package org.owasp.webgoat; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; /** * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web * Application Security Project (http://www.owasp.org) This software package is published by OWASP * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute * this software. * * @author Jeff Williams Aspect Security * @created October 28, 2003 */ public class LessonSource extends HammerHead { /** * Description of the Field */ //protected WebSession tempSession; public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; /** * Description of the Method * * @param request Description of the Parameter * @param response Description of the Parameter * @exception IOException Description of the Exception * @exception ServletException Description of the Exception */ public void doPost( HttpServletRequest request, HttpServletResponse response ) throws IOException, ServletException { String source = null; try { //System.out.println( "Entering doPost: " ); //System.out.println( " - request " + request); //System.out.println( " - principle: " + request.getUserPrincipal() ); //setCacheHeaders(response, 0); WebSession session = (WebSession) request.getSession( true ).getAttribute( WebSession.SESSION ); session.update(request, response, this.getServletName()); // FIXME: Too much in this call. // Get the Java source of the lesson. FIXME: Not needed source = getSource( session ); int scr = session.getCurrentScreen(); Course course = session.getCourse(); AbstractLesson lesson = course.getLesson( session, scr, AbstractLesson.USER_ROLE ); lesson.getLessonTracker( session ).setViewedSource(true); } catch ( Throwable t ) { t.printStackTrace(); log( "ERROR: " + t ); } finally { try { this.writeSource(source, response ); } catch ( Throwable thr ) { thr.printStackTrace(); log( request, "Could not write error screen: " + thr.getMessage() ); } //System.out.println( "Leaving doPost: " ); } } protected WebSession updateSession_DELETEME( HttpServletRequest request, HttpServletResponse response, ServletContext context ) { HttpSession hs; hs = request.getSession( true ); //System.out.println( "Entering Session_id: " + hs.getId() ); // dumpSession( hs ); // Make a temporary session to avoid the concurreny issue // in WebSession WebSession session = new WebSession( this, context ); WebSession realSession = null; Object o = hs.getAttribute( WebSession.SESSION ); if ( ( o != null ) && o instanceof WebSession ) { realSession = (WebSession) o; } session.setCurrentScreen( realSession.getCurrentScreen()); session.setCourse( realSession.getCourse() ); session.setRequest( request ); // to authenticate //System.out.println( "Leaving Session_id: " + hs.getId() ); //dumpSession( hs ); return ( session ); } /** * Description of the Method * * @param s Description of the Parameter * @return Description of the Return Value */ protected String getSource( WebSession s ) { String source = null; int scr = s.getCurrentScreen(); Course course = s.getCourse(); if ( s.isUser() || s.isChallenge() ) { AbstractLesson lesson = course.getLesson( s, scr, AbstractLesson.USER_ROLE ); if ( lesson != null ) { source = lesson.getSource(s); } } if ( source == null ) { return "Source code is not available. Contact webgoat@aspectsecurity.com"; } return ( source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, "Code Section Deliberately Omitted") ); } /** * Description of the Method * * @param s Description of the Parameter * @param response Description of the Parameter * @exception IOException Description of the Exception */ protected void writeSource( String s, HttpServletResponse response ) throws IOException { response.setContentType( "text/html" ); PrintWriter out = response.getWriter(); if ( s == null ) { s = new String(); } out.print(s); out.close(); } }