR"))
            {