  1. Sakai
  2. SAK-25429

help throws NPE if no docId passed to content.hlp

    Details

    • Type: Bug
    • Status: RESOLVED
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9.3, 10.0
    • Fix Version/s: 10.0
    • Component/s: Help Tool
    • Labels:
      None
    • 2.9 Status:
      Resolved

      Description

      Some security scanners (e.g. Nessus) call Sakai URLs like /portal/help/TOCDisplay/content.hlp which results in the help contentservlet throwing an NPE, which is a little annoying as it generates lots of spurious bug reports.

      ContentServlet should just return a bad request response, e.g. (untested):

      Index: help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java
      ===================================================================
      — help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java (revision 117719)
      +++ help-tool/src/java/org/sakaiproject/tool/help/ContentServlet.java (working copy)
      @@ -70,6 +70,11 @@
      getHelpManager().initialize();
      String docId = req.getParameter(DOC_ID);

      + if (docId == null)

      { + res.sendError(HttpServletResponse.SC_BAD_REQUEST); + return; + }

      +
      OutputStreamWriter writer = new OutputStreamWriter(res.getOutputStream(), "UTF-8");
      try {
      res.setContentType(TEXT_HTML);
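
      Review bot: the added guard `if (docId == null)` rejects only a missing parameter; a request with an empty `docId=` value still passes it and continues into the `try` block below, so consider treating an empty value as a bad request too. The guard also sits after `getHelpManager().initialize()`, so a parameterless scanner request still triggers that call before being rejected; reading `docId` and sending `SC_BAD_REQUEST` first would avoid it. Since the description marks the patch as untested, a request to content.hlp with no docId should be exercised before this is committed.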

      2013-12-02 06:40:15,801 INFO http-bio-8082-exec-8 org.sakaiproject.email.impl.BasicEmailService - send: from: "sakai/trunk on Oracle"<no-reply@nightly2.sakaiproject.org> to: subject: Bug Report: 5286C84E9DC6C2DF7B610305B25A62737C395D65 / null headerTo: replyTo: null content: bug-id: c2d6210e-8df3-40c5-8941-0a0b209ddad6
      user: null (null)
      email: null
      usage-session: null
      stack-trace-digest: 5286C84E9DC6C2DF7B610305B25A62737C395D65
      sakai-version: Revision: 132060
      service-version: Built: 12/02/13 04:00
      app-server: sakai-nightly.uits.iupui.edu
      request-path: /portal/help/TOCDisplay/content.hlp
      time: Dec 2, 2013 06:40:15

      stack trace:

      org.sakaiproject.portal.api.PortalHandlerException: java.lang.NullPointerException
      at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913)
      caused by: java.lang.NullPointerException
      at org.sakaiproject.tool.help.ContentServlet.doGet(ContentServlet.java:83)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
      at org.sakaiproject.jsf.util.JsfTool.dispatch(JsfTool.java:138)
      at org.sakaiproject.tool.help.HelpJsfTool.dispatch(HelpJsfTool.java:96)
      at org.sakaiproject.jsf.util.JsfTool.doGet(JsfTool.java:242)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
      at org.sakaiproject.tool.impl.ActiveToolComponent$MyActiveTool.forward(ActiveToolComponent.java:513)
      at org.sakaiproject.portal.charon.SkinnableCharonPortal.forwardTool(SkinnableCharonPortal.java:1518)
      at org.sakaiproject.portal.charon.handlers.HelpHandler.doHelp(HelpHandler.java:107)
      at org.sakaiproject.portal.charon.handlers.HelpHandler.doGet(HelpHandler.java:69)
      at org.sakaiproject.portal.charon.SkinnableCharonPortal.doGet(SkinnableCharonPortal.java:913)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.sakaiproject.util.RequestFilter.doFilter(RequestFilter.java:695)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:722)

                People

                Assignee:
                Unassigned
                Reporter:
                smarquard Stephen Marquard