inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-14 17:58:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.2.N (5.2.2) to HEAD (5.2)

Browse Source 
135620 jvonka: REPO-2110 / MNT-17477: CMIS: SXSS+CSRF vulnerability (browser binding)
   - force download=attachment (Content-Disposition headers) for all content types except those white-listed (eg. pdf & specific img types)
   - follow-on for r135606 to fix fallout caught by TestPublicApiBrowser11TCK.testCMISTCKQuery()


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@137405 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Andrei Rebegea
2017-06-14 17:07:45 +00:00
parent 9b499c911a
commit ea2185e6a4
1 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
source/java/org/alfresco/opencmis/CMISHttpServletResponse.java
View File

@@ -51,7 +51,10 @@ public class CMISHttpServletResponse implements HttpServletResponse
protected Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf protected Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
private final static String HDR_CONTENT_DISPOSITION = "Content-Disposition"; private final static String HDR_CONTENT_DISPOSITION = "Content-Disposition";
private final static String ATTACHMENT = "attachment";
private final static String INLINE = "inline";
public CMISHttpServletResponse(WebScriptResponse res, Set<String> nonAttachContentTypes) public CMISHttpServletResponse(WebScriptResponse res, Set<String> nonAttachContentTypes)
{ {
httpResp = WebScriptServletRuntime.getHttpServletResponse(res); httpResp = WebScriptServletRuntime.getHttpServletResponse(res);
@@ -135,6 +138,8 @@ public class CMISHttpServletResponse implements HttpServletResponse
{ {
httpResp.addHeader(name, getStringHeaderValue(name, value, httpResp.getContentType())); httpResp.addHeader(name, getStringHeaderValue(name, value, httpResp.getContentType()));
} }
private String getStringHeaderValue(String name, String value, String contentType) private String getStringHeaderValue(String name, String value, String contentType)
{ {
@@ -142,14 +147,14 @@ public class CMISHttpServletResponse implements HttpServletResponse
{ {
if (! nonAttachContentTypes.contains(contentType)) if (! nonAttachContentTypes.contains(contentType))
{ {
if (value.startsWith("inline")) if (value.startsWith(INLINE))
{ {
// force attachment // force attachment
value = value.replace("inline", "attachment"); value = ATTACHMENT+value.substring(INLINE.length());
} }
else if (! value.startsWith("attachment")) else if (! value.startsWith(ATTACHMENT))
{ {
throw new AlfrescoRuntimeException("Unexpected - attachment header could not be set: "+name+" = "+value); throw new AlfrescoRuntimeException("Unexpected - header could not be set: "+name+" = "+value);
} }
} }
} }