diff --git a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
index b714d57ac491..0986bafa6078 100644
--- a/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
+++ b/spring-web/src/main/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverter.java
@@ -96,6 +96,7 @@ protected void writePrefix(JsonGenerator generator, Object object) throws IOExce
String jsonpFunction =
(object instanceof MappingJacksonValue ? ((MappingJacksonValue) object).getJsonpFunction() : null);
if (jsonpFunction != null) {
+ generator.writeRaw("/**/");
generator.writeRaw(jsonpFunction + "(");
}
}
diff --git a/spring-web/src/main/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBean.java b/spring-web/src/main/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBean.java
index 0c6e6ed1df9f..9ae54e897c0e 100644
--- a/spring-web/src/main/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBean.java
+++ b/spring-web/src/main/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBean.java
@@ -141,6 +141,10 @@ public void setUseJaf(boolean useJaf) {
this.useJaf = useJaf;
}
+ private boolean isUseJafTurnedOff() {
+ return (this.useJaf != null && !this.useJaf);
+ }
+
/**
* Indicate whether a request parameter should be used to determine the
* requested media type with the 2nd highest priority, i.e.
@@ -211,7 +215,7 @@ public void afterPropertiesSet() {
if (this.favorPathExtension) {
PathExtensionContentNegotiationStrategy strategy;
- if (this.servletContext != null) {
+ if (this.servletContext != null && !isUseJafTurnedOff()) {
strategy = new ServletPathExtensionContentNegotiationStrategy(this.servletContext, this.mediaTypes);
}
else {
diff --git a/spring-web/src/main/java/org/springframework/web/accept/PathExtensionContentNegotiationStrategy.java b/spring-web/src/main/java/org/springframework/web/accept/PathExtensionContentNegotiationStrategy.java
index de98ae2ec37f..68b97e1b90b5 100644
--- a/spring-web/src/main/java/org/springframework/web/accept/PathExtensionContentNegotiationStrategy.java
+++ b/spring-web/src/main/java/org/springframework/web/accept/PathExtensionContentNegotiationStrategy.java
@@ -64,7 +64,7 @@ public class PathExtensionContentNegotiationStrategy extends AbstractMappingCont
urlPathHelper.setUrlDecode(false);
}
- private boolean useJaf = JAF_PRESENT;
+ private boolean useJaf = true;
private boolean ignoreUnknownExtensions = true;
@@ -130,7 +130,7 @@ protected void handleMatch(String extension, MediaType mediaType) {
protected MediaType handleNoMatch(NativeWebRequest webRequest, String extension)
throws HttpMediaTypeNotAcceptableException {
- if (this.useJaf) {
+ if (this.useJaf && JAF_PRESENT) {
MediaType jafMediaType = JafMediaTypeFactory.getMediaType("file." + extension);
if (jafMediaType != null && !MediaType.APPLICATION_OCTET_STREAM.equals(jafMediaType)) {
return jafMediaType;
diff --git a/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java b/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java
index a9e6adb5ad66..63cd8693922f 100644
--- a/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java
+++ b/spring-web/src/main/java/org/springframework/web/util/UrlPathHelper.java
@@ -405,7 +405,7 @@ private String decodeAndCleanUriString(HttpServletRequest request, String uri) {
* @see java.net.URLDecoder#decode(String)
*/
public String decodeRequestString(HttpServletRequest request, String source) {
- if (this.urlDecode) {
+ if (this.urlDecode && source != null) {
return decodeInternal(request, source);
}
return source;
diff --git a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
index 7e7037881275..778630b4846e 100644
--- a/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
+++ b/spring-web/src/main/java/org/springframework/web/util/WebUtils.java
@@ -728,20 +728,23 @@ public static String extractFilenameFromUrlPath(String urlPath) {
}
/**
- * Extract the full URL filename (including file extension) from the given request URL path.
- * Correctly resolves nested paths such as "/products/view.html" as well.
+ * Extract the full URL filename (including file extension) from the given
+ * request URL path. Correctly resolve nested paths such as
+ * "/products/view.html" and remove any path and or query parameters.
* @param urlPath the request URL path (e.g. "/products/index.html")
* @return the extracted URI filename (e.g. "index.html")
*/
public static String extractFullFilenameFromUrlPath(String urlPath) {
- int end = urlPath.indexOf(';');
+ int end = urlPath.indexOf('?');
if (end == -1) {
- end = urlPath.indexOf('?');
+ end = urlPath.indexOf('#');
if (end == -1) {
end = urlPath.length();
}
}
int begin = urlPath.lastIndexOf('/', end) + 1;
+ int paramIndex = urlPath.indexOf(';', begin);
+ end = (paramIndex != -1 && paramIndex < end ? paramIndex : end);
return urlPath.substring(begin, end);
}
diff --git a/spring-web/src/test/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverterTests.java b/spring-web/src/test/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverterTests.java
index fe54972a71dd..2c3b756ae62e 100644
--- a/spring-web/src/test/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverterTests.java
+++ b/spring-web/src/test/java/org/springframework/http/converter/json/MappingJackson2HttpMessageConverterTests.java
@@ -267,7 +267,7 @@ public void jsonp() throws Exception {
MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
this.converter.writeInternal(jacksonValue, outputMessage);
- assertEquals("callback(\"foo\");", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
+ assertEquals("/**/callback(\"foo\");", outputMessage.getBodyAsString(Charset.forName("UTF-8")));
}
@Test
@@ -284,7 +284,7 @@ public void jsonpAndJsonView() throws Exception {
this.converter.writeInternal(jacksonValue, outputMessage);
String result = outputMessage.getBodyAsString(Charset.forName("UTF-8"));
- assertThat(result, startsWith("callback("));
+ assertThat(result, startsWith("/**/callback("));
assertThat(result, endsWith(");"));
assertThat(result, containsString("\"withView1\":\"with\""));
assertThat(result, not(containsString("\"withView2\":\"with\"")));
diff --git a/spring-web/src/test/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBeanTests.java b/spring-web/src/test/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBeanTests.java
index a093cf3140f9..e9d95c2a13ac 100644
--- a/spring-web/src/test/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBeanTests.java
+++ b/spring-web/src/test/java/org/springframework/web/accept/ContentNegotiationManagerFactoryBeanTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
*/
package org.springframework.web.accept;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
@@ -25,11 +24,13 @@
import org.springframework.http.MediaType;
import org.springframework.mock.web.test.MockHttpServletRequest;
+import org.springframework.mock.web.test.MockServletContext;
+import org.springframework.util.StringUtils;
import org.springframework.web.HttpMediaTypeNotAcceptableException;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.context.request.ServletWebRequest;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
/**
* Test fixture for {@link ContentNegotiationManagerFactoryBean} tests.
@@ -46,7 +47,10 @@ public class ContentNegotiationManagerFactoryBeanTests {
@Before
public void setup() {
- this.servletRequest = new MockHttpServletRequest();
+ TestServletContext servletContext = new TestServletContext();
+ servletContext.getMimeTypes().put("foo", "application/foo");
+
+ this.servletRequest = new MockHttpServletRequest(servletContext);
this.webRequest = new ServletWebRequest(this.servletRequest);
this.factoryBean = new ContentNegotiationManagerFactoryBean();
@@ -62,7 +66,7 @@ public void defaultSettings() throws Exception {
this.servletRequest.setRequestURI("/flower.gif");
assertEquals("Should be able to resolve file extensions by default",
- Arrays.asList(MediaType.IMAGE_GIF), manager.resolveMediaTypes(this.webRequest));
+ Collections.singletonList(MediaType.IMAGE_GIF), manager.resolveMediaTypes(this.webRequest));
this.servletRequest.setRequestURI("/flower.xyz");
@@ -79,26 +83,46 @@ public void defaultSettings() throws Exception {
this.servletRequest.addHeader("Accept", MediaType.IMAGE_GIF_VALUE);
assertEquals("Should resolve Accept header by default",
- Arrays.asList(MediaType.IMAGE_GIF), manager.resolveMediaTypes(this.webRequest));
+ Collections.singletonList(MediaType.IMAGE_GIF), manager.resolveMediaTypes(this.webRequest));
}
@Test
- public void addMediaTypes() throws Exception {
- Map mediaTypes = new HashMap<>();
- mediaTypes.put("json", MediaType.APPLICATION_JSON);
- this.factoryBean.addMediaTypes(mediaTypes);
+ public void favorPath() throws Exception {
+ this.factoryBean.setFavorPathExtension(true);
+ this.factoryBean.addMediaTypes(Collections.singletonMap("bar", new MediaType("application", "bar")));
+ this.factoryBean.afterPropertiesSet();
+ ContentNegotiationManager manager = this.factoryBean.getObject();
+
+ this.servletRequest.setRequestURI("/flower.foo");
+ assertEquals(Collections.singletonList(new MediaType("application", "foo")),
+ manager.resolveMediaTypes(this.webRequest));
+
+ this.servletRequest.setRequestURI("/flower.bar");
+ assertEquals(Collections.singletonList(new MediaType("application", "bar")),
+ manager.resolveMediaTypes(this.webRequest));
+
+ this.servletRequest.setRequestURI("/flower.gif");
+ assertEquals(Collections.singletonList(MediaType.IMAGE_GIF), manager.resolveMediaTypes(this.webRequest));
+ }
+ @Test
+ public void favorPathWithJafTurnedOff() throws Exception {
+ this.factoryBean.setFavorPathExtension(true);
+ this.factoryBean.setUseJaf(false);
this.factoryBean.afterPropertiesSet();
ContentNegotiationManager manager = this.factoryBean.getObject();
- this.servletRequest.setRequestURI("/flower.json");
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ this.servletRequest.setRequestURI("/flower.foo");
+ assertEquals(Collections.emptyList(), manager.resolveMediaTypes(this.webRequest));
+
+ this.servletRequest.setRequestURI("/flower.gif");
+ assertEquals(Collections.emptyList(), manager.resolveMediaTypes(this.webRequest));
}
// SPR-10170
@Test(expected = HttpMediaTypeNotAcceptableException.class)
- public void favorPathExtensionWithUnknownMediaType() throws Exception {
+ public void favorPathWithIgnoreUnknownPathExtensionTurnedOff() throws Exception {
this.factoryBean.setFavorPathExtension(true);
this.factoryBean.setIgnoreUnknownPathExtensions(false);
this.factoryBean.afterPropertiesSet();
@@ -124,7 +148,8 @@ public void favorParameter() throws Exception {
this.servletRequest.setRequestURI("/flower");
this.servletRequest.addParameter("format", "json");
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ assertEquals(Collections.singletonList(MediaType.APPLICATION_JSON),
+ manager.resolveMediaTypes(this.webRequest));
}
// SPR-10170
@@ -159,26 +184,48 @@ public void setDefaultContentType() throws Exception {
this.factoryBean.afterPropertiesSet();
ContentNegotiationManager manager = this.factoryBean.getObject();
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ assertEquals(Collections.singletonList(MediaType.APPLICATION_JSON),
+ manager.resolveMediaTypes(this.webRequest));
// SPR-10513
this.servletRequest.addHeader("Accept", MediaType.ALL_VALUE);
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ assertEquals(Collections.singletonList(MediaType.APPLICATION_JSON),
+ manager.resolveMediaTypes(this.webRequest));
}
// SPR-12286
+
@Test
public void setDefaultContentTypeWithStrategy() throws Exception {
this.factoryBean.setDefaultContentTypeStrategy(new FixedContentNegotiationStrategy(MediaType.APPLICATION_JSON));
this.factoryBean.afterPropertiesSet();
ContentNegotiationManager manager = this.factoryBean.getObject();
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ assertEquals(Collections.singletonList(MediaType.APPLICATION_JSON),
+ manager.resolveMediaTypes(this.webRequest));
this.servletRequest.addHeader("Accept", MediaType.ALL_VALUE);
- assertEquals(Arrays.asList(MediaType.APPLICATION_JSON), manager.resolveMediaTypes(this.webRequest));
+ assertEquals(Collections.singletonList(MediaType.APPLICATION_JSON),
+ manager.resolveMediaTypes(this.webRequest));
+ }
+
+
+ private static class TestServletContext extends MockServletContext {
+
+ private final Map mimeTypes = new HashMap<>();
+
+
+ public Map getMimeTypes() {
+ return this.mimeTypes;
+ }
+
+ @Override
+ public String getMimeType(String filePath) {
+ String extension = StringUtils.getFilenameExtension(filePath);
+ return getMimeTypes().get(extension);
+ }
}
}
diff --git a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
index 97c285219830..ea662533e69d 100644
--- a/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
+++ b/spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java
@@ -70,9 +70,17 @@ public void extractFullFilenameFromUrlPath() {
assertEquals("index.html", WebUtils.extractFullFilenameFromUrlPath("index.html"));
assertEquals("index.html", WebUtils.extractFullFilenameFromUrlPath("/index.html"));
assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/a"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/path/a"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html#/path/a.do"));
assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=a"));
assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a"));
assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a.do"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a#/path/a"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products/view.html?param=/path/a.do#/path/a.do"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html?param=/path/a.do"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html;r=22?param=/path/a.do"));
+ assertEquals("view.html", WebUtils.extractFullFilenameFromUrlPath("/products;q=11/view.html;r=22;s=33?param=/path/a.do"));
}
@Test
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
index a8d983d38592..85f1e6996e08 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractJsonpResponseBodyAdvice.java
@@ -16,8 +16,12 @@
package org.springframework.web.servlet.mvc.method.annotation;
+import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.json.MappingJacksonValue;
@@ -44,6 +48,14 @@
*/
public abstract class AbstractJsonpResponseBodyAdvice extends AbstractMappingJacksonResponseBodyAdvice {
+ /**
+ * Pattern for validating jsonp callback parameter values.
+ */
+ private static final Pattern CALLBACK_PARAM_PATTERN = Pattern.compile("[0-9A-Za-z_\\.]*");
+
+
+ private final Log logger = LogFactory.getLog(getClass());
+
private final String[] jsonpQueryParamNames;
@@ -62,14 +74,31 @@ protected void beforeBodyWriteInternal(MappingJacksonValue bodyContainer, MediaT
for (String name : this.jsonpQueryParamNames) {
String value = servletRequest.getParameter(name);
if (value != null) {
+ if (!isValidJsonpQueryParam(value)) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Ignoring invalid jsonp parameter value: " + value);
+ }
+ continue;
+ }
MediaType contentTypeToUse = getContentType(contentType, request, response);
response.getHeaders().setContentType(contentTypeToUse);
bodyContainer.setJsonpFunction(value);
- return;
+ break;
}
}
}
+ /**
+ * Validate the jsonp query parameter value. The default implementation
+ * returns true if it consists of digits, letters, or "_" and ".".
+ * Invalid parameter values are ignored.
+ * @param value the query param value, never {@code null}
+ * @since 4.1.8
+ */
+ protected boolean isValidJsonpQueryParam(String value) {
+ return CALLBACK_PARAM_PATTERN.matcher(value).matches();
+ }
+
/**
* Return the content type to set the response to.
* This implementation always returns "application/javascript".
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
index d912e1cc84af..4eca2d77cb1a 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/AbstractMessageConverterMethodProcessor.java
@@ -18,26 +18,32 @@
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
+import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
+import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.MethodParameter;
+import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
import org.springframework.web.HttpMediaTypeNotAcceptableException;
import org.springframework.web.accept.ContentNegotiationManager;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.servlet.HandlerMapping;
+import org.springframework.web.util.UrlPathHelper;
/**
* Extends {@link AbstractMessageConverterMethodArgumentResolver} with the ability to handle
@@ -52,10 +58,26 @@ public abstract class AbstractMessageConverterMethodProcessor extends AbstractMe
private static final MediaType MEDIA_TYPE_APPLICATION = new MediaType("application");
+ private static final UrlPathHelper RAW_URL_PATH_HELPER = new UrlPathHelper();
+
+ private static final UrlPathHelper DECODING_URL_PATH_HELPER = new UrlPathHelper();
+
+ static {
+ RAW_URL_PATH_HELPER.setRemoveSemicolonContent(false);
+ RAW_URL_PATH_HELPER.setUrlDecode(false);
+ }
+
+ /* Extensions associated with the built-in message converters */
+ private static final Set WHITELISTED_EXTENSIONS = new HashSet(Arrays.asList(
+ "txt", "text", "json", "xml", "atom", "rss", "png", "jpe", "jpeg", "jpg", "gif", "wbmp", "bmp"));
+
+
private final ContentNegotiationManager contentNegotiationManager;
private final ResponseBodyAdviceChain adviceChain;
+ private final Set safeExtensions = new HashSet();
+
protected AbstractMessageConverterMethodProcessor(List> messageConverters) {
this(messageConverters, null);
@@ -72,6 +94,8 @@ protected AbstractMessageConverterMethodProcessor(List>
super(messageConverters);
this.contentNegotiationManager = (manager != null ? manager : new ContentNegotiationManager());
this.adviceChain = new ResponseBodyAdviceChain(responseBodyAdvice);
+ this.safeExtensions.addAll(this.contentNegotiationManager.getAllFileExtensions());
+ this.safeExtensions.addAll(WHITELISTED_EXTENSIONS);
}
@@ -158,6 +182,7 @@ else if (mediaType.equals(MediaType.ALL) || mediaType.equals(MEDIA_TYPE_APPLICAT
returnValue = this.adviceChain.invoke(returnValue, returnType, selectedMediaType,
(Class>) messageConverter.getClass(), inputMessage, outputMessage);
if (returnValue != null) {
+ addContentDispositionHeader(inputMessage, outputMessage);
((HttpMessageConverter) messageConverter).write(returnValue, selectedMediaType, outputMessage);
if (logger.isDebugEnabled()) {
logger.debug("Written [" + returnValue + "] as \"" + selectedMediaType + "\" using [" +
@@ -226,4 +251,48 @@ private MediaType getMostSpecificMediaType(MediaType acceptType, MediaType produ
return (MediaType.SPECIFICITY_COMPARATOR.compare(acceptType, produceTypeToUse) <= 0 ? acceptType : produceTypeToUse);
}
+ /**
+ * Check if the path has a file extension and whether the extension is either
+ * {@link #WHITELISTED_EXTENSIONS whitelisted} or
+ * {@link ContentNegotiationManager#getAllFileExtensions() explicitly
+ * registered}. If not add a 'Content-Disposition' header with a safe
+ * attachment file name ("f.txt") to prevent RFD exploits.
+ */
+ private void addContentDispositionHeader(ServletServerHttpRequest request,
+ ServletServerHttpResponse response) {
+
+ HttpHeaders headers = response.getHeaders();
+ if (headers.containsKey(HttpHeaders.CONTENT_DISPOSITION)) {
+ return;
+ }
+
+ HttpServletRequest servletRequest = request.getServletRequest();
+ String requestUri = RAW_URL_PATH_HELPER.getOriginatingRequestUri(servletRequest);
+
+ int index = requestUri.lastIndexOf('/') + 1;
+ String filename = requestUri.substring(index);
+ String pathParams = "";
+
+ index = filename.indexOf(';');
+ if (index != -1) {
+ pathParams = filename.substring(index);
+ filename = filename.substring(0, index);
+ }
+
+ filename = DECODING_URL_PATH_HELPER.decodeRequestString(servletRequest, filename);
+ String ext = StringUtils.getFilenameExtension(filename);
+
+ pathParams = DECODING_URL_PATH_HELPER.decodeRequestString(servletRequest, pathParams);
+ String extInPathParams = StringUtils.getFilenameExtension(pathParams);
+
+ if (!isSafeExtension(ext) || !isSafeExtension(extInPathParams)) {
+ headers.add(HttpHeaders.CONTENT_DISPOSITION, "attachment;filename=f.txt");
+ }
+ }
+
+ private boolean isSafeExtension(String extension) {
+ return (!StringUtils.hasText(extension) ||
+ this.safeExtensions.contains(extension.toLowerCase(Locale.ENGLISH)));
+ }
+
}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
index 89e5a5c5f0eb..31c76c149676 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/view/json/MappingJackson2JsonView.java
@@ -23,6 +23,7 @@
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
+import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -69,6 +70,12 @@ public class MappingJackson2JsonView extends AbstractJackson2View {
*/
public static final String DEFAULT_JSONP_CONTENT_TYPE = "application/javascript";
+ /**
+ * Pattern for validating jsonp callback parameter values.
+ */
+ private static final Pattern CALLBACK_PARAM_PATTERN = Pattern.compile("[0-9A-Za-z_\\.]*");
+
+
private String jsonPrefix;
private Set modelKeys;
@@ -179,14 +186,32 @@ private String getJsonpParameterValue(HttpServletRequest request) {
if (this.jsonpParameterNames != null) {
for (String name : this.jsonpParameterNames) {
String value = request.getParameter(name);
- if (!StringUtils.isEmpty(value)) {
- return value;
+ if (StringUtils.isEmpty(value)) {
+ continue;
+ }
+ if (!isValidJsonpQueryParam(value)) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Ignoring invalid jsonp parameter value: " + value);
+ }
+ continue;
}
+ return value;
}
}
return null;
}
+ /**
+ * Validate the jsonp query parameter value. The default implementation
+ * returns true if it consists of digits, letters, or "_" and ".".
+ * Invalid parameter values are ignored.
+ * @param value the query param value, never {@code null}
+ * @since 4.1.8
+ */
+ protected boolean isValidJsonpQueryParam(String value) {
+ return CALLBACK_PARAM_PATTERN.matcher(value).matches();
+ }
+
/**
* Filter out undesired attributes from the given model.
* The return value can be either another {@link Map} or a single value object.
@@ -236,6 +261,7 @@ protected void writePrefix(JsonGenerator generator, Object object) throws IOExce
jsonpFunction = ((MappingJacksonValue) object).getJsonpFunction();
}
if (jsonpFunction != null) {
+ generator.writeRaw("/**/");
generator.writeRaw(jsonpFunction + "(" );
}
}
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerAdapterTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerAdapterTests.java
index dde3afccae94..1398a4b61220 100644
--- a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerAdapterTests.java
+++ b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerAdapterTests.java
@@ -19,6 +19,7 @@
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
@@ -128,7 +129,7 @@ public void setAlwaysUseRedirectAttributes() throws Exception {
HandlerMethodReturnValueHandler viewHandler = new ViewNameMethodReturnValueHandler();
this.handlerAdapter.setArgumentResolvers(Arrays.asList(redirectAttributesResolver, modelResolver));
- this.handlerAdapter.setReturnValueHandlers(Arrays.asList(viewHandler));
+ this.handlerAdapter.setReturnValueHandlers(Collections.singletonList(viewHandler));
this.handlerAdapter.setIgnoreDefaultModelOnRedirect(true);
this.handlerAdapter.afterPropertiesSet();
@@ -143,7 +144,7 @@ public void setAlwaysUseRedirectAttributes() throws Exception {
@Test
public void setCustomArgumentResolvers() throws Exception {
HandlerMethodArgumentResolver resolver = new ServletRequestMethodArgumentResolver();
- this.handlerAdapter.setCustomArgumentResolvers(Arrays.asList(resolver));
+ this.handlerAdapter.setCustomArgumentResolvers(Collections.singletonList(resolver));
this.handlerAdapter.afterPropertiesSet();
assertTrue(this.handlerAdapter.getArgumentResolvers().contains(resolver));
@@ -153,7 +154,7 @@ public void setCustomArgumentResolvers() throws Exception {
@Test
public void setArgumentResolvers() throws Exception {
HandlerMethodArgumentResolver resolver = new ServletRequestMethodArgumentResolver();
- this.handlerAdapter.setArgumentResolvers(Arrays.asList(resolver));
+ this.handlerAdapter.setArgumentResolvers(Collections.singletonList(resolver));
this.handlerAdapter.afterPropertiesSet();
assertMethodProcessorCount(1, INIT_BINDER_RESOLVER_COUNT, HANDLER_COUNT);
@@ -162,7 +163,7 @@ public void setArgumentResolvers() throws Exception {
@Test
public void setInitBinderArgumentResolvers() throws Exception {
HandlerMethodArgumentResolver resolver = new ServletRequestMethodArgumentResolver();
- this.handlerAdapter.setInitBinderArgumentResolvers(Arrays.asList(resolver));
+ this.handlerAdapter.setInitBinderArgumentResolvers(Collections.singletonList(resolver));
this.handlerAdapter.afterPropertiesSet();
assertMethodProcessorCount(RESOLVER_COUNT, 1, HANDLER_COUNT);
@@ -171,7 +172,7 @@ public void setInitBinderArgumentResolvers() throws Exception {
@Test
public void setCustomReturnValueHandlers() {
HandlerMethodReturnValueHandler handler = new ViewNameMethodReturnValueHandler();
- this.handlerAdapter.setCustomReturnValueHandlers(Arrays.asList(handler));
+ this.handlerAdapter.setCustomReturnValueHandlers(Collections.singletonList(handler));
this.handlerAdapter.afterPropertiesSet();
assertTrue(this.handlerAdapter.getReturnValueHandlers().contains(handler));
@@ -181,7 +182,7 @@ public void setCustomReturnValueHandlers() {
@Test
public void setReturnValueHandlers() {
HandlerMethodReturnValueHandler handler = new ModelMethodProcessor();
- this.handlerAdapter.setReturnValueHandlers(Arrays.asList(handler));
+ this.handlerAdapter.setReturnValueHandlers(Collections.singletonList(handler));
this.handlerAdapter.afterPropertiesSet();
assertMethodProcessorCount(RESOLVER_COUNT, INIT_BINDER_RESOLVER_COUNT, 1);
@@ -240,18 +241,36 @@ public void responseBodyAdvice() throws Exception {
this.handlerAdapter.setMessageConverters(converters);
this.webAppContext.registerSingleton("rba", ResponseCodeSuppressingAdvice.class);
- this.webAppContext.registerSingleton("ja", JsonpAdvice.class);
this.webAppContext.refresh();
this.request.addHeader("Accept", MediaType.APPLICATION_JSON_VALUE);
this.request.setParameter("c", "callback");
- HandlerMethod handlerMethod = handlerMethod(new SimpleController(), "handleWithResponseEntity");
+ HandlerMethod handlerMethod = handlerMethod(new SimpleController(), "handleBadRequest");
this.handlerAdapter.afterPropertiesSet();
this.handlerAdapter.handle(this.request, this.response, handlerMethod);
assertEquals(200, this.response.getStatus());
- assertEquals("callback({\"status\":400,\"message\":\"body\"});", this.response.getContentAsString());
+ assertEquals("{\"status\":400,\"message\":\"body\"}", this.response.getContentAsString());
+ }
+
+ @Test
+ public void jsonpResponseBodyAdvice() throws Exception {
+
+ List> converters = new ArrayList<>();
+ converters.add(new MappingJackson2HttpMessageConverter());
+ this.handlerAdapter.setMessageConverters(converters);
+
+ this.webAppContext.registerSingleton("jsonpAdvice", JsonpAdvice.class);
+ this.webAppContext.refresh();
+
+ testJsonp("callback", true);
+ testJsonp("_callback", true);
+ testJsonp("_Call.bAcK", true);
+ testJsonp("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.", true);
+
+ testJsonp("