  1. Identity
  2. ID-68

Trying to create the user "'><script>altert('testuser')</script> while in gapps mode triggers IllegalStateException


Details

    Description

      I tried to create this user while connected to gapps: "'><script>altert('testuser')</script>. I got this exception log.txt:

      @400000004fce8fe913c0a9dc 2012-06-05 23:01:51,326 TP-Processor12 ERROR      [500ErrorPage.jsp] Exception caught in 500 page java.lang.RuntimeException: com.google.gdata.client.authn.oauth.OAuthException: java.net.URISyntaxException: Illegal character in path at index 63: https://apps-apis.google.com/a/feeds/atl-paid-dev.com/user/2.0/"'><script>altert('testuser')</script>
      @400000004fce8fe913c0b97c java.lang.IllegalStateException: java.lang.RuntimeException: com.google.gdata.client.authn.oauth.OAuthException: java.net.URISyntaxException: Illegal character in path at index 63: https://apps-apis.google.com/a/feeds/atl-paid-dev.com/user/2.0/"'><script>altert('testuser')</script>
      @400000004fce8fe913c0f414 	at com.atlassian.agmp.openid.users.mgmt.jira.UserServiceImpl.userExistsInGoogle(UserServiceImpl.java:524)
      @400000004fce8fe913c0f7fc 	at com.atlassian.agmp.integration.jira.action.AddUserInterceptor.isGoogleUser(AddUserInterceptor.java:72)
      @400000004fce8fe913c0ffcc 	at com.atlassian.agmp.integration.jira.action.AddUserInterceptor.interceptDoExecute(AddUserInterceptor.java:43)
      @400000004fce8fe913c103b4 	at com.atlassian.peace.jira.ActionPeacekeeper.intercept(ActionPeacekeeper.java:46)
      @400000004fce8fe913c13294 	at webwork.interceptor.NestedInterceptorChain.proceed(NestedInterceptorChain.java:27)
      @400000004fce8fe913c1367c 	at webwork.interceptor.ChainedInterceptor.intercept(ChainedInterceptor.java:16)
      @400000004fce8fe913c1367c 	at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:35)
      @400000004fce8fe913c13a64 	at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:205)
      @400000004fce8fe913c1461c 	at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:143)
      @400000004fce8fe913c14a04 	at com.atlassian.jira.web.dispatcher.JiraWebworkActionDispatcher.service(JiraWebworkActionDispatcher.java:152)
      @400000004fce8fe913c14dec 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      @400000004fce8fe913c14dec 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      @400000004fce8fe913c159a4 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      @400000004fce8fe913c15d8c 	at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:78)
      @400000004fce8fe913c16174 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      @400000004fce8fe913c1655c 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      @400000004fce8fe913c17114 	at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44)
      @400000004fce8fe913c174fc 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      @400000004fce8fe913c178e4 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      @400000004fce8fe913c17ccc 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      @400000004fce8fe913c18884 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c18c6c 	at com.atlassian.labs.botkiller.BotKillerFilter.doFilter(BotKillerFilter.java:36)
      @400000004fce8fe913c19054 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c1943c 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c19c0c 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c19ff4 	at com.atlassian.jira.tzdetect.IncludeResourcesFilter.doFilter(IncludeResourcesFilter.java:39)
      @400000004fce8fe913c1af94 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c1b37c 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c1b764 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c1bb4c 	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:25)
      @400000004fce8fe913c1c31c 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c1c704 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c1caec 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c1ced4 	at com.atlassian.agmp.integration.jira.ReprovisionConfigFilter.doFilter(ReprovisionConfigFilter.java:87)
      @400000004fce8fe913c1d6a4 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c1da8c 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c2019c 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c20584 	at com.atlassian.agmp.gdata.servlet.GDataServiceErrorServletFilter.doFilter(GDataServiceErrorServletFilter.java:43)
      @400000004fce8fe913c2096c 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c220dc 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c224c4 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c228ac 	at com.atlassian.studio.core.servlet.filter.AlacarteLicenseEnforcer.doFilter(AlacarteLicenseEnforcer.java:71)
      @400000004fce8fe913c2307c 	at com.atlassian.studio.jira.servlet.filter.AlacarteLicenseJiraEnforcer.doFilter(AlacarteLicenseJiraEnforcer.java:122)
      @400000004fce8fe913c23464 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      @400000004fce8fe913c2384c 	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      @400000004fce8fe913c2401c 	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      @400000004fce8fe913c24fbc 	at com.atlassian.peace.AbstractPeacePageFilter.doFilter(AbstractPeacePageFilter.java:39)
      @400000004fce8fe913c253a4 	at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
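
The `URISyntaxException` in the log points at index 63, which is the first character after the feed prefix: the username was appended to the URL path without encoding. The following is an added example, not code from the affected plugin, showing the raw concatenation failing in `java.net.URI` and the same username percent-encoded as a single path segment; the class and method names (`FeedUrlExample`, `encodePathSegment`, `userFeedUri`) are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;

public class FeedUrlExample {
    // Feed prefix copied from the log above (63 characters long).
    static final String FEED_BASE =
            "https://apps-apis.google.com/a/feeds/atl-paid-dev.com/user/2.0/";

    // Percent-encode every byte that is not an RFC 3986 "unreserved" character,
    // so the value can never add a '/', '?', '#', quote or angle bracket to the URL.
    static String encodePathSegment(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9')
                    || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append(String.format("%%%02X", c));
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the URL built during the "user exists" lookup.
    static URI userFeedUri(String username) throws URISyntaxException {
        // Dot segments survive encoding and could change the path on the server side.
        if (username.isEmpty() || username.equals(".") || username.equals("..")) {
            throw new IllegalArgumentException("username is not a usable path segment");
        }
        return new URI(FEED_BASE + encodePathSegment(username));
    }

    public static void main(String[] args) throws Exception {
        // Username from the report.
        String username = "\"'><script>altert('testuser')</script>";
        try {
            new URI(FEED_BASE + username); // raw concatenation, as in the log
        } catch (URISyntaxException e) {
            System.out.println("raw: " + e.getReason() + " at index " + e.getIndex());
        }
        System.out.println("encoded: " + userFeedUri(username));
    }
}
```

Rejecting the name during form validation, before any remote lookup, would also keep the failure from surfacing as a 500 page.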
      

          People

            Unassigned Unassigned
            bbain bain