Merged HEAD-BUG-FIX to HEAD (4.2)
55497: Merged V4.1-BUG-FIX (4.1.7) to HEAD-BUG-FIX (4.2) 55387: Fix for MNT-9628 - CLONE - uploadFileServlet return-page vulnerability javascript git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@55780 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (C) 2005-2010 Alfresco Software Limited.
|
* Copyright (C) 2005-2013 Alfresco Software Limited.
|
||||||
*
|
*
|
||||||
* This file is part of Alfresco
|
* This file is part of Alfresco
|
||||||
*
|
*
|
||||||
@@ -14,7 +14,8 @@
|
|||||||
* GNU Lesser General Public License for more details.
|
* GNU Lesser General Public License for more details.
|
||||||
*
|
*
|
||||||
* You should have received a copy of the GNU Lesser General Public License
|
* You should have received a copy of the GNU Lesser General Public License
|
||||||
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>. */
|
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
package org.alfresco.web.app.servlet;
|
package org.alfresco.web.app.servlet;
|
||||||
|
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
@@ -45,6 +46,8 @@ import org.apache.commons.fileupload.servlet.ServletRequestContext;
|
|||||||
import org.apache.commons.io.FilenameUtils;
|
import org.apache.commons.io.FilenameUtils;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.json.JSONException;
|
||||||
|
import org.json.JSONObject;
|
||||||
import org.springframework.extensions.config.ConfigService;
|
import org.springframework.extensions.config.ConfigService;
|
||||||
import org.springframework.web.context.WebApplicationContext;
|
import org.springframework.web.context.WebApplicationContext;
|
||||||
import org.springframework.web.context.support.WebApplicationContextUtils;
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
||||||
@@ -177,25 +180,36 @@ public class UploadFileServlet extends BaseServlet
|
|||||||
throw new AlfrescoRuntimeException("return-page parameter has not been supplied");
|
throw new AlfrescoRuntimeException("return-page parameter has not been supplied");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (returnPage.startsWith("javascript:"))
|
JSONObject json;
|
||||||
|
try
|
||||||
{
|
{
|
||||||
returnPage = returnPage.substring("javascript:".length());
|
json = new JSONObject(returnPage);
|
||||||
// finally redirect
|
|
||||||
if (logger.isDebugEnabled())
|
if (json.has("id") && json.has("args"))
|
||||||
{
|
{
|
||||||
logger.debug("Sending back javascript response " + returnPage);
|
// finally redirect
|
||||||
}
|
if (logger.isDebugEnabled())
|
||||||
response.setContentType(MimetypeMap.MIMETYPE_HTML);
|
{
|
||||||
response.setCharacterEncoding("utf-8");
|
logger.debug("Sending back javascript response " + returnPage);
|
||||||
// work-around for WebKit protection against embedded javascript on POST body response
|
}
|
||||||
response.setHeader("X-XSS-Protection", "0");
|
response.setContentType(MimetypeMap.MIMETYPE_HTML);
|
||||||
final PrintWriter out = response.getWriter();
|
response.setCharacterEncoding("utf-8");
|
||||||
out.println("<html><body><script type=\"text/javascript\">");
|
// work-around for WebKit protection against embedded javascript on POST body response
|
||||||
out.println(returnPage);
|
response.setHeader("X-XSS-Protection", "0");
|
||||||
out.println("</script></body></html>");
|
final PrintWriter out = response.getWriter();
|
||||||
out.close();
|
out.println("<html><body><script type=\"text/javascript\">");
|
||||||
|
|
||||||
|
out.println("window.parent.upload_complete_helper(");
|
||||||
|
out.println("'" + json.getString("id") + "'");
|
||||||
|
out.println(", ");
|
||||||
|
out.println(json.getJSONObject("args"));
|
||||||
|
out.println(");");
|
||||||
|
|
||||||
|
out.println("</script></body></html>");
|
||||||
|
out.close();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
catch (JSONException e)
|
||||||
{
|
{
|
||||||
// finally redirect
|
// finally redirect
|
||||||
if (logger.isDebugEnabled())
|
if (logger.isDebugEnabled())
|
||||||
|
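Review bot: The `id` value is still written into the inline script unescaped: `out.println("'" + json.getString("id") + "'");` puts a request-supplied string inside a single-quoted JavaScript literal, so a quote, backslash, line break or `</script>` in it ends the literal or the script element. Emit it as an escaped literal instead, `out.println(JSONObject.quote(json.getString("id")));`, which also escapes `</`. `json.getJSONObject("args")` is evaluated only after part of the page has been written, so a non-object `args` throws `JSONException` mid-response and reaches the catch branch with output already produced; reading both values into locals before `response.getWriter()` avoids that. The response still sends `X-XSS-Protection: 0`, and the catch branch continues past the end of the hunk, so how a non-JSON `return-page` is handled there is not visible here.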
@@ -65,8 +65,7 @@ function handle_upload_helper(fileInputElement,
|
|||||||
w.upload_complete_helper = window.upload_complete_helper;
|
w.upload_complete_helper = window.upload_complete_helper;
|
||||||
}
|
}
|
||||||
|
|
||||||
rp.value = "javascript:window.parent.upload_complete_helper('" + uploadId +
|
rp.value = "{id: '" + uploadId + "', args: {error: '${_UPLOAD_ERROR}', fileTypeImage: '${_FILE_TYPE_IMAGE}'}}";
|
||||||
"',{error: '${_UPLOAD_ERROR}', fileTypeImage: '${_FILE_TYPE_IMAGE}'})";
|
|
||||||
|
|
||||||
form.submit();
|
form.submit();
|
||||||
}
|
}
|
||||||
|
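Review bot: `uploadId` is concatenated into the payload without escaping, and the string assigned to `rp.value` is not strict JSON (unquoted keys, single-quoted strings), so it parses only because org.json's `JSONObject` constructor is lenient. An `uploadId` containing a quote can produce a malformed payload and send the servlet into its `JSONException` branch instead of the callback. Consider emitting strict JSON, e.g. `rp.value = '{"id": "' + uploadId + '", "args": {"error": "${_UPLOAD_ERROR}", "fileTypeImage": "${_FILE_TYPE_IMAGE}"}}';`, with a comment stating that the `${...}` placeholders are filled in later, presumably by the servlet, which this hunk does not show. `handle_upload_helper` starts and ends outside the hunk.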