From ea2185e6a4f8773480d95d03b30bf3785e30df7b Mon Sep 17 00:00:00 2001 From: Andrei Rebegea Date: Wed, 14 Jun 2017 17:07:45 +0000 Subject: [PATCH] Merged 5.2.N (5.2.2) to HEAD (5.2) 135620 jvonka: REPO-2110 / MNT-17477: CMIS: SXSS+CSRF vulnerability (browser binding) - force download=attachment (Content-Disposition headers) for all content types except those white-listed (eg. pdf & specific img types) - follow-on for r135606 to fix fallout caught by TestPublicApiBrowser11TCK.testCMISTCKQuery() git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137405 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../opencmis/CMISHttpServletResponse.java | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/source/java/org/alfresco/opencmis/CMISHttpServletResponse.java b/source/java/org/alfresco/opencmis/CMISHttpServletResponse.java index bff8877f47..d458b73d6b 100644 --- a/source/java/org/alfresco/opencmis/CMISHttpServletResponse.java +++ b/source/java/org/alfresco/opencmis/CMISHttpServletResponse.java @@ -51,7 +51,10 @@ public class CMISHttpServletResponse implements HttpServletResponse protected Set nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf private final static String HDR_CONTENT_DISPOSITION = "Content-Disposition"; - + + private final static String ATTACHMENT = "attachment"; + private final static String INLINE = "inline"; + public CMISHttpServletResponse(WebScriptResponse res, Set nonAttachContentTypes) { httpResp = WebScriptServletRuntime.getHttpServletResponse(res); @@ -135,6 +138,8 @@ public class CMISHttpServletResponse implements HttpServletResponse { httpResp.addHeader(name, getStringHeaderValue(name, value, httpResp.getContentType())); } + + private String getStringHeaderValue(String name, String value, String contentType) { 
@@ -142,14 +147,14 @@ public class CMISHttpServletResponse implements HttpServletResponse
 {
 if (! nonAttachContentTypes.contains(contentType))
 {
- if (value.startsWith("inline"))
+ if (value.startsWith(INLINE))
 {
 // force attachment
- value = value.replace("inline", "attachment");
+ value = ATTACHMENT+value.substring(INLINE.length());
 }
- else if (! value.startsWith("attachment"))
+ else if (! value.startsWith(ATTACHMENT))
 {
- throw new AlfrescoRuntimeException("Unexpected - attachment header could not be set: "+name+" = "+value);
+ throw new AlfrescoRuntimeException("Unexpected - header could not be set: "+name+" = "+value);
 }
 }
 }
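Review bot: The rewritten `startsWith(INLINE)` and `startsWith(ATTACHMENT)` checks compare the disposition type case-sensitively, although the type in a Content-Disposition value is case-insensitive per RFC 6266, so a value such as `Inline; filename="x"` is neither rewritten nor accepted and ends in the AlfrescoRuntimeException — fail-closed, but it rejects a valid header. A case-insensitive comparison keeps the fail-closed path for genuinely unexpected values: `if (value.regionMatches(true, 0, INLINE, 0, INLINE.length()))` and `else if (! value.regionMatches(true, 0, ATTACHMENT, 0, ATTACHMENT.length()))`. The whitelist test `nonAttachContentTypes.contains(contentType)` is an exact string match on whatever `getContentType()` returned, so a whitelisted type that carries parameters, or a null content type because the header was added before the type was set, presumably also ends up forced to attachment; that is the safe direction, but it deserves a comment on that line such as `// exact match on the full Content-Type value; anything not whitelisted is forced to attachment`. The helper has no Javadoc, and a short one stating the three outcomes (value unchanged for whitelisted types, a leading inline rewritten to attachment, exception otherwise) would document the security contract for callers of addHeader. getStringHeaderValue begins before this hunk and its remainder follows it.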