Frank Kobzik has uploaded a new change for review. Change subject: core: Protect GetAttachmentServlet from response splitting attack ......................................................................
core: Protect GetAttachmentServlet from response splitting attack Current version of GetAttachmentServlet inserts given filename directly to http response header, which allows code splitting. This patch fixes it by url-encoding the given filename. Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e Signed-off-by: Frantisek Kobzik <[email protected]> Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=843410 --- M backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java 1 file changed, 3 insertions(+), 2 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/71/12671/1 diff --git a/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java b/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java index 9b5801f..d6324ec 100644 --- a/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java +++ b/backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java @@ -1,6 +1,7 @@ package org.ovirt.engine.core; import java.io.IOException; +import java.net.URLEncoder; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; @@ -29,7 +30,7 @@ if (fileName == null) { fileName = "attachment"; } - response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\""); + response.setHeader("Content-Disposition", "attachment; filename*='UTF-8'" + URLEncoder.encode(StringEscapeUtils.unescapeHtml(fileName), "UTF-8")); if (!cache) { response.setHeader("Cache-Control", "no-cache, must-revalidate"); //disable caching HTTP/1.1 
@@ -50,7 +51,7 @@ throw new IOException("Error when writing to response stream"); } } else { - throw new ServletException(String.format("Unsupported encoding type {0}", encodingType)); + throw new ServletException(String.format("Unsupported encoding type %s", encodingType)); } } } -- To view, visit http://gerrit.ovirt.org/12671 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Frank Kobzik <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
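Review bot: in the Content-Disposition hunk (@@ -29,7 +30,7 @@) the new `filename*` parameter is malformed: RFC 5987/6266 syntax is `filename*=UTF-8''<percent-encoded-name>` (charset, a single quote, an optional language tag, a second single quote, then the value), whereas the added line emits `filename*='UTF-8'` immediately followed by the encoded name, so conforming browsers will discard the parameter and fall back to a default download name. Percent-encoding does close the CR/LF injection the change targets, but `URLEncoder.encode` produces application/x-www-form-urlencoded output, which turns spaces into `+`; inside a `filename*` value that is a literal plus sign, so post-process with `.replace("+", "%20")`. Consider also keeping a sanitized plain `filename="..."` (with CR, LF and `"` stripped) next to `filename*=`, as RFC 6266 recommends, so clients without RFC 5987 support still get a usable name. Finally, `StringEscapeUtils.unescapeHtml(fileName)` is called but no import for `StringEscapeUtils` appears in the diff; if the class is not already imported in this file the change will not compile, and the commit message should say why the name is HTML-unescaped before encoding.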
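Review bot: in the ServletException hunk (@@ -50,7 +51,7 @@) replacing `{0}` with `%s` is correct, since `String.format` uses printf-style specifiers and the MessageFormat-style `{0}` was never substituted, so `encodingType` never reached the message. This is unrelated to the response-splitting fix, though, and the commit message does not mention it; either add a sentence describing it or move it into its own change so the security fix stays reviewable on its own.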
