Posted to commits@sling.apache.org by as...@apache.org on 2015/07/28 10:23:40 UTC
svn commit: r1693028 - in /sling/trunk/contrib/extensions/security/src:
main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
Author: asanso
Date: Tue Jul 28 08:23:40 2015
New Revision: 1693028
URL: http://svn.apache.org/r1693028
Log:
SLING-4883 - Extend content disposition filter protection to jcr:data
Modified:
sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
Modified: sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java?rev=1693028&r1=1693027&r2=1693028&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java (original)
+++ sling/trunk/contrib/extensions/security/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java Tue Jul 28 08:23:40 2015
@@ -25,12 +25,14 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
+
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.PropertyUnbounded;
@@ -39,6 +41,8 @@ import org.apache.felix.scr.annotations.
import org.apache.felix.scr.annotations.Property;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.wrappers.SlingHttpServletResponseWrapper;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.service.component.ComponentContext;
@@ -173,6 +177,10 @@ public class ContentDispositionFilter im
private static final String CONTENT_DISPOSTION_ATTACHMENT = "attachment";
+ private static final String PROP_JCR_DATA = "jcr:data";
+
+ private static final String JCR_CONTENT_LEAF = "jcr:content";
+
static final String ATTRIBUTE_NAME =
"org.apache.sling.security.impl.ContentDispositionFilter.RewriterResponse.contentType";
@@ -226,10 +234,31 @@ public class ContentDispositionFilter im
super.setContentType(type);
}
+ //---------- PRIVATE METHODS ---------
+
private void setContentDisposition() {
if (!this.containsHeader(CONTENT_DISPOSTION)) {
this.addHeader(CONTENT_DISPOSTION, CONTENT_DISPOSTION_ATTACHMENT);
}
}
+
+ private boolean isJcrData(Resource resource){
+ boolean jcrData = false;
+ if (resource!= null) {
+ ValueMap props = resource.adaptTo(ValueMap.class);
+ if (props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
+ } else {
+ Resource jcrContent = resource.getChild(JCR_CONTENT_LEAF);
+ if (jcrContent!= null) {
+ props = jcrContent.adaptTo(ValueMap.class);
+ if (props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
+ }
+ }
+ }
+ }
+ return jcrData;
+ }
}
}
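Review bot: In isJcrData the result of `resource.adaptTo(ValueMap.class)` is dereferenced without a null check, both for the resource itself and for its `jcr:content` child, and Sling's adaptTo is documented to return null when a resource cannot be adapted (synthetic or non-existing resources, for instance), so `props.containsKey(PROP_JCR_DATA)` would throw a NullPointerException from inside the response wrapper rather than answering `false`. Guard both lookups: `if (props != null && props.containsKey(PROP_JCR_DATA)) {` after the first adaptTo, and the same form after adapting `jcrContent`. Separately, nothing in this diff calls `isJcrData`, so as far as the visible hunks show the jcr:data protection named in the log message is not yet applied in `setContentType`; if that wiring is meant to land in this commit rather than a follow-up, it appears to be missing. The enclosing `RewriterResponse` class starts outside the hunk and `setContentType` ends at the hunk's first line, so the call site may exist in code not shown here.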
Modified: sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java?rev=1693028&r1=1693027&r2=1693028&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java (original)
+++ sling/trunk/contrib/extensions/security/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java Tue Jul 28 08:23:40 2015
@@ -26,6 +26,8 @@ import junitx.util.PrivateAccessor;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.security.impl.ContentDispositionFilter.RewriterResponse;
import org.jmock.Expectations;
import org.jmock.Mockery;
@@ -38,6 +40,10 @@ public class ContentDispositionFilterTes
private ContentDispositionFilter contentDispositionFilter;
private final Mockery context = new JUnit4Mockery();
+
+ private static final String PROP_JCR_DATA = "jcr:data";
+
+ private static final String JCR_CONTENT_LEAF = "jcr:content";
@Test
public void test_activator1() throws Throwable{
@@ -842,4 +848,135 @@ public class ContentDispositionFilterTes
rewriterResponse.setContentType("text/xml");
Assert.assertEquals(1, counter.intValue());
}
+
+ @Test
+ public void test_isJcrData1() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final Resource resource = null;
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData2() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+
+ final Resource resource = context.mock(Resource.class);
+ final ValueMap properties = context.mock(ValueMap.class);
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(true));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertTrue(result);
+ }
+
+ @Test
+ public void test_isJcrData3() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+
+ final Resource resource = context.mock(Resource.class);
+ final ValueMap properties = context.mock(ValueMap.class);
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(null));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData4() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ final Resource child = context.mock(Resource.class, "child");
+ final Resource resource = context.mock(Resource.class, "resource" );
+ final ValueMap properties = context.mock(ValueMap.class);
+ final ValueMap childPropoerties = context.mock(ValueMap.class, "childPropoerties");
+
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(child));
+ allowing(child).adaptTo(ValueMap.class);
+ will(returnValue(childPropoerties));
+ allowing(childPropoerties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertFalse(result);
+ }
+
+ @Test
+ public void test_isJcrData5() throws Throwable {
+ contentDispositionFilter = new ContentDispositionFilter();
+ final SlingHttpServletRequest request = context.mock(SlingHttpServletRequest.class);
+ final SlingHttpServletResponse response = context.mock(SlingHttpServletResponse.class);
+ final ContentDispositionFilter.RewriterResponse rewriterResponse = contentDispositionFilter. new RewriterResponse(request, response);
+
+ final Resource child = context.mock(Resource.class, "child");
+ final Resource resource = context.mock(Resource.class, "resource" );
+ final ValueMap properties = context.mock(ValueMap.class);
+ final ValueMap childPropoerties = context.mock(ValueMap.class, "childPropoerties");
+
+
+ context.checking(new Expectations() {
+ {
+ allowing(resource).adaptTo(ValueMap.class);
+ will(returnValue(properties));
+ allowing(properties).containsKey(PROP_JCR_DATA);
+ will(returnValue(false));
+ allowing(resource).getChild(JCR_CONTENT_LEAF);
+ will(returnValue(child));
+ allowing(child).adaptTo(ValueMap.class);
+ will(returnValue(childPropoerties));
+ allowing(childPropoerties).containsKey(PROP_JCR_DATA);
+ will(returnValue(true));
+ }
+ });
+
+ Boolean result = (Boolean) PrivateAccessor.invoke(rewriterResponse,"isJcrData", new Class[]{Resource.class},new Object[]{resource});
+
+ Assert.assertTrue(result);
+ }
}
\ No newline at end of file
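Review bot: None of the five isJcrData tests covers `adaptTo(ValueMap.class)` returning null — every mock unconditionally returns a ValueMap — so a null-safety regression in the filter would go unnoticed; add a case with `allowing(resource).adaptTo(ValueMap.class); will(returnValue(null));` and assert the result is `false`. The tests also reach the method only through `PrivateAccessor.invoke(rewriterResponse, "isJcrData", ...)`, so nothing here exercises the filter's actual response path; a test that drives `setContentType` with a resource carrying jcr:data and asserts that `Content-Disposition: attachment` is added would prove the protection end to end, assuming that wiring exists. Minor: the mock names `childPropoerties` are misspelled; `childProperties` reads better.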