This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
The following commit(s) were added to refs/heads/master by this push:
new 34df8c3 [JSPWIKI-1106] Adding the jspwiki.attachment.forceDownload
property (no version bump)
34df8c3 is described below
commit 34df8c3b2e5bec0ec1e814bd2ea41667dcddefbf
Author: brushed <[email protected]>
AuthorDate: Sun Apr 28 20:22:58 2019 +0200
[JSPWIKI-1106] Adding the jspwiki.attachment.forceDownload property (no
version bump)
---
ChangeLog | 3 ++
.../apache/wiki/attachment/AttachmentManager.java | 44 +++++++++++++++++++++-
.../apache/wiki/attachment/AttachmentServlet.java | 2 +-
.../apache/wiki/parser/JSPWikiMarkupParser.java | 6 +++
.../main/java/org/apache/wiki/tags/LinkTag.java | 8 +++-
.../main/java/org/apache/wiki/tags/LinkToTag.java | 10 ++++-
.../src/main/resources/ini/jspwiki.properties | 3 ++
7 files changed, 72 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5c9ee7e..94c7eb5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
* [JSPWIKI-1107] Fixing XSS vulnerability in various plugins.
+ * [JSPWIKI-1106] Adding the jspwiki.attachment.forceDownload property
+
+
2019-04-28 Juan Pablo Santos (juanpablo AT apache DOT org)
* 2.11.0-M4-git-09
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java
index 76b6220..e1e8196 100644
---
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java
+++
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentManager.java
@@ -43,6 +43,7 @@ import org.apache.wiki.pages.PageManager;
import org.apache.wiki.parser.MarkupParser;
import org.apache.wiki.providers.WikiAttachmentProvider;
import org.apache.wiki.util.ClassUtil;
+import org.apache.wiki.util.TextUtil;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
@@ -77,7 +78,15 @@ public class AttachmentManager
/**
* A space-separated list of attachment types which cannot be uploaded
*/
- public static final String PROP_FORDBIDDENEXTENSIONS =
"jspwiki.attachment.forbidden";
+ public static final String PROP_FORBIDDENEXTENSIONS =
"jspwiki.attachment.forbidden";
+
+ /**
+ * A space-separated list of attachment types which never will open in
the browser.
+ */
+ public static final String PROP_FORCEDOWNLOAD =
"jspwiki.attachment.forceDownload";
+
+ /** List of attachment types which are forced to be downloaded */
+ private String[] m_forceDownloadPatterns;
static Logger log = Logger.getLogger( AttachmentManager.class );
private WikiAttachmentProvider m_provider;
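Review bot: `m_forceDownloadPatterns` is declared without an initial value and is only assigned at the end of the initialisation code in the next hunk. Any path that leaves that code earlier would leave the field null, and the loop in forceDownload() would then throw a NullPointerException while a link is being rendered. Whether such an early exit exists is not visible in this diff. Initialising at the declaration removes the dependency: `private String[] m_forceDownloadPatterns = new String[0];`.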
@@ -175,6 +184,15 @@ public class AttachmentManager
log.error( "Attachment provider reports IO error", e );
m_provider = null;
}
+
+ String forceDownload = TextUtil.getStringProperty( props,
PROP_FORCEDOWNLOAD, null );
+
+ if( forceDownload != null && forceDownload.length() > 0 )
+ m_forceDownloadPatterns = forceDownload.toLowerCase().split("\\s");
+ else
+ m_forceDownloadPatterns = new String[0];
+
+
}
/**
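Review bot: `forceDownload.toLowerCase()` uses the JVM default locale, so on a Turkish-locale server an attachment named `X.GIF` lowercases to `x.gıf` and no longer matches a configured `.gif`. The same applies to `name.toLowerCase()` in the forceDownload() hunk below. Use `toLowerCase( Locale.ROOT )` in both places, which needs a `java.util.Locale` import. Splitting on `"\\s"` also produces empty entries for leading or repeated whitespace (the shipped example value starts with a space); `forceDownload.trim().split( "\\s+" )` would avoid relying on the later `length() > 0` filter. The enclosing method starts outside this hunk.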
@@ -392,6 +410,30 @@ public class AttachmentManager
}
/**
+ * Check if attachement link should force a download iso opening the
attachment in the browser.
+ *
+ * @param name Name of attachment to be checked
+ * @return true, if the attachment should be downloaded when clicking the
link
+ * @since 2.11.0 M4
+ */
+ public boolean forceDownload( String name )
+ {
+ if( name == null || name.length() == 0 ) return false;
+
+ name = name.toLowerCase();
+
+ if( name.indexOf('.') == -1) return true; //force download on
attachments without extension or type indication
+
+ for( int i = 0; i < m_forceDownloadPatterns.length; i++ )
+ {
+ if( name.endsWith(m_forceDownloadPatterns[i]) &&
m_forceDownloadPatterns[i].length() > 0 )
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
* Finds a (real) attachment from the repository as a stream.
*
* @param att Attachment
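Review bot: The no-extension rule `name.indexOf('.') == -1` inspects the whole string, while the callers in this commit pass `attlink` and `pageName`, which appear to carry the parent page name as well as the file name. If that is the case, a dot anywhere in the page part lets an extension-less attachment skip the forced download that the inline comment promises. Testing only the file part would match the intent, e.g. `String file = name.substring( name.lastIndexOf( '/' ) + 1 );` before the two checks. The Javadoc would also read better with "attachment" and "instead of" in place of "attachement" and "iso".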
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
index f1db191..a75f373 100644
---
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
+++
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
@@ -132,7 +132,7 @@ public class AttachmentServlet extends HttpServlet {
m_allowedPatterns = new String[0];
String forbidden = TextUtil.getStringProperty( props,
- AttachmentManager.PROP_FORDBIDDENEXTENSIONS,
+ AttachmentManager.PROP_FORBIDDENEXTENSIONS,
null );
if( forbidden != null && forbidden.length() > 0 )
diff --git
a/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
b/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
index 7abfdf9..287e2ee 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
@@ -394,6 +394,11 @@ public class JSPWikiMarkupParser extends MarkupParser {
el = createAnchor( ATTACHMENT, attlink, text, "" );
+ if( m_engine.getAttachmentManager().forceDownload( attlink ) )
+ {
+ el.setAttribute("download", "");
+ }
+
pushElement(el);
popElement(el.getName());
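Review bot: The `download` attribute set here is only a hint on this one generated link, so the attachment still renders inline for anyone who opens or is sent the attachment URL directly. If `jspwiki.attachment.forceDownload` is meant to keep HTML attachments from running in the wiki's origin, the serving side needs to enforce it too, by sending `Content-Disposition: attachment` whenever `forceDownload( name )` is true. Nothing in this diff shows that: the AttachmentServlet hunk only renames a constant. The Javadoc on `PROP_FORCEDOWNLOAD` ("never will open in the browser") should be softened unless that server-side check exists elsewhere. The enclosing method starts and ends outside this hunk.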
@@ -436,6 +441,7 @@ public class JSPWikiMarkupParser extends MarkupParser {
return el;
}
+
/**
* Figures out if a link is an off-site link. This recognizes
* the most common protocols by checking how it starts.
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkTag.java
b/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkTag.java
index be33434..17af986 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkTag.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkTag.java
@@ -419,10 +419,11 @@ public class LinkTag extends WikiLinkTag implements
ParamHandler, BodyTag {
{
try
{
+ WikiEngine engine = m_wikiContext.getEngine();
+
if( !m_overrideAbsolute )
{
// TODO: see WikiContext.getURL(); this check needs to be
specified somewhere.
- WikiEngine engine = m_wikiContext.getEngine();
m_absolute = "absolute".equals(
engine.getWikiProperties().getProperty( WikiEngine.PROP_REFSTYLE ) );
}
@@ -439,6 +440,11 @@ public class LinkTag extends WikiLinkTag implements
ParamHandler, BodyTag {
sb.append( (m_accesskey != null) ? "accesskey=\""+m_accesskey+"\"
" : "" );
sb.append( (m_tabindex != null) ? "tabindex=\""+m_tabindex+"\" " :
"" );
+ if( engine.getPage( m_pageName ) instanceof Attachment )
+ {
+ sb.append( engine.getAttachmentManager().forceDownload(
m_pageName ) ? "download " : "" );
+ }
+
switch( m_format )
{
case URL:
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkToTag.java
b/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkToTag.java
index 37a2cbd..8599189 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkToTag.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/tags/LinkToTag.java
@@ -102,12 +102,19 @@ public class LinkToTag
JspWriter out = pageContext.getOut();
String url;
String linkclass;
+ String forceDownload = "";
if( isattachment )
{
url = m_wikiContext.getURL(WikiContext.ATTACH, pageName,
(getVersion() != null) ?
"version="+getVersion() : null );
linkclass = "attachment";
+
+ if(
m_wikiContext.getEngine().getAttachmentManager().forceDownload( pageName ) )
+ {
+ forceDownload = "download ";
+ }
+
}
else
{
@@ -124,7 +131,8 @@ public class LinkToTag
{
case ANCHOR:
out.print("<a class=\""+linkclass+"\" href=\""+url+"\"
accesskey=\""
- + m_accesskey + "\" title=\"" + m_title + "\">");
+ + m_accesskey + "\" title=\"" + m_title
+ + "\" " + forceDownload + ">");
break;
case URL:
out.print( url );
diff --git a/jspwiki-main/src/main/resources/ini/jspwiki.properties
b/jspwiki-main/src/main/resources/ini/jspwiki.properties
index fe5de90..715e181 100644
--- a/jspwiki-main/src/main/resources/ini/jspwiki.properties
+++ b/jspwiki-main/src/main/resources/ini/jspwiki.properties
@@ -172,6 +172,9 @@ jspwiki.attachmentProvider = BasicAttachmentProvider
# Example: Forbid HTML, PHP, ASP and EXE
#jspwiki.attachment.forbidden=.html .htm .php .asp .exe
+# Example: Attachment links to HTML, HTM and MP3 files would force a download
rather then opening the attachment
+#jspwiki.attachment.forceDownload= .html .htm
+
#
# page Diff Representation
#
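Review bot: The example comment names HTML, HTM and MP3, but the sample value lists only `.html .htm`, and "rather then" should be "rather than". Suggested wording: `# Example: Attachment links to HTML and HTM files force a download rather than opening the attachment`. The sample value also has a leading space after `=`, which the parsing in AttachmentManager turns into an empty pattern, so `#jspwiki.attachment.forceDownload=.html .htm` would be the cleaner example.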