REPO-2112 - Security: MNT-17545: HTTP Header Injection in ContentStreamer

MNT-17545 - HTTP Header Injection in ContentStreamer git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135560 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2017-03-03 10:43:55 +00:00
parent 936c4972c3
commit 7ea9dee0b1
1 changed files with 34 additions and 2 deletions
--- a/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
+++ b/source/java/org/alfresco/repo/web/scripts/content/ContentStreamer.java
@@ -477,7 +477,7 @@ public class ContentStreamer implements ResourceLoaderAware
                if (req == null)
                {
                    headerValue += "; filename*=UTF-8''" + URLEncoder.encode(attachFileName)
-                            + "; filename=\"" + attachFileName + "\"";
+                            + "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"";
                }
                else
                {
@@ -489,7 +489,7 @@ public class ContentStreamer implements ResourceLoaderAware
                    }
                    else
                    {
-                        headerValue += "; filename=\"" + attachFileName + "\"; filename*=UTF-8''"
+                        headerValue += "; filename=\"" + filterNameForQuotedString(attachFileName) + "\"; filename*=UTF-8''"
                                + URLEncoder.encode(attachFileName);
                    }
                }
@@ -500,6 +500,38 @@ public class ContentStreamer implements ResourceLoaderAware
            res.setHeader("Content-Disposition", headerValue);
        }
    }
+    
+    protected String filterNameForQuotedString(String s)
+    {
+        StringBuilder sb = new StringBuilder();
+        for(int i = 0; i < s.length(); i++)
+        {
+            char c = s.charAt(i);
+            if(isValidQuotedStringHeaderParamChar(c))
+            {
+                sb.append(c);
+            }
+            else
+            {
+                sb.append(" ");
+            }
+        }
+        return sb.toString();
+    }
+    
+    protected boolean isValidQuotedStringHeaderParamChar(char c)
+    {
+        // see RFC2616 section 2.2: 
+        // qdtext         = <any TEXT except <">>
+        // TEXT           = <any OCTET except CTLs, but including LWS>
+        // CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+        // A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
+        // Note: we dis-allow header field continuation
+        return     (c < 256)  // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
+                && (c != 127) // CTL - see RFC2616 section 2.2
+                && (c != '"') // <">
+                && (c > 31);  // CTL - see RFC2616 section 2.2
+    }

    /**
     * Set the cache settings on the response