Merged HEAD-BUG-FIX to HEAD (4.2)

55497: Merged V4.1-BUG-FIX (4.1.7) to HEAD-BUG-FIX (4.2) 55387: Fix for MNT-9628 - CLONE - uploadFileServlet return-page vulnerability javascript git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@55780 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-07 17:49:17 +00:00 · 2013-09-20 20:48:03 +00:00
parent 54659289ea
commit 7e44580cb3
2 changed files with 34 additions and 21 deletions
--- a/source/java/org/alfresco/web/app/servlet/UploadFileServlet.java
+++ b/source/java/org/alfresco/web/app/servlet/UploadFileServlet.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2010 Alfresco Software Limited.
+ * Copyright (C) 2005-2013 Alfresco Software Limited.
 *
 * This file is part of Alfresco
 *
@@ -14,7 +14,8 @@
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>. */
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
 package org.alfresco.web.app.servlet;

 import java.io.File;
@@ -45,6 +46,8 @@ import org.apache.commons.fileupload.servlet.ServletRequestContext;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.json.JSONException;
+import org.json.JSONObject;
 import org.springframework.extensions.config.ConfigService;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -177,9 +180,13 @@ public class UploadFileServlet extends BaseServlet
            throw new AlfrescoRuntimeException("return-page parameter has not been supplied");
         }
         
-         if (returnPage.startsWith("javascript:"))
+         JSONObject json;
+         try
+         {
+             json = new JSONObject(returnPage);
+             
+             if (json.has("id") && json.has("args"))
             {
-            returnPage = returnPage.substring("javascript:".length());
                // finally redirect
                if (logger.isDebugEnabled())
                {
@@ -191,11 +198,18 @@ public class UploadFileServlet extends BaseServlet
                response.setHeader("X-XSS-Protection", "0");
                final PrintWriter out = response.getWriter();
                out.println("<html><body><script type=\"text/javascript\">");
-            out.println(returnPage);
+                
+                out.println("window.parent.upload_complete_helper(");
+                out.println("'" + json.getString("id") + "'");
+                out.println(", ");
+                out.println(json.getJSONObject("args"));
+                out.println(");");
+                
                out.println("</script></body></html>");
                out.close();
             }
-         else
+         }
+         catch (JSONException e)
         {
            // finally redirect
            if (logger.isDebugEnabled())
--- a/source/web/scripts/upload_helper.js
+++ b/source/web/scripts/upload_helper.js
@@ -65,8 +65,7 @@ function handle_upload_helper(fileInputElement,
    w.upload_complete_helper = window.upload_complete_helper;
  }

-  rp.value = "javascript:window.parent.upload_complete_helper('" + uploadId + 
-    "',{error: '${_UPLOAD_ERROR}', fileTypeImage: '${_FILE_TYPE_IMAGE}'})";
+  rp.value = "{id: '" + uploadId + "', args: {error: '${_UPLOAD_ERROR}', fileTypeImage: '${_FILE_TYPE_IMAGE}'}}";

  form.submit();
 }