From 25c8c952983a59cc7d1cfc26e9cf6bede9f40945 Mon Sep 17 00:00:00 2001
From: Andrei Rebegea
Date: Wed, 14 Jun 2017 17:06:56 +0000
Subject: [PATCH] Merged 5.2.N (5.2.2) to HEAD (5.2) 135560 skopf: REPO-2112 - Security: MNT-17545: HTTP Header Injection in ContentStreamer MNT-17545 - HTTP Header Injection in ContentStreamer git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137399 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../web/scripts/content/ContentStreamer.java | 36 +++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
index e3db7a07e6..f75119c38a 100644
--- a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
+++ b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
@@ -477,7 +477,7 @@ public class ContentStreamer implements ResourceLoaderAware
 if (req == null)
 {
 headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName)
- + "; filename=\"" + attachFileName + "\"";
+ + "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"";
 }
 else
 {
@@ -489,7 +489,7 @@ public class ContentStreamer implements ResourceLoaderAware
 }
 else
 {
- headerValue += "; filename=\"" + attachFileName + "\"; filename*=UTF-8''"
+ headerValue += "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"; filename*=UTF-8''"
 + URLEncoder.encode(attachFileName);
 }
 }
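Review bot: The new `filename="..."` value is now filtered, but the `filename*=UTF-8''` half of the same statement is still produced by the single-argument `URLEncoder.encode(attachFileName)` on the adjacent unchanged line, in both this hunk and the one at line 489. That overload is deprecated and encodes with the platform default charset, so when the JVM default is not UTF-8 the `UTF-8''` label does not match the bytes that follow; it also emits `+` for a space, which an RFC 5987 decoder reads as a literal plus rather than a space. Using the explicit overload, `URLEncoder.encode(attachFileName, "UTF-8").replace("+", "%20")`, keeps the label truthful (that overload declares `UnsupportedEncodingException`, which the caller would need to handle). The enclosing method begins before and ends after both hunks.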
@@ -500,6 +500,38 @@ public class ContentStreamer implements ResourceLoaderAware
 res.setHeader("Content-Disposition", headerValue);
 }
 }
+
+ protected String filterNameForQuotedString(String s)
+ {
+ StringBuilder sb = new StringBuilder();
+ for(int i = 0; i < s.length(); i++)
+ {
+ char c = s.charAt(i);
+ if(isValidQuotedStringHeaderParamChar(c))
+ {
+ sb.append(c);
+ }
+ else
+ {
+ sb.append(" ");
+ }
+ }
+ return sb.toString();
+ }
+
+ protected boolean isValidQuotedStringHeaderParamChar(char c)
+ {
+ // see RFC2616 section 2.2:
+ // qdtext = >
+ // TEXT = 
+ // CTL = 
+ // A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
+ // Note: we dis-allow header field continuation
+ return (c < 256) // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
+ && (c != 127) // CTL - see RFC2616 section 2.2
+ && (c != '"') // <">
+ && (c > 31); // CTL - see RFC2616 section 2.2
+ }
 /**
 * Set the cache settings on the response
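Review bot: `isValidQuotedStringHeaderParamChar` rejects `"` and the CTLs but lets a backslash through, and in an RFC 2616 quoted-string `\` starts a quoted-pair, so a name ending in `\` yields `filename="name\"` where a parser honouring quoted-pair treats the closing quote as escaped and keeps reading into the rest of the header value; adding `&& (c != '\\') // quoted-pair escape - see RFC2616 section 2.2` to the return expression closes that gap. Neither new method has a Javadoc; one on `filterNameForQuotedString` should state that every character not permitted in a quoted-string parameter value (CTLs, `"`, and anything above U+00FF) is replaced by a space so the value cannot end the quoted parameter or the header line, and that callers still carry the unfiltered name in `filename*`, with `isValidQuotedStringHeaderParamChar` documented as the per-character predicate behind it. As rendered here the bracketed parts of the RFC quotations in the `qdtext`, `TEXT` and `CTL` comment lines are missing, which is presumably an artefact of the page rather than of the source, but it is worth checking the committed comment is intact.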