This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.security-1.0.16 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-security.git
commit 782ea38c6365eee325741794a6e1c7f6136a36be
Author: Antonio Sanso <[email protected]>
AuthorDate: Tue Sep 1 09:21:11 2015 +0000

SLING-4983 - Limit the Content Disposition Filter to GET operations

git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/security@1700435 13f79535-47bb-0310-9956-ffa450edef68
---
.../security/impl/ContentDispositionFilter.java | 94 +++++++++++-----------
.../impl/ContentDispositionFilterTest.java | 44 ++++++++++
2 files changed, 90 insertions(+), 48 deletions(-)

diff --git a/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
index 34e7871..bc3d64b 100644
--- a/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
+++ b/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java
@@ -221,47 +221,49 @@ public class ContentDispositionFilter implements Filter {
  * @see javax.servlet.ServletResponseWrapper#setContentType(java.lang.String)
  */
 public void setContentType(String type) {
- String previousContentType = (String) request.getAttribute(ATTRIBUTE_NAME);
-
- if (previousContentType != null && previousContentType.equals(type)) {
- return;
- }
- request.setAttribute(ATTRIBUTE_NAME, type);
- Resource resource = request.getResource();
- String resourcePath = resource.getPath();
-
- if (!contentDispositionExcludedPaths.contains(resourcePath)) {
+ if ("GET".equals(request.getMethod())) {
+ String previousContentType = (String) request.getAttribute(ATTRIBUTE_NAME);
+
+ if (previousContentType != null && previousContentType.equals(type)) {
+ return;
+ }
+ request.setAttribute(ATTRIBUTE_NAME, type);
+ Resource resource = request.getResource();
+ String resourcePath = resource.getPath();
+
+ if (!contentDispositionExcludedPaths.contains(resourcePath)) {
 
- if (enableContentDispositionAllPaths) {
- setContentDisposition(resource);
- } else {
+ if (enableContentDispositionAllPaths) {
+ setContentDisposition(resource);
+ } else {
 
- boolean contentDispositionAdded = false;
- if (contentDispositionPaths.contains(resourcePath)) {
+ boolean contentDispositionAdded = false;
+ if (contentDispositionPaths.contains(resourcePath)) {
 
- if (contentTypesMapping.containsKey(resourcePath)) {
- Set <String> exceptions = contentTypesMapping.get(resourcePath);
- if (!exceptions.contains(type)) {
+ if (contentTypesMapping.containsKey(resourcePath)) {
+ Set <String> exceptions = contentTypesMapping.get(resourcePath);
+ if (!exceptions.contains(type)) {
+ contentDispositionAdded = setContentDisposition(resource);
+ }
+ } else {
 contentDispositionAdded = setContentDisposition(resource);
 }
- } else {
- contentDispositionAdded = setContentDisposition(resource);
- }
- }
- if (!contentDispositionAdded) {
- for (String path : contentDispositionPathsPfx) {
- if (resourcePath.startsWith(path)) {
- if (contentTypesMapping.containsKey(path)) {
- Set <String> exceptions = contentTypesMapping.get(path);
- if (!exceptions.contains(type)) {
+ }
+ if (!contentDispositionAdded) {
+ for (String path : contentDispositionPathsPfx) {
+ if (resourcePath.startsWith(path)) {
+ if (contentTypesMapping.containsKey(path)) {
+ Set <String> exceptions = contentTypesMapping.get(path);
+ if (!exceptions.contains(type)) {
+ setContentDisposition(resource);
+ break;
+ }
+ } else {
 setContentDisposition(resource);
 break;
 }
- } else {
- setContentDisposition(resource);
- break;
- }
+ }
 }
 }
 }
@@ -283,23 +285,19 @@ public class ContentDispositionFilter implements Filter {
 
 private boolean isJcrData(Resource resource){
 boolean jcrData = false;
- try {
- if (resource!= null) {
- ValueMap props = resource.adaptTo(ValueMap.class);
- if (props != null && props.containsKey(PROP_JCR_DATA) ) {
- jcrData = true;
- } else {
- Resource jcrContent = resource.getChild(JCR_CONTENT_LEAF);
- if (jcrContent!= null) {
- props = jcrContent.adaptTo(ValueMap.class);
- if (props != null && props.containsKey(PROP_JCR_DATA) ) {
- jcrData = true;
- }
+ if (resource!= null) {
+ ValueMap props = resource.adaptTo(ValueMap.class);
+ if (props != null && props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
+ } else {
+ Resource jcrContent = resource.getChild(JCR_CONTENT_LEAF);
+ if (jcrContent!= null) {
+ props = jcrContent.adaptTo(ValueMap.class);
+ if (props != null && props.containsKey(PROP_JCR_DATA) ) {
+ jcrData = true;
 }
- }
- }
- } catch (Exception e) {
- logger.error("Exception in isJcrData", e);
+ }
+ }
 }
 return jcrData;
 }
diff --git a/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
index 49b1ae7..b777857 100644
--- a/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
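Review bot: The new `if ("GET".equals(request.getMethod()))` guard at the top of setContentType also drops the Content-Disposition handling for HEAD, although a HEAD response is expected to carry the same headers as the corresponding GET, and for any other method whose response still renders the resource. Consider widening the guard, e.g. `String method = request.getMethod();` followed by `if ("GET".equals(method) || "HEAD".equals(method)) {`, and adding a comment above it that states which methods the protection is meant to cover and why the others are excluded, since the bare condition does not say. Wrapping the whole existing body in one more `if` also deepens an already deeply nested method; a guard that skips only the disposition logic would leave the re-indented lines untouched, though setContentType continues past the end of the hunk and whatever follows the new block is not visible here.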
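Review bot: Removing the `catch (Exception e)` means a failure in `adaptTo` or `getChild` now propagates out of isJcrData, and hence out of setContentType, instead of being logged and reported as "no jcr:data", which previously also meant no Content-Disposition header on that response; that is the safer direction, but nothing in the code records the intent. Suggest a Javadoc on the method: `/** Returns true when the resource, or its jcr:content child, carries a jcr:data property; repository errors propagate to the caller rather than being swallowed. */`. While these lines are being re-indented, `resource!= null` and `jcrContent!= null` could be normalized to `resource != null` and `jcrContent != null`.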
+++ b/src/test/java/org/apache/sling/security/impl/ContentDispositionFilterTest.java
@@ -280,6 +280,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -320,6 +322,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -366,6 +370,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -412,6 +418,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -458,6 +466,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
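Review bot: Each of these hunks, including the remaining ones in ContentDispositionFilterTest.java, stubs `getMethod()` to answer "GET", so the branch the commit adds — skipping the Content-Disposition logic and the `ATTRIBUTE_NAME` bookkeeping for every other method — has no test. A companion test that returns a different method from `getMethod()` (a POST, say) and expects neither a `Content-Disposition` header nor the `ATTRIBUTE_NAME` attribute to be set would pin the new behaviour and document what the filter deliberately leaves alone. The `allowing(request).getMethod(); will(returnValue("GET"));` pair is repeated in more than twenty expectations blocks; a shared helper that installs it would keep the next method-related change to a single place.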
@@ -510,6 +520,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -556,6 +568,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -596,6 +610,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -635,6 +651,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -680,6 +698,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -726,6 +746,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -766,6 +788,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -805,6 +829,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
 will(returnValue(null));
 allowing(request).setAttribute(RewriterResponse.ATTRIBUTE_NAME, "text/html");
@@ -851,6 +877,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -907,6 +935,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -967,6 +997,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 exactly(1).of(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(response).containsHeader("Content-Disposition");
@@ -1029,6 +1061,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 exactly(1).of(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(response).containsHeader("Content-Disposition");
@@ -1090,6 +1124,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 exactly(1).of(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(response).containsHeader("Content-Disposition");
@@ -1150,6 +1186,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 exactly(1).of(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(response).containsHeader("Content-Disposition");
@@ -1210,6 +1248,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 exactly(1).of(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 exactly(1).of(response).containsHeader("Content-Disposition");
@@ -1269,6 +1309,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
@@ -1322,6 +1364,8 @@ public class ContentDispositionFilterTest {
 
 context.checking(new Expectations() {
 {
+ allowing(request).getMethod();
+ will(returnValue("GET"));
 allowing(response).containsHeader("Content-Disposition");
 will(returnValue(false));
 allowing(request).getAttribute(RewriterResponse.ATTRIBUTE_NAME);
-- 
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
