Merge pull request #3735 from ritzalam/fix-issue-3245

Fix issue #3245

bbb-common-web/build.sbt

@@ -31,7 +31,10 @@ libraryDependencies +=  "org.scala-lang"    %   "scala-compiler"      % scalaV
 libraryDependencies +=  "org.scala-lang"    %   "scala-library"       % scalaV
 libraryDependencies +=  "org.scala-lang"    %   "scala-reflect"       % scalaV
 
-libraryDependencies += "commons-lang" % "commons-lang" % "2.5"
+// https://mvnrepository.com/artifact/org.apache.commons/commons-lang3
+libraryDependencies += "org.apache.commons" % "commons-lang3" % "3.5"
+
+
 libraryDependencies += "commons-io" % "commons-io" % "2.4"
 libraryDependencies += "org.freemarker" % "freemarker" % "2.3.23"
 libraryDependencies += "com.fasterxml.jackson.dataformat" % "jackson-dataformat-xml" % "2.6.3"

bbb-common-web/src/main/java/org/bigbluebutton/api/domain/Meeting.java

@@ -22,7 +22,7 @@ package org.bigbluebutton.api.domain;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
-import org.apache.commons.lang.RandomStringUtils;
+import org.apache.commons.lang3.RandomStringUtils;
 
 
 public class Meeting {

bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java

@@ -0,0 +1,26 @@
+package org.bigbluebutton.api.util;
+
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class ParamsUtil {
+  private static final Pattern VALID_ID_PATTERN = Pattern.compile("[a-zA-Z][a-zA-Z0-9- ]*$");
+
+  public static final String invalidChars = ",";
+
+  public static String stripControlChars(String text) {
+    return text.replaceAll("\\p{Cc}", "");
+  }
+
+  public static boolean isValidMeetingId(String meetingId) {
+    //return  VALID_ID_PATTERN.matcher(meetingId).matches();
+    return !containsChar(meetingId, invalidChars);
+  }
+
+  public static boolean containsChar(String text, String chars) {
+    return StringUtils.containsAny(text, chars);
+  }
+}

bbb-common-web/src/main/java/org/bigbluebutton/api/util/ResponseBuilder.java

@@ -1,7 +1,7 @@
 package org.bigbluebutton.api.util;
 
 import org.bigbluebutton.api.domain.Meeting;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.io.File;
 import java.io.IOException;

bbb-common-web/src/test/scala/org/bigbluebutton/api/util/ParamsUtilTest.scala

@@ -0,0 +1,23 @@
+package org.bigbluebutton.api.util
+
+import org.scalatest._
+
+class ParamsUtilTest extends UnitSpec {
+
+  it should "strip out control chars from text" in {
+    val text = "a\u0000b\u0007c\u008fd"
+    val cleaned = ParamsUtil.stripControlChars(text)
+    assert("abcd" == cleaned)
+  }
+
+  it should "complain about invalid chars in meetingId" in {
+    val meetingId = "Demo , Meeting"
+    assert(ParamsUtil.isValidMeetingId(meetingId) == false)
+  }
+
+  it should "accept valid chars in meetingId" in {
+    val meetingId = "Demo Meeting - 123"
+    assert(ParamsUtil.isValidMeetingId(meetingId) == true)
+  }
+
+}

bigbluebutton-web/build.gradle

@@ -16,8 +16,7 @@ dependencies {
   //redis
     compile 'redis.clients:jedis:2.7.2'
     compile 'org.apache.commons:commons-pool2:2.3'
-  
-	compile 'commons-lang:commons-lang:2.5'
+
 	compile 'commons-io:commons-io:2.4'
     compile 'commons-codec:commons-codec:1.10'
     compile 'com.google.code.gson:gson:1.7.1'

bigbluebutton-web/src/java/org/bigbluebutton/api/ApiErrors.java

@@ -68,6 +68,10 @@ public class ApiErrors {
 		errors.add(new String[] {"maxParticipantsReached", "The number of participants allowed for this meeting has been reached."});
 	}
 
+	public void addError(String[] error) {
+		errors.add(error);
+	}
+
 	public boolean hasErrors() {
 		return errors.size() > 0;
 	}

bigbluebutton-web/src/java/org/bigbluebutton/api/ParamsProcessorUtil.java

@@ -37,6 +37,7 @@ import org.apache.commons.codec.digest.DigestUtils;
 import org.apache.commons.lang.RandomStringUtils;
 import org.apache.commons.lang.StringUtils;
 import org.bigbluebutton.api.domain.Meeting;
+import org.bigbluebutton.api.util.ParamsUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.commons.httpclient.*;
@@ -103,9 +104,14 @@ public class ParamsProcessorUtil {
 
         // Do we have a meeting id? If not, complain.
         if(!StringUtils.isEmpty(params.get("meetingID"))) {
-            if (StringUtils.isEmpty(StringUtils.strip(params.get("meetingID")))) {
+        	  String meetingId = StringUtils.strip(params.get("meetingID"));
+            if (StringUtils.isEmpty(meetingId)) {
                 errors.missingParamError("meetingID");
-            }
+            } else {
+            	if (! ParamsUtil.isValidMeetingId(meetingId)) {
+								errors.addError(new String[] {"invalidFormat", "Meeting id contains invalid characters."});
+							}
+						}
         } else {
             errors.missingParamError("meetingID");
         }
@@ -290,10 +296,14 @@ public class ParamsProcessorUtil {
 	}
 	
     public Meeting processCreateParams(Map<String, String> params) {
+
         String meetingName = params.get("name");
         if (meetingName == null) {
             meetingName = "";
         }
+
+        meetingName = ParamsUtil.stripControlChars(meetingName);
+
         String externalMeetingId = params.get("meetingID");
 
         String viewerPass = processPassword(params.get("attendeePW"));