Merged HEAD-BUG-FIX to HEAD (4.2)

55497: Merged V4.1-BUG-FIX (4.1.7) to HEAD-BUG-FIX (4.2)
      55387: Fix for MNT-9628 - CLONE - uploadFileServlet return-page vulnerability javascript


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@55780 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alan Davis
2013-09-20 20:48:03 +00:00
parent 54659289ea
commit 7e44580cb3
2 changed files with 34 additions and 21 deletions


@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2010 Alfresco Software Limited.
* Copyright (C) 2005-2013 Alfresco Software Limited.
*
* This file is part of Alfresco
*
@@ -14,7 +14,8 @@
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. */
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.web.app.servlet;
import java.io.File;
@@ -45,6 +46,8 @@ import org.apache.commons.fileupload.servlet.ServletRequestContext;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.JSONException;
import org.json.JSONObject;
import org.springframework.extensions.config.ConfigService;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -177,25 +180,36 @@ public class UploadFileServlet extends BaseServlet
throw new AlfrescoRuntimeException("return-page parameter has not been supplied");
}
if (returnPage.startsWith("javascript:"))
JSONObject json;
try
{
returnPage = returnPage.substring("javascript:".length());
// finally redirect
if (logger.isDebugEnabled())
{
logger.debug("Sending back javascript response " + returnPage);
}
response.setContentType(MimetypeMap.MIMETYPE_HTML);
response.setCharacterEncoding("utf-8");
// work-around for WebKit protection against embedded javascript on POST body response
response.setHeader("X-XSS-Protection", "0");
final PrintWriter out = response.getWriter();
out.println("<html><body><script type=\"text/javascript\">");
out.println(returnPage);
out.println("</script></body></html>");
out.close();
json = new JSONObject(returnPage);
if (json.has("id") && json.has("args"))
{
// finally redirect
if (logger.isDebugEnabled())
{
logger.debug("Sending back javascript response " + returnPage);
}
response.setContentType(MimetypeMap.MIMETYPE_HTML);
response.setCharacterEncoding("utf-8");
// work-around for WebKit protection against embedded javascript on POST body response
response.setHeader("X-XSS-Protection", "0");
final PrintWriter out = response.getWriter();
out.println("<html><body><script type=\"text/javascript\">");
out.println("window.parent.upload_complete_helper(");
out.println("'" + json.getString("id") + "'");
out.println(", ");
out.println(json.getJSONObject("args"));
out.println(");");
out.println("</script></body></html>");
out.close();
}
}
else
catch (JSONException e)
{
// finally redirect
if (logger.isDebugEnabled())