This is an automated email from the ASF dual-hosted git repository.

juanpablo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git

commit d5d66d435dbccb79d6b2355f2aebe82cd4f133fc
Author: Juan Pablo Santos Rodríguez <[email protected]>
AuthorDate: Sun Nov 19 22:06:56 2023 +0100

    AttachmentServlet now respects jspwiki.attachment.forceDownload pattern and 
will refuse to inline content matching those extensions
---
 .../org/apache/wiki/attachment/AttachmentServlet.java  | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git 
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java 
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
index 47561c9e1..1e6375437 100644
--- 
a/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
+++ 
b/jspwiki-main/src/main/java/org/apache/wiki/attachment/AttachmentServlet.java
@@ -218,11 +218,8 @@ public class AttachmentServlet extends HttpServlet {
                 final String mimetype = getMimeType( context, 
att.getFileName() );
                 res.setContentType( mimetype );
 
-                //
-                //  We use 'inline' instead of 'attachment' so that user agents
-                //  can try to automatically open the file.
-                //
-                res.addHeader( "Content-Disposition", "inline; filename=\"" + 
att.getFileName() + "\";" );
+                final String contentDisposition = getContentDisposition( att );
+                res.addHeader( "Content-Disposition", contentDisposition );
                 
res.addDateHeader("Last-Modified",att.getLastModified().getTime());
 
                 if( !att.isCacheable() ) {
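Review bot: The forced-download case only changes the Content-Disposition value; `res.setContentType( mimetype )` two lines above still sends the resolved type for attachments that match the pattern. User agents generally honour `attachment`, but if the intent is that such content never renders in the wiki's origin, consider also sending `res.setHeader( "X-Content-Type-Options", "nosniff" );` next to the disposition header. Whether that header is already set elsewhere in the servlet or by a filter is not visible in this hunk, and the enclosing method starts and ends outside it.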
@@ -286,6 +283,17 @@ public class AttachmentServlet extends HttpServlet {
         }
     }
 
+    String getContentDisposition( final Attachment att ) {
+        // We use 'inline' instead of 'attachment' so that user agents can try 
to automatically open the file,
+        // except those cases in which we want to enforce the file download.
+        String contentDisposition = "inline; filename=\"";
+        if( m_engine.getManager( AttachmentManager.class ).forceDownload( 
att.getFileName() ) ) {
+            contentDisposition = "attachment; filename=\"";
+        }
+        contentDisposition += att.getFileName() + "\";";
+        return contentDisposition;
+    }
+
     void sendError( final HttpServletResponse res, final String message ) 
throws IOException {
         try {
             res.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, 
message );
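Review bot: In getContentDisposition, `att.getFileName()` is concatenated unescaped into the quoted `filename="…"` parameter, so a name containing `"` or `\` ends the parameter early and the rest of the name is parsed as further header parameters. This was true of the old inline-only line as well, but the new helper is the natural place to fix it, since the header now carries the download decision. Whether upload validation already rejects such names is not visible here. I would escape the quoted-string specials before building the value and read the file name once, so the string that is matched against forceDownload is the same one that is emitted. Non-ASCII names would additionally need an RFC 6266 `filename*` parameter, which is left out of the sketch below.

```java
String getContentDisposition( final Attachment att ) {
    // 'inline' lets user agents open the file directly; names matching the forceDownload pattern are sent as 'attachment'.
    final String fileName = att.getFileName();
    final String type = m_engine.getManager( AttachmentManager.class ).forceDownload( fileName ) ? "attachment" : "inline";
    // Escape quoted-string specials so the name cannot terminate the filename parameter early.
    final String quoted = fileName.replace( "\\", "\\\\" ).replace( "\"", "\\\"" );
    return type + "; filename=\"" + quoted + "\";";
}
```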
