inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.2.N (5.2.2) to HEAD (5.2)

Browse Source 
135560 skopf: REPO-2112 - Security: MNT-17545: HTTP Header Injection in ContentStreamer
   MNT-17545 - HTTP Header Injection in ContentStreamer


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137399 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Andrei Rebegea
2017-06-14 17:06:56 +00:00
parent 4b23014fee
commit 25c8c95298
1 changed files with 34 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
View File

@@ -477,7 +477,7 @@ public class ContentStreamer implements ResourceLoaderAware
if (req == null) if (req == null)
{ {
headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName) headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName)
+ "; filename=\"" + attachFileName + "\""; + "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"";
} }
else else
{ {
@@ -489,7 +489,7 @@ public class ContentStreamer implements ResourceLoaderAware
} }
else else
{ {
headerValue += "; filename=\"" + attachFileName + "\"; filename*=UTF-8''" headerValue += "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"; filename*=UTF-8''"
+ URLEncoder.encode(attachFileName); + URLEncoder.encode(attachFileName);
} }
} }
@@ -501,6 +501,38 @@ public class ContentStreamer implements ResourceLoaderAware
} }
} }
protected String filterNameForQuotedString(String s)
{
StringBuilder sb = new StringBuilder();
for(int i = 0; i < s.length(); i++)
{
char c = s.charAt(i);
if(isValidQuotedStringHeaderParamChar(c))
{
sb.append(c);
}
else
{
sb.append(" ");
}
}
return sb.toString();
}
protected boolean isValidQuotedStringHeaderParamChar(char c)
{
// see RFC2616 section 2.2:
// qdtext = <any TEXT except <">>
// TEXT = <any OCTET except CTLs, but including LWS>
// CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
// A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
// Note: we dis-allow header field continuation
return (c < 256) // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
&& (c != 127) // CTL - see RFC2616 section 2.2
&& (c != '"') // <">
&& (c > 31); // CTL - see RFC2616 section 2.2
}
/** /**
* Set the cache settings on the response * Set the cache settings on the response
* *