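/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.activemq.util;

import java.io.IOException;
import java.nio.file.FileSystems;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


/**
 * Servlet filter that wraps every {@link HttpServletRequest} so that the
 * path-like values it exposes ({@code getPathInfo()}, {@code getPathTranslated()},
 * {@code getRequestURI()} and the {@code Destination} parameter) are rewritten
 * before downstream filters and servlets read them.
 *
 * <p>The rewrite replaces every {@code ':'} with {@code '_'} and then applies
 * {@link java.nio.file.Path#normalize()}. This is a lexical clean-up only: it
 * does not resolve the value against a base directory, so it is not a
 * containment check. Code that turns these values into file-system locations
 * must still verify that the resolved path stays inside its permitted root.
 *
 * <p>NOTE(review): only the four accessors overridden below are guarded.
 * Values read through {@code getHeader}, {@code getParameterValues},
 * {@code getParameterMap}, {@code getServletPath} or {@code getRequestURL}
 * reach downstream code unmodified; confirm that no consumer takes file names
 * from those.
 */
public class FilenameGuardFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(FilenameGuardFilter.class);

    @Override
    public void destroy() {
        // nothing to destroy
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to init
    }

    /**
     * Passes the request down the chain, substituting a guarded wrapper when
     * the request is an HTTP request. Non-HTTP requests are forwarded as-is.
     *
     * @param request  the incoming request
     * @param response the response, forwarded unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      if a downstream filter or servlet fails with an I/O error
     * @throws ServletException if a downstream filter or servlet fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            chain.doFilter(new GuardedHttpServletRequest(httpRequest), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Request wrapper whose path-related accessors return guarded values.
     */
    private static class GuardedHttpServletRequest extends HttpServletRequestWrapper {

        public GuardedHttpServletRequest(HttpServletRequest httpRequest) {
            super(httpRequest);
        }

        /**
         * Rewrites a path-like string: {@code ':'} becomes {@code '_'} and the
         * result is normalized by the default file system.
         *
         * <p>{@code normalize()} removes {@code "."} elements and
         * {@code "name/.."} pairs, but a {@code ".."} with no preceding name in a
         * relative path is kept, and the returned string uses the default file
         * system's separator. Callers must not treat the result as confined to
         * any directory.
         *
         * @param filename the raw value from the wrapped request, may be {@code null}
         * @return the rewritten value, or {@code null} when {@code filename} is {@code null}
         * @throws java.nio.file.InvalidPathException if the default file system
         *         rejects the string; this propagates so the request fails
         *         instead of continuing with an unguarded value
         */
        private String guard(String filename) {
            // The servlet API returns null for an absent parameter and for
            // missing path info; pass that through instead of failing with a
            // NullPointerException on every such request.
            if (filename == null) {
                return null;
            }
            String guarded = filename.replace(":", "_");
            guarded = FileSystems.getDefault().getPath(guarded).normalize().toString();
            // Request-supplied text is logged verbatim here (debug level only).
            LOG.debug("guarded {} to {}", filename, guarded);
            return guarded;
        }

        /**
         * Returns the named parameter, guarded when the name is exactly
         * {@code "Destination"}; all other parameters are returned unchanged.
         */
        @Override
        public String getParameter(String name) {
            // Constant-first comparison so a null name is delegated instead of throwing.
            if ("Destination".equals(name)) {
                return guard(super.getParameter(name));
            }
            return super.getParameter(name);
        }

        /** Returns the guarded extra path information, or {@code null} if there is none. */
        @Override
        public String getPathInfo() {
            return guard(super.getPathInfo());
        }

        /** Returns the guarded translated path, or {@code null} if there is none. */
        @Override
        public String getPathTranslated() {
            return guard(super.getPathTranslated());
        }

        /**
         * Returns the guarded request URI.
         *
         * <p>The container hands this value over without URL-decoding it, so
         * percent-encoded characters are not touched by {@code guard}. Consumers
         * that decode the URI must validate the decoded form themselves.
         */
        @Override
        public String getRequestURI() {
            return guard(super.getRequestURI());
        }
    }
}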