1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34 package info.magnolia.cms.filters;
35
36 import info.magnolia.cms.beans.config.MIMEMapping;
37 import info.magnolia.cms.beans.config.ServerConfiguration;
38 import info.magnolia.cms.core.AggregationState;
39 import info.magnolia.cms.util.ServletUtil;
40 import info.magnolia.context.MgnlContext;
41 import info.magnolia.util.EscapeUtil;
42
43 import java.io.IOException;
44 import java.io.UnsupportedEncodingException;
45 import java.net.URI;
46 import java.net.URLDecoder;
47
48 import javax.inject.Inject;
49 import javax.servlet.FilterChain;
50 import javax.servlet.ServletException;
51 import javax.servlet.http.HttpServletRequest;
52 import javax.servlet.http.HttpServletResponse;
53
54 import org.apache.commons.lang3.StringUtils;
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70 public class ContentTypeFilter extends AbstractMgnlFilter {
71
72 private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(ContentTypeFilter.class);
73
74 private boolean sanitizeXssUri = true;
75
76
77
78
79 private static final String AGGREGATION_STATE_INITIALIZED = ContentTypeFilter.class.getName() + ".aggregationStateInitialized";
80
81 private boolean registeredExtensionsOnly = false;
82 private boolean validateContentType = false;
83
84 private ServerConfiguration serverConfiguration;
85
86
87
88
89 @Deprecated
90 public ContentTypeFilter() {
91 }
92
93 @Inject
94 public ContentTypeFilter(ServerConfiguration serverConfiguration) {
95 this.serverConfiguration = serverConfiguration;
96 }
97
98
99 @Override
100 public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
101
102
103
104 if (request.getAttribute(AGGREGATION_STATE_INITIALIZED) != null) {
105 MgnlContext.resetAggregationState();
106 } else {
107 request.setAttribute(AGGREGATION_STATE_INITIALIZED, Boolean.TRUE);
108 }
109
110 final String originalUri = ServletUtil.getOriginalRequestURI(request);
111 final String originalUrl = ServletUtil.getOriginalRequestURLIncludingQueryString(request);
112 final String extension = getUriExtension(originalUri);
113 final String mimeType = getMimeType(extension, response);
114 if (isRegisteredExtensionsOnly() && mimeType == null && !response.isCommitted()) {
115 response.sendError(HttpServletResponse.SC_BAD_REQUEST, String.format("Unsupported extension=%1$s.", extension));
116 return;
117 }
118 final String characterEncoding = setupCharacterEncoding(mimeType, request, response);
119 final AggregationState aggregationState = MgnlContext.getAggregationState();
120 aggregationState.setCharacterEncoding(characterEncoding);
121
122 final String decodedOriginalUri = decodeUri(originalUri, characterEncoding);
123 aggregationState.setOriginalURI(decodedOriginalUri);
124
125 try {
126 final String decodedOriginalUrl = decodeUri(originalUrl, characterEncoding);
127 aggregationState.setOriginalURL(decodedOriginalUrl);
128 } catch (IllegalArgumentException e) {
129
130 if (!response.isCommitted()) {
131 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "URL is malformed (not encoded properly).");
132 }
133
134 return;
135 }
136 aggregationState.setOriginalBrowserURI(originalUri);
137 aggregationState.setOriginalBrowserURL(originalUrl);
138 final String requestURI = URI.create(ServletUtil.getRequestUri(request)).normalize().getRawPath();
139 final String currentURI = decodeUri(requestURI, characterEncoding);
140 aggregationState.setCurrentURI(currentURI);
141 aggregationState.setExtension(extension);
142 aggregationState.setQueryString(request.getQueryString());
143
144 if (isValidateContentType()) {
145 ContentTypeCheckingResponseWrapper resWrapper = new ContentTypeCheckingResponseWrapper(response, extension);
146 chain.doFilter(request, resWrapper);
147 } else {
148 chain.doFilter(request, response);
149 }
150 if (response.getContentType() == null) {
151 response.setContentType(mimeType);
152 }
153 }
154
155 protected String getUriExtension(String uri) {
156 final String fileName = StringUtils.substringAfterLast(uri, "/");
157 return StringUtils.substringAfterLast(fileName, ".");
158 }
159
160 protected String getMimeType(String extension, HttpServletResponse response) {
161 final String mimeType;
162
163 if (isRegisteredExtensionsOnly()) {
164 if (StringUtils.isBlank(extension)) {
165 extension = serverConfiguration.getDefaultExtension();
166 if (StringUtils.isBlank(extension)) {
167 extension = MIMEMapping.DEFAULT_EXTENSION;
168 }
169 }
170 mimeType = MIMEMapping.getMIMEType(extension);
171 if (mimeType == null) {
172 return null;
173 }
174 } else {
175 mimeType = MIMEMapping.getMIMETypeOrDefault(extension);
176 }
177
178 return mimeType;
179 }
180
181 protected String setupCharacterEncoding(String mimeType, HttpServletRequest request, HttpServletResponse response) {
182 final String characterEncoding = MIMEMapping.getContentEncodingOrDefault(mimeType);
183
184 try {
185
186 if (request.getCharacterEncoding() == null) {
187 request.setCharacterEncoding(characterEncoding);
188 }
189 } catch (UnsupportedEncodingException e) {
190 log.error("Can't set character encoding for the request (mimetype={})", mimeType, e);
191 }
192
193 response.setCharacterEncoding(characterEncoding);
194
195 return characterEncoding;
196 }
197
198
199
200
201
202
203 private String sanitizeXss(String uri) {
204 final String afterLastDot = StringUtils.substringAfterLast(uri, ".");
205 if (StringUtils.isNotEmpty(afterLastDot)) {
206 final String xssEscapedAfterLastDot = EscapeUtil.escapeXss(afterLastDot);
207 final String sanitizedXssUri = StringUtils.removeEnd(uri, afterLastDot).concat(xssEscapedAfterLastDot);
208 return sanitizedXssUri;
209 }
210
211 return uri;
212 }
213
214
215
216
217 private String decodeUri(String uri, String characterEncoding) throws UnsupportedEncodingException {
218 final String decodedUri = URLDecoder.decode(uri, characterEncoding);
219 return isSanitizeXssUri() ? sanitizeXss(decodedUri) : decodedUri;
220 }
221
222 public boolean isSanitizeXssUri() {
223 return sanitizeXssUri;
224 }
225
226 public void setSanitizeXssUri(boolean sanitizeXssUri) {
227 this.sanitizeXssUri = sanitizeXssUri;
228 }
229
230 public boolean isRegisteredExtensionsOnly() {
231 return registeredExtensionsOnly;
232 }
233
234 public void setRegisteredExtensionsOnly(boolean registeredExtensionsOnly) {
235 this.registeredExtensionsOnly = registeredExtensionsOnly;
236 }
237
238 public boolean isValidateContentType() {
239 return validateContentType;
240 }
241
242 public void setValidateContentType(boolean validateContentType) {
243 this.validateContentType = validateContentType;
244 }
245
246
247
248
249 @Deprecated
250 protected String setupContentTypeAndCharacterEncoding(String extension, HttpServletRequest request, HttpServletResponse response) {
251 final String mimeType = setupContentType(extension, response);
252 return setupCharacterEncoding(mimeType, request, response);
253 }
254
255
256
257
258 @Deprecated
259 protected String setupContentType(String extension, HttpServletResponse response) {
260 return getMimeType(extension, response);
261 }
262 }