svn commit: r1712835 - in /ofbiz/trunk: applications/content/src/org/ofbiz/content/view/ applications/order/webapp/ordermgr/WEB-INF/actions/order/ applications/product/webapp/facility/WEB-INF/actions/shipment/ framework/base/src/org/ofbiz/base/util/ fr...


svn commit: r1712835 - in /ofbiz/trunk: applications/content/src/org/ofbiz/content/view/ applications/order/webapp/ordermgr/WEB-INF/actions/order/ applications/product/webapp/facility/WEB-INF/actions/shipment/ framework/base/src/org/ofbiz/base/util/ fr...

jleroux@apache.org
Author: jleroux
Date: Thu Nov  5 17:47:00 2015
New Revision: 1712835

URL: http://svn.apache.org/viewvc?rev=1712835&view=rev
Log:
A rearranged patch from Gareth Carter for "Update SimpleContentViewHandler to return mime type on file extension and use inline for content-disposition" https://issues.apache.org/jira/browse/OFBIZ-6702

SimpleContentViewHandler will return mime type 'text/html' for all DataResource values without a specified mimeTypeId. Changing to DataResourceWorker.getMimeType will allow determining the mimeTypeId by file extension
Fixing the mime type will allow the browsers to display content inline if UtilHttp is updated as well. All unknown extensions will be set to octet-stream, causing the browser to prompt for download.

jleroux: after some discussions, this finally uses a content-disposition-type property in requestHandler.properties to allow more flexibility for users (see UtilHttp.setContentDisposition() method). Beware "inline" is less secure. For this reason, Gareth forced the "dangerous" text/html mime type to application/octet-stream in SimpleContentViewHandler class. This to prevent possible static XSS attacks. See the Jira issue for more details.

Modified:
    ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
    ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
    ofbiz/trunk/applications/product/webapp/facility/WEB-INF/actions/shipment/PrintPickSheets.groovy
    ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
    ofbiz/trunk/framework/webapp/config/requestHandler.properties
    ofbiz/trunk/specialpurpose/birt/src/org/ofbiz/birt/webapp/view/BirtViewHandler.java

Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/view/SimpleContentViewHandler.java Thu Nov  5 17:47:00 2015
@@ -137,7 +137,10 @@ public class SimpleContentViewHandler ex
                     charset = defaultCharset;
                 }
                 if (UtilValidate.isEmpty(mimeTypeId)) {
-                    mimeTypeId = dataResource.getString("mimeTypeId");
+                    mimeTypeId = DataResourceWorker.getMimeType(dataResource);
+                    if ("text/html".equalsIgnoreCase(mimeTypeId)) {
+                        mimeTypeId = "application/octet-stream";
+                    }
                 }
                 // setup content type
                 String contentType2 = UtilValidate.isNotEmpty(mimeTypeId) ? mimeTypeId + "; charset=" +charset : contentType;
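Review bot: The octet-stream override only runs inside the `if (UtilValidate.isEmpty(mimeTypeId))` branch, so a `mimeTypeId` that arrives already set to `text/html` (the source of that value is outside the hunk, so this is inferred) is served untouched and would be rendered when the new `content-disposition-type` is `inline`. Moving the check below the branch, `if ("text/html".equalsIgnoreCase(mimeTypeId)) { mimeTypeId = "application/octet-stream"; }`, would cover both paths. The same concern applies to other types browsers render with script enabled (`application/xhtml+xml`, `image/svg+xml`), which could be added to the comparison. The override deserves a why-comment such as `// force download: inline HTML would be rendered in the site's origin (OFBIZ-6702)`. The enclosing method starts and ends outside the hunk.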

Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy Thu Nov  5 17:47:00 2015
@@ -43,9 +43,9 @@ fromPartyId = parameters.fromPartyId;
 if (!orderHeader && orderId) {
     orderHeader = from("OrderHeader").where("orderId", orderId).queryOne();
     if (parameters.facilityId) {
-        response.setHeader("Content-Disposition","attachment; filename=\"PickSheet" + orderId + ".pdf" + "\";");
+        UtilHttp.setContentDisposition(response, "PickSheet" + orderId + ".pdf");
     } else {
-        response.setHeader("Content-Disposition","attachment; filename=\"" + orderId + ".pdf" + "\";");
+        UtilHttp.setContentDisposition(response, orderId + ".pdf");
     }
 } else if (shipmentId) {
     shipment = from("Shipment").where("shipmentId", shipmentId).queryOne();
@@ -54,7 +54,7 @@ if (!orderHeader && orderId) {
 
 if (!invoice && invoiceId)    {
     invoice = from("Invoice").where("invoiceId", invoiceId).queryOne();
-    response.setHeader("Content-Disposition","attachment; filename=\"" + invoiceId + ".pdf" + "\";");
+    UtilHttp.setContentDisposition(response, invoiceId + ".pdf");
 }
 
 if (!returnHeader && returnId) {

Modified: ofbiz/trunk/applications/product/webapp/facility/WEB-INF/actions/shipment/PrintPickSheets.groovy
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/facility/WEB-INF/actions/shipment/PrintPickSheets.groovy?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/webapp/facility/WEB-INF/actions/shipment/PrintPickSheets.groovy (original)
+++ ofbiz/trunk/applications/product/webapp/facility/WEB-INF/actions/shipment/PrintPickSheets.groovy Thu Nov  5 17:47:00 2015
@@ -20,6 +20,7 @@
 import org.ofbiz.order.order.OrderReadHelper;
 import org.ofbiz.entity.condition.EntityCondition;
 import org.ofbiz.entity.util.EntityUtil;
+import org.ofbiz.base.util.UtilHttp;
 
 toPrintOrders = [];
 maxNumberOfOrders = parameters.maxNumberOfOrdersToPrint;
@@ -126,5 +127,5 @@ if (toPrintOrders) {
             }
         }
     }
-    response.setHeader("Content-Disposition","attachment; filename=\"orderPickSheet.pdf" + "\";");
+    UtilHttp.setContentDisposition(response, "orderPickSheet.pdf");
 }

Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Thu Nov  5 17:47:00 2015
@@ -969,7 +969,7 @@ public class UtilHttp {
             response.setContentType(contentType);
         }
         if (fileName != null) {
-            response.setHeader("Content-Disposition", "attachment;filename=\"" + fileName + "\"");
+            setContentDisposition(response, fileName);
         }
 
         // create the streams
@@ -1018,7 +1018,7 @@ public class UtilHttp {
             response.setContentType(contentType);
         }
         if (fileName != null) {
-            response.setHeader("Content-Disposition", "attachment;filename=\"" + fileName + "\"");
+            setContentDisposition(response, fileName);
         }
 
         // stream the content
@@ -1433,4 +1433,10 @@ public class UtilHttp {
         request.setAttribute("UNIQUE_ID", Integer.valueOf(uniqueIdNumber.intValue() + 1));
         return "autoId_" + uniqueIdNumber;
     }
+
+    public static void setContentDisposition(final HttpServletResponse response, final String filename) {
+        String dispositionType = UtilProperties.getPropertyValue("requestHandler", "content-disposition-type", "attachment");
+        response.setHeader("Content-Disposition", String.format("%s; filename=\"%s\"", dispositionType, filename));
+    }
+
 }
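Review bot: setContentDisposition interpolates `filename` verbatim into a quoted-string, so a name containing `"`, `\` or CR/LF would terminate the quoted value or the header line; callers in CompanyHeader.groovy and BirtViewHandler.java pass values that appear to derive from request parameters and attributes, so the helper is the right place to neutralise those characters, e.g. `String safeName = filename.replaceAll("[\"\\\\\\r\\n]", "_");` before the `String.format` call. Non-ASCII names are also emitted raw; RFC 6266's `filename*` form is the compatible way to carry them if that matters here. The method is new public API and has no Javadoc: a short block stating that the disposition type comes from the `content-disposition-type` property of requestHandler.properties (default `attachment`) and that the caller must not pass null would help readers.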

Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
+++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Thu Nov  5 17:47:00 2015
@@ -3,3 +3,8 @@ throwRequestHandlerExceptionOnMissingLoc
 
 # -- Default HTTP status-code, see OFBIZ-5109
 status-code=302
+
+# -- Default Content-Disposition type
+#-- attachment might be replaced by inline if you prefer to offer this option to your users.
+#   attachment is supposed to be more secure, but this is a bit unclear see OFBIZ-6702 for details
+content-disposition-type=attachment
\ No newline at end of file
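Review bot: The comment on the new property says attachment "is supposed to be more secure, but this is a bit unclear", which leaves an operator without the actual trade-off. A more useful wording is `# inline lets the browser render served content in this site's origin; keep attachment unless every served type is safe to render (see OFBIZ-6702)`. The file also loses its trailing newline in this hunk.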

Modified: ofbiz/trunk/specialpurpose/birt/src/org/ofbiz/birt/webapp/view/BirtViewHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/birt/src/org/ofbiz/birt/webapp/view/BirtViewHandler.java?rev=1712835&r1=1712834&r2=1712835&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/birt/src/org/ofbiz/birt/webapp/view/BirtViewHandler.java (original)
+++ ofbiz/trunk/specialpurpose/birt/src/org/ofbiz/birt/webapp/view/BirtViewHandler.java Thu Nov  5 17:47:00 2015
@@ -102,7 +102,7 @@ public class BirtViewHandler implements
             // set output file name
             String outputFileName = (String) request.getAttribute(BirtWorker.BIRT_OUTPUT_FILE_NAME);
             if (UtilValidate.isNotEmpty(outputFileName)) {
-                response.setHeader("Content-Disposition", "attachment; filename=" + outputFileName);
+                UtilHttp.setContentDisposition(response, outputFileName);
             }
             
             // set override content type