Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-12 16:35:45 +01:00
Code Issues Packages Projects Releases Activity

merge with branch issue-320

Browse Source
This commit is contained in:
Sebastian Sdorra
2013-02-04 15:53:46 +01:00
parent c22fc85b7a 5ca6931b72
commit 8979ff837a
3 changed files with 141 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java
View File

@@ -74,6 +74,7 @@ import sonia.scm.repository.api.RepositoryServiceFactory;
import sonia.scm.security.RepositoryPermission;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util;
//~--- JDK imports ------------------------------------------------------------
@@ -509,6 +510,7 @@ public class RepositoryResource
{
builder.setPath(path);
}
//J-
builder.setDisableLastCommit(disableLastCommit)
.setDisableSubRepositoryDetection(disableSubRepositoryDetection)
@@ -791,6 +793,12 @@ public class RepositoryResource
output = new BrowserStreamingOutput(service, builder, path);
/**
* protection for crlf injection
* see https://bitbucket.org/sdorra/scm-manager/issue/320/crlf-injection-vulnerability-in-diff-api
*/
path = HttpUtil.removeCRLFInjectionChars(path);
String contentDispositionName = getContentDispositionNameFromPath(path);
response = Response.ok(output).header("Content-Disposition",
@@ -846,6 +854,12 @@ public class RepositoryResource
AssertUtil.assertIsNotEmpty(id);
AssertUtil.assertIsNotEmpty(revision);
/**
* check for a crlf injection attack
* see https://bitbucket.org/sdorra/scm-manager/issue/320/crlf-injection-vulnerability-in-diff-api
*/
HttpUtil.checkForCRLFInjection(revision);
RepositoryService service = null;
Response response = null;