Merged 5.2.N (5.2.2) to HEAD (5.2)

135606 jvonka: REPO-2110 / MNT-17477: CMIS: SXSS+CSRF vulnerability (browser binding)
   - force download=attachment (Content-Disposition headers) for all content types, except those white-listed (eg. pdf & specific img types)


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137404 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Andrei Rebegea
2017-06-14 17:07:39 +00:00
parent a74c71116a
commit 9b499c911a
4 changed files with 417 additions and 5 deletions


@@ -27,13 +27,17 @@ package org.alfresco.opencmis;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.EventListener;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
@@ -44,10 +48,12 @@ import javax.servlet.Servlet;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRegistration;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.descriptor.JspConfigDescriptor;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
@@ -84,6 +90,8 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
protected CmisVersion cmisVersion;
protected TenantAdminService tenantAdminService;
private Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
public void setTenantAdminService(TenantAdminService tenantAdminService)
{
this.tenantAdminService = tenantAdminService;
@@ -129,6 +137,11 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
this.cmisVersion = CmisVersion.fromValue(cmisVersion);
}
public void setNonAttachContentTypes(Set<String> nonAttachWhiteList)
{
this.nonAttachContentTypes = nonAttachWhiteList;
}
protected synchronized Descriptor getCurrentDescriptor()
{
if(this.currentDescriptor == null)
@@ -191,16 +204,22 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
return httpReqWrapper;
}
protected CMISHttpServletResponse getHttpResponse(WebScriptResponse res)
{
CMISHttpServletResponse httpResWrapper = new CMISHttpServletResponse(res, nonAttachContentTypes);
return httpResWrapper;
}
public void execute(WebScriptRequest req, WebScriptResponse res) throws IOException
{
try
{
HttpServletResponse httpResp = WebScriptServletRuntime.getHttpServletResponse(res);
// fake a servlet request.
// wrap request & response
CMISHttpServletResponse httpResWrapper = getHttpResponse(res);
CMISHttpServletRequest httpReqWrapper = getHttpRequest(req);
servlet.service(httpReqWrapper, httpResp);
servlet.service(httpReqWrapper, httpResWrapper);
}
catch(ServletException e)
{