Merged 5.2.N (5.2.2) to HEAD (5.2)

135560 skopf: REPO-2112 - Security: MNT-17545: HTTP Header Injection in ContentStreamer MNT-17545 - HTTP Header Injection in ContentStreamer git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137399 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2017-06-14 17:06:56 +00:00
parent 4b23014fee
commit 25c8c95298
1 changed files with 34 additions and 2 deletions
--- a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
+++ b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
@@ -477,7 +477,7 @@ public class ContentStreamer implements ResourceLoaderAware
                if (req == null)
                {
                    headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName)
-                            + "; filename=\"" + attachFileName + "\"";
+                            + "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"";
                }
                else
                {
@@ -489,7 +489,7 @@ public class ContentStreamer implements ResourceLoaderAware
                    }
                    else
                    {
-                        headerValue += "; filename=\"" + attachFileName + "\"; filename*=UTF-8''"
+                        headerValue += "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"; filename*=UTF-8''"
                                + URLEncoder.encode(attachFileName);
                    }
                }
@@ -501,6 +501,38 @@ public class ContentStreamer implements ResourceLoaderAware
        }
    }
    
+    protected String filterNameForQuotedString(String s)
+    {
+        StringBuilder sb = new StringBuilder();
+        for(int i = 0; i < s.length(); i++)
+        {
+            char c = s.charAt(i);
+            if(isValidQuotedStringHeaderParamChar(c))
+            {
+                sb.append(c);
+            }
+            else
+            {
+                sb.append(" ");
+            }
+        }
+        return sb.toString();
+    }
+    
+    protected boolean isValidQuotedStringHeaderParamChar(char c)
+    {
+        // see RFC2616 section 2.2: 
+        // qdtext         = <any TEXT except <">>
+        // TEXT           = <any OCTET except CTLs, but including LWS>
+        // CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+        // A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
+        // Note: we dis-allow header field continuation
+        return     (c < 256)  // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
+                && (c != 127) // CTL - see RFC2616 section 2.2
+                && (c != '"') // <">
+                && (c > 31);  // CTL - see RFC2616 section 2.2
+    }
+
    /**
     * Set the cache settings on the response
     *