OF-2893: Warn administrator when a wildcard pattern is loaded (but wi…

…ldcards are disabled)
Fishbowler · Oct 20, 2024 · 8401af5 · 8401af5
1 parent cfda1ef
commit 8401af5
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/i18n/src/main/resources/openfire_i18n.properties b/i18n/src/main/resources/openfire_i18n.properties
@@ -2824,6 +2824,7 @@ plugin.admin.failed.minJavaVersion=The plugin requires Java specification versio
 plugin.admin.failed.missingParent=The plugin requires another plugin, named {0}, that currently is not installed.
 plugin.admin.failed.databaseScript=A plugin database install or update script failed. Review the logs for additional details.
 plugin.admin.failed.unknown=An exception occurred while loading plugin. Review the logs for additional details.
+plugin.admin.wildcards-exists=A plugin has loaded admin console authentication bypass patterns that includes a wildcard, but the System Property 'adminConsole.access.allow-wildcards-in-excludes' is disabled.
 
 # System Admin Console access
 system.admin.console.access.title=Admin Console Access

diff --git a/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java b/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -184,6 +184,13 @@ public static void removeExclude(String exclude) {
         excludes.remove(exclude);
     }
 
+    /**
+     * Indicates to the caller whether any of the currently loaded exclusions contains a wildcard
+     */
+    public static boolean excludesIncludeWildcards() {
+        return excludes.stream().anyMatch(e -> e.contains("*"));
+    }
+
     /**
      * Returns true if a URL passes an exclude rule.
      *

diff --git a/xmppserver/src/main/webapp/plugin-admin.jsp b/xmppserver/src/main/webapp/plugin-admin.jsp
@@ -23,6 +23,7 @@
                  org.apache.commons.fileupload.disk.DiskFileItemFactory,
                  org.apache.commons.fileupload.servlet.ServletFileUpload"
         %>
+<%@ page import="org.jivesoftware.admin.AuthCheckFilter" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
 <%@ page import="org.jivesoftware.openfire.update.UpdateManager" %>
@@ -369,6 +370,11 @@ tr.lowerhalf > td:last-child {
             <fmt:message key="plugin.admin.monitortask_running" />
         </admin:infobox>
     </c:if>
+    <c:if test="${ AuthCheckFilter.excludesIncludeWildcards() && !AuthCheckFilter.ALLOW_WILDCARDS_IN_EXCLUDES.getValue() }">
+        <admin:infobox type="warning">
+            <fmt:message key="plugin.admin.wildcards-exists" />
+        </admin:infobox>
+    </c:if>
     <p>
     <fmt:message key="plugin.admin.info"/>
 </p>