Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:13:41 UTC
[sling-org-apache-sling-security] 11/15: SLING-4883 - Extend
content disposition filter protection to jcr:data
rombert pushed a commit to annotated tag org.apache.sling.security-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 19b203401a46340ad875988197003aa4f13295b4
Author: Antonio Sanso <as...@apache.org>
AuthorDate: Tue Jul 28 08:23:40 2015 +0000
SLING-4883 - Extend content disposition filter protection to jcr:data
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1693028 13f79535-47bb-0310-9956-ffa450edef68
---
.../security/impl/ContentDispositionFilter.java | 29 +++++
.../impl/ContentDispositionFilterTest.java | 137 +++++++++++++++++++++
2 files changed, 166 insertions(+)
diff --git a/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
index 8da627a..9b72674 100644
--- a/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
@@ -25,12 +25,14 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.PropertyUnbounded;
@@ -39,6 +41,8 @@ import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.wrappers.SlingHttpServletResponseWrapper;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.service.component.ComponentContext;
@@ -173,6 +177,10 @@ public class ContentDispositionFilter implements Filter {
private static final String CONTENT_DISPOSTION_ATTACHMENT = "attachment";
+ private static final String PROP_JCR_DATA = "jcr:data";
+
+ private static final String JCR_CONTENT_LEAF = "jcr:content";
+
static final String ATTRIBUTE_NAME =
"org.apache.sling.security.impl.ContentDispositionFilter.RewriterResponse.contentType";
@@ -226,10 +234,31 @@ public class ContentDispositionFilter implements Filter {
super.setContentType(type);
}
+ //---------- PRIVATE METHODS ---------
+
private void setContentDisposition() {
if (!this.containsHeader(CONTENT_DISPOSTION)) {
this.addHeader(CONTENT_DISPOSTION, CONTENT_DISPOSTION_ATTACHMENT);
}
}
+
+ private boolean isJcrData(Resource resource){
+ boolean jcrData = false;
+ if (resource!= null) {
+ ValueMap props = resource.adaptTo(ValueMap.class);
+ if (props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
+ } else {
+ Resource jcrContent = resource.getChild(JCR_CONTENT_LEAF);
+ if (jcrContent!= null) {
+ props = jcrContent.adaptTo(ValueMap.class);
+ if (props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
+ }
+ }
+ }
+ }
+ return jcrData;
+ }
}
}
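Review bot: `resource.adaptTo(ValueMap.class)` (and the same call on `jcrContent`) may return null when the resource cannot be adapted, so the following `props.containsKey(PROP_JCR_DATA)` would throw a NullPointerException rather than report that no jcr:data property was found; a null-safe guard keeps the method's conservative default, `if (props != null && props.containsKey(PROP_JCR_DATA)) {` at both call sites. Since this helper decides whether a binary gets the attachment disposition, failing closed (false plus no exception) is preferable to an unhandled exception from inside the response wrapper. None of the hunks in this commit call `isJcrData`, so presumably a later commit wires it into `setContentType`; a short Javadoc would help there, e.g. `/** Returns true when the resource itself, or its jcr:content child, carries a jcr:data property. */`. The enclosing `RewriterResponse` class starts outside the hunk, and the ContentDispositionFilterTest hunk below covers the null-resource and jcr:content paths but not a null ValueMap.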
diff --git a/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
index 17614aa..51b6477 100644
--- a/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
+++ b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
@@ -26,6 +26,8 @@ import junitx.util.PrivateAccessor;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.security.impl.ContentDispositionFilter.RewriterResponse;
import org.jmock.Expectations;
import org.jmock.Mockery;
@@ -38,6 +40,10 @@ public class ContentDispositionFilterTest {
private ContentDispositionFilter contentDispositionFilter;
private final Mockery context = new JUnit4Mockery();
+
+ private static final String PROP_JCR_DATA = "jcr:data";
+
+ private static final String JCR_CONTENT_LEAF = "jcr:content";
@Test
public void test_activator1() throws Throwable{
@@ -842,4 +848,135 @@ public class ContentDispositionFilterTest {
rewriterResponse.setContentType("text/xml");
Assert.assertEquals(1, counter.intValue());
}
+
+ @Test
+ public void test_isJcrData1() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final Resource resource = null;
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData2() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+
+ final Resource resource = context.mock(Resource.class);
+ final ValueMap properties = context.mock(ValueMap.class);
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(true));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertTrue(result);
+ }
+
+ @Test
+ public void test_isJcrData3() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+
+ final Resource resource = context.mock(Resource.class);
+ final ValueMap properties = context.mock(ValueMap.class);
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(null));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData4() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ final Resource child = context.mock(Resource.class, "child");
+ final Resource resource = context.mock(Resource.class, "resource" );
+ final ValueMap properties = context.mock(ValueMap.class);
+ final ValueMap childPropoerties = context.mock(ValueMap.class, "childPropoerties");
+
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(child));
+ allowing(child).adaptTo(ValueMap.class);
+ will(returnValue(childPropoerties));
+ allowing(childPropoerties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData5() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ final Resource child = context.mock(Resource.class, "child");
+ final Resource resource = context.mock(Resource.class, "resource" );
+ final ValueMap properties = context.mock(ValueMap.class);
+ final ValueMap childPropoerties = context.mock(ValueMap.class, "childPropoerties");
+
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(child));
+ allowing(child).adaptTo(ValueMap.class);
+ will(returnValue(childPropoerties));
+ allowing(childPropoerties).containsKey(PROP_JCR_DATA);
+ will(returnValue(true));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertTrue(result);
+ }
}
\ No newline at end of file
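Review bot: The mock names in test_isJcrData4 and test_isJcrData5 carry a typo, `childPropoerties`, which also becomes the jMock instance name passed to `context.mock(ValueMap.class, "childPropoerties")` and so shows up in failure messages; `childProperties` reads better in both places. The numbered method names (test_isJcrData1 … 5) say nothing about the scenario each covers; names such as `test_isJcrData_nullResource` or `test_isJcrData_jcrContentChildHasData` would make a failing case self-explanatory. The enclosing test class starts outside the hunk.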