Description of the issues, and details of the associated patch file:
1) Not compliant with 0.9 spec: http://www.opensocial.org/Technical-Resources/opensocial-spec-v09/Gadgets-API-Specification.html#rfc.section.3.4
Shindig uses include-urls, exclude-urls (note: plural) which are regular expressions
Specification use include-url, exclude-url which are case insensitive matches, plus it allows multiple occurrences of these tags.
Note: no effort to support minify for this patch
Fix: Alter the code to honor these tags. For backward compatibility the old "plural" tags are also accepted.
2) Throughout Shindig parameters "debug" and "nocache" have been used and honored for various requests. For the rewriters it is missing. "nocache" is obvious. "debug" is not used today, but could be used to support the minify options of the future.
Fix: Alter the rewriters to properly pass the debug and nocache from the HttpRequest or GadgetContext to the end URL.
3) The concat rewriter takes a list of URLs and rewrites them so that it does not exceed some max length. However the test was done after the appending which could lead to a URL that was too long.
Fix: Altered the algorithm so it will check the predicted length prior to appending.
4) The concat rewriter did not handle a gadget authors link that was originally too long.
Fix: Since concat is for the benefit of the gadget author (as opposed to security), original links that are too long are simply passed through without being rewritten.
5) The ConcatProxyServlet is vulnerable to response splitting: http://www.google.com/search?q=response+splitting+vulnerability&ie=utf-8
Fix: Check for \r \n in header
6) The concat rewriter (or concat servlet) did not do caching header correctly.
Fix: Borrowing from how the proxy rewriters did it, added the refresh parameter to the concat URL
1) Because: this is optional feature; and this costs resources server side, I felt that to allow a gadget author to include additional resources that were explicitly excluded by the original server config, or to allow the gadget author to extend the expires time beyond the original server config times would be an issue. Therefore added a configuration parameter to shindig properties "shindig.content-rewrite.only-allow-excludes=false", which when set to true will: disallow additional include-url(s); will honor the original exclude-urls; disallow an increase in expires time; not allow additional extensions to be cached.
2) There was some initial effort to allow the rewriters to be "guiced" into the code by using a protected method to create a proxying link rewriter, HTMLContentRewriter.createLinkRewriter() & CssRequestRewriter.createLinkRewriter(). However with 3 different types of link rewriters used across 4 files, plus who knows where else it will be used. This pattern of protected methods is not scalable. Chose to use a factory pattern for the 3 link rewriters.
Support for "nocache"
Fixes the response splitting vulnerability.
Also if "refresh" is not present, will explicitly send nocache headers.
An interface for the factory, default implementation of the factory, and the rewriter.
Sanitizing and Concat were generally extracted from their "inner class" definitions.
Fixed Concat to always include refresh on the URL
Needed to handle additional include/exclude tags, and new only-allow-excludes option.
Reuses some algorithms from the original, but is best reviewed as new code implementing the algorithms necessary to support the original and new features.
Refactored to use new factory pattern.
Needed a new accessor method
Unit Test Files:
Mods for use of the new Factory Pattern
Tests for debug and nocache
Test for only-allow-excludes
Concat now uses "refresh", added to tests
New file based on ContentRewriterFeatureTestCase.java, but uses the OpenSocial v 0.9 specification to perform the tests.
Added test for the splitting of concat rewrites into multiple concats.
Somehow the refresh time was "HTTP", rather than a valid integer! I changed this to a valid integer, and fixed the test standards. Additional added tests to specifically test when refresh is not a valid integer.
Added tests to ensure the ConcatRewriter will properly split the rewrite into different URLs.