inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

REPO-2109 - Security: MNT-17475: WebDAV: SXSS+CSRF vulnerability in SSO environments

Browse Source 
MNT-17475 - WebDAV: SXSS+CSRF vulnerability in SSO environments

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135537 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Stefan Kopf
2017-03-02 18:09:08 +00:00
parent 7892bcef02
commit 936c4972c3
1 changed files with 42 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
source/java/org/alfresco/repo/webdav/GetMethod.java
View File

@@ -35,9 +35,9 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.StringTokenizer;
import javax.servlet.http.HttpServletResponse;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.content.filestore.FileContentReader;
import org.alfresco.repo.web.util.HttpRangeProcessor;
@@ -54,6 +54,7 @@ import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
import org.alfresco.service.cmr.repository.datatype.TypeConverter;
import org.alfresco.service.namespace.QName;
import org.springframework.extensions.surf.util.I18NUtil;
import org.springframework.extensions.surf.util.URLEncoder;
/**
* Implements the WebDAV GET method
@@ -258,7 +259,9 @@ public class GetMethod extends WebDAVMethod
{
long modDate = DefaultTypeConverter.INSTANCE.longValue(modifiedDate);
m_response.setHeader(WebDAV.HEADER_LAST_MODIFIED, WebDAV.formatHeaderDate(modDate));
}
}
m_response.setHeader("Content-Disposition", getContentDispositionHeader(nodeInfo));
ContentReader reader = fileFolderService.getReader(realNodeInfo.getNodeRef());
// ensure that we generate something, even if the content is missing
@@ -349,6 +352,42 @@ public class GetMethod extends WebDAVMethod
}
}
}
protected String getContentDispositionHeader(FileInfo nodeInfo)
{
String filename = nodeInfo.getName();
StringBuilder sb = new StringBuilder();
sb.append("attachment; filename=\"");
for(int i = 0; i < filename.length(); i++)
{
char c = filename.charAt(i);
if(isValidQuotedStringHeaderParamChar(c))
{
sb.append(c);
}
else
{
sb.append(" ");
}
}
sb.append("\"; filename*=UTF-8''");
sb.append(URLEncoder.encode(filename));
return sb.toString();
}
protected boolean isValidQuotedStringHeaderParamChar(char c)
{
// see RFC2616 section 2.2:
// qdtext = <any TEXT except <">>
// TEXT = <any OCTET except CTLs, but including LWS>
// CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
// A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
// Note: we dis-allow header field continuation
return (c < 256) // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
&& (c != 127) // CTL - see RFC2616 section 2.2
&& (c != '"') // <">
&& (c > 31); // CTL - see RFC2616 section 2.2
}
/**
* Checks the If header conditions