REPO-2109 - Security: MNT-17475: WebDAV: SXSS+CSRF vulnerability in SSO environments

MNT-17475 - WebDAV: SXSS+CSRF vulnerability in SSO environments git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135537 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2017-03-02 18:09:08 +00:00
parent 7892bcef02
commit 936c4972c3
1 changed files with 42 additions and 3 deletions
--- a/source/java/org/alfresco/repo/webdav/GetMethod.java
+++ b/source/java/org/alfresco/repo/webdav/GetMethod.java
@@ -54,6 +54,7 @@ import org.alfresco.service.cmr.repository.datatype.DefaultTypeConverter;
 import org.alfresco.service.cmr.repository.datatype.TypeConverter;
 import org.alfresco.service.namespace.QName;
 import org.springframework.extensions.surf.util.I18NUtil;
 import org.springframework.extensions.surf.util.URLEncoder;
 /**
 * Implements the WebDAV GET method
@@ -260,6 +261,8 @@ public class GetMethod extends WebDAVMethod
                m_response.setHeader(WebDAV.HEADER_LAST_MODIFIED, WebDAV.formatHeaderDate(modDate));
            }
            m_response.setHeader("Content-Disposition", getContentDispositionHeader(nodeInfo));
            ContentReader reader = fileFolderService.getReader(realNodeInfo.getNodeRef());
            // ensure that we generate something, even if the content is missing
            reader = FileContentReader.getSafeContentReader(
@@ -350,6 +353,42 @@ public class GetMethod extends WebDAVMethod
        }
    }
    protected String getContentDispositionHeader(FileInfo nodeInfo)
    {
        String filename = nodeInfo.getName();
        StringBuilder sb = new StringBuilder();
        sb.append("attachment; filename=\"");
        for(int i = 0; i < filename.length(); i++)
        {
            char c = filename.charAt(i);
            if(isValidQuotedStringHeaderParamChar(c))
            {
                sb.append(c);
            }
            else
            {
                sb.append(" ");
            }
        }
        sb.append("\"; filename*=UTF-8''");
        sb.append(URLEncoder.encode(filename));
        return sb.toString();
    }
    protected boolean isValidQuotedStringHeaderParamChar(char c)
    {
        // see RFC2616 section 2.2: 
        // qdtext         = <any TEXT except <">>
        // TEXT           = <any OCTET except CTLs, but including LWS>
        // CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
        // A CRLF is allowed in the definition of TEXT only as part of a header field continuation.
        // Note: we dis-allow header field continuation
        return     (c < 256)  // message header param fields must be ISO-8859-1. Lower 256 codepoints of Unicode represent ISO-8859-1
                && (c != 127) // CTL - see RFC2616 section 2.2
                && (c != '"') // <">
                && (c > 31);  // CTL - see RFC2616 section 2.2
    }
    /**
     * Checks the If header conditions
     *