Posted to commits@cxf.apache.org by co...@apache.org on 2019/09/04 17:11:07 UTC
[cxf] branch master updated: CXF-8101 - Strip file path from
Content-Disposition filename
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 7257491 CXF-8101 - Strip file path from Content-Disposition filename
7257491 is described below
commit 72574910b2cd61ca5208c46784136553d310ba1b
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Sep 4 18:10:43 2019 +0100
CXF-8101 - Strip file path from Content-Disposition filename
---
.../org/apache/cxf/attachment/AttachmentUtil.java | 5 ++--
.../java/org/apache/cxf/helpers/FileUtils.java | 18 ++++++++++++
.../cxf/attachment/AttachmentDeserializerTest.java | 33 ++++++++++++++++++++++
3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
index 4dd44bc..fba8cba 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
@@ -54,6 +54,7 @@ import javax.activation.MailcapCommandMap;
import javax.activation.URLDataSource;
import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.FileUtils;
import org.apache.cxf.helpers.HttpHeaderHelper;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.io.CachedOutputStream;
@@ -393,13 +394,13 @@ public final class AttachmentUtil {
if (encoding == null) {
encoding = "binary";
}
- InputStream ins = decode(stream, encoding);
+ InputStream ins = decode(stream, encoding);
if (ins != stream) {
headers.remove("Content-Transfer-Encoding");
}
DataSource source = new AttachmentDataSource(ct, ins);
if (!StringUtils.isEmpty(fileName)) {
- ((AttachmentDataSource)source).setName(fileName);
+ ((AttachmentDataSource)source).setName(FileUtils.stripPath(fileName));
}
att.setDataHandler(new DataHandler(source));
return att;
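Review bot: The emptiness guard on `fileName` runs before `FileUtils.stripPath` is applied, so a Content-Disposition filename that ends in a separator (for example `dir/`) passes the check and `setName` is called with an empty string, while `.` and `..` are stored unchanged because stripPath only discards what precedes the last separator. Strip first and guard on the result: `String baseName = FileUtils.stripPath(fileName);` then `if (!StringUtils.isEmpty(baseName)) {` and `((AttachmentDataSource)source).setName(baseName);`. The removed and re-added `InputStream ins = decode(stream, encoding);` line at the top of the hunk appears to differ only in whitespace. The enclosing method begins before this hunk.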
diff --git a/core/src/main/java/org/apache/cxf/helpers/FileUtils.java b/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
index b166c58..b847d5a 100644
--- a/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
@@ -392,4 +392,22 @@ public final class FileUtils {
return file.exists();
});
}
+
+ /**
+ * Strips any leading paths
+ */
+ public static String stripPath(String name) {
+ if (name == null) {
+ return null;
+ }
+ int posUnix = name.lastIndexOf('/');
+ int posWin = name.lastIndexOf('\\');
+ int pos = Math.max(posUnix, posWin);
+
+ if (pos != -1) {
+ return name.substring(pos + 1);
+ }
+ return name;
+ }
+
}
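Review bot: The Javadoc `Strips any leading paths` under-specifies the contract the new AttachmentUtil caller now relies on: the method returns whatever follows the last `/` or `\`, so `..`, `.` and the empty string (for a name ending in a separator) come back as-is, and a Windows drive-relative name of the form `C:name` is presumably not split because no separator precedes the colon. State the edge results in the comment, e.g. `Returns the part of {@code name} after its last '/' or '\\' (the whole name if neither occurs); null yields null, a trailing separator yields "", and "." / ".." are returned unchanged, so the result is not by itself a validated file name.` If callers need a name safe to use on a filesystem, mapping `.`/`..` to an empty result here would be a smaller change than repeating that check at each call site.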
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 8f32fa3..717083e 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
@@ -750,4 +750,37 @@ public class AttachmentDeserializerTest {
assertEquals(40, msg.getAttachments().size());
}
+ @Test
+ public void testInvalidContentDispositionFilename() throws Exception {
+ StringBuilder sb = new StringBuilder(1000);
+ sb.append("SomeHeader: foo\n")
+ .append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml; charset=UTF-8\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <31...@auhpap02>\n")
+ .append('\n')
+ .append("<envelope/>\n");
+
+ sb.append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <b86a5f2d-e7af-4e5e-b71a-9f6f2307cab0>\n")
+ .append("Content-Disposition: attachment; filename=../../../../../../../../etc/passwd\n")
+ .append('\n')
+ .append("<message>\n")
+ .append("------=_Part_34950_1098328613.1263781527359--\n");
+
+ msg = new MessageImpl();
+ msg.setContent(InputStream.class, new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
+ msg.put(Message.CONTENT_TYPE, "multipart/related");
+ AttachmentDeserializer ad = new AttachmentDeserializer(msg);
+ ad.initializeAttachments();
+
+ // Force it to load the attachments
+ assertEquals(1, msg.getAttachments().size());
+ Attachment attachment = msg.getAttachments().iterator().next();
+ AttachmentDataSource dataSource = (AttachmentDataSource)attachment.getDataHandler().getDataSource();
+ assertEquals("passwd", dataSource.getName());
+ }
+
}
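Review bot: The new test exercises only the forward-slash form of the filename, while `FileUtils.stripPath` also splits on backslash; a second message whose Content-Disposition filename uses backslash separators, and one whose filename ends in a separator (where the expected attachment name should be spelled out), would cover the branches the assertion on `dataSource.getName()` currently leaves untested. The fixture otherwise mirrors the existing multipart tests above it, which is fine.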