REPO-2110 / MNT-17477: CMIS: SXSS+CSRF vulnerability (browser binding)

- force download=attachment (Content-Disposition headers) for all content types except those white-listed (eg. pdf & specific img types)
- follow-on for r135606 to fix fallout caught by TestPublicApiBrowser11TCK.testCMISTCKQuery()

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135620 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Jan Vonka
2017-03-06 13:26:30 +00:00
parent 123e67a055
commit 33d670788f


@@ -51,7 +51,10 @@ public class CMISHttpServletResponse implements HttpServletResponse
protected Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
private final static String HDR_CONTENT_DISPOSITION = "Content-Disposition";
private final static String ATTACHMENT = "attachment";
private final static String INLINE = "inline";
public CMISHttpServletResponse(WebScriptResponse res, Set<String> nonAttachContentTypes)
{
httpResp = WebScriptServletRuntime.getHttpServletResponse(res);
@@ -135,6 +138,8 @@ public class CMISHttpServletResponse implements HttpServletResponse
{
httpResp.addHeader(name, getStringHeaderValue(name, value, httpResp.getContentType()));
}
private String getStringHeaderValue(String name, String value, String contentType)
{
@@ -142,14 +147,14 @@ public class CMISHttpServletResponse implements HttpServletResponse
{
if (! nonAttachContentTypes.contains(contentType))
{
if (value.startsWith("inline"))
if (value.startsWith(INLINE))
{
// force attachment
value = value.replace("inline", "attachment");
value = ATTACHMENT+value.substring(INLINE.length());
}
else if (! value.startsWith("attachment"))
else if (! value.startsWith(ATTACHMENT))
{
throw new AlfrescoRuntimeException("Unexpected - attachment header could not be set: "+name+" = "+value);
throw new AlfrescoRuntimeException("Unexpected - header could not be set: "+name+" = "+value);
}
}
}
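Review bot: The new disposition-type tests on the lines replacing `value.startsWith("inline")` and `! value.startsWith("attachment")` are case-sensitive, but RFC 6266 defines the disposition type as case-insensitive, so a caller passing `Inline; filename="x"` now hits the AlfrescoRuntimeException instead of being rewritten to `attachment`. Failing closed is the right default for this vulnerability class, but it turns a valid header into an error; a case-insensitive prefix test keeps the fail-closed behaviour while accepting RFC-valid input, e.g. `if (value.regionMatches(true, 0, INLINE, 0, INLINE.length()))` and `else if (! value.regionMatches(true, 0, ATTACHMENT, 0, ATTACHMENT.length()))`. The whitelist lookup `nonAttachContentTypes.contains(contentType)` compares the full value of `httpResp.getContentType()`, which may carry a `;charset=` parameter, so a whitelisted type can still be forced to attachment; that is safe, but if it is not intended the media type should be isolated before the lookup, e.g. `contentType.split(";", 2)[0].trim()`. Because the fix depends on the whitelist configured outside this hunk, the comment on `nonAttachContentTypes` should state that types able to carry active content (SVG being one image type that can) must not be listed. The enclosing getStringHeaderValue method starts in the previous hunk and its outer braces close outside this one.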