Author: ron.sigal(a)jboss.com
Date: 2009-08-31 22:52:51 -0400 (Mon, 31 Aug 2009)
New Revision: 5411
Modified:
remoting2/branches/2.x/src/main/org/jboss/remoting/transport/coyote/CoyoteInvoker.java
Log:
JBREM-1101: Checks that application supplied content-type doesn't have LF or CR.
Modified:
remoting2/branches/2.x/src/main/org/jboss/remoting/transport/coyote/CoyoteInvoker.java
===================================================================
---
remoting2/branches/2.x/src/main/org/jboss/remoting/transport/coyote/CoyoteInvoker.java 2009-08-31
21:43:58 UTC (rev 5410)
+++
remoting2/branches/2.x/src/main/org/jboss/remoting/transport/coyote/CoyoteInvoker.java 2009-09-01
02:52:51 UTC (rev 5411)
@@ -509,10 +509,42 @@
case Version.VERSION_2_2:
{
String responseContentType = (String)
response.get("Content-Type");
- if(responseContentType == null)
+ if (responseContentType != null)
{
- responseContentType = responseObject == null ? req.getContentType() :
WebUtil.getContentType(responseObject);
+ if (isInvalidContentType(responseContentType))
+ {
+ log.warn("Ignoring invalid content-type from
ServerInvocationHandler: " + responseContentType);
+ if (responseObject == null)
+ {
+ responseContentType = req.getContentType();
+ if (isInvalidContentType(responseContentType))
+ {
+ log.warn("Ignoring invalid content-type from request: "
+ responseContentType);
+ responseContentType = WebUtil.getContentType(responseObject);
+ }
+ }
+ else
+ {
+ responseContentType = WebUtil.getContentType(responseObject);
+ }
+ }
}
+ else
+ {
+ if (responseObject == null)
+ {
+ responseContentType = req.getContentType();
+ if (isInvalidContentType(responseContentType))
+ {
+ log.warn("Ignoring invalid content-type from request: " +
responseContentType);
+ responseContentType = WebUtil.getContentType(responseObject);
+ }
+ }
+ else
+ {
+ responseContentType = WebUtil.getContentType(responseObject);
+ }
+ }
res.setContentType(responseContentType);
if (responseObject instanceof String)
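Review bot: The three `log.warn` calls in this hunk append the rejected content-type to the message unescaped, and a value only reaches them because it contains CR or LF, so the string that was kept out of the response header can still split a log entry into forged lines. Neutralise it before logging, e.g. `log.warn("Ignoring invalid content-type from ServerInvocationHandler: " + responseContentType.replaceAll("[\r\n]", "_"));`, and do the same for the two "from request" warnings. The request fallback is also written out twice, once under the rejected handler value and once in the `else` branch; a small private helper would keep the two copies from drifting apart. The enclosing switch and method lie outside the hunk.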
@@ -1168,6 +1200,11 @@
return true;
}
+ static private boolean isInvalidContentType(String contentType)
+ {
+ return contentType.indexOf('\n') + contentType.indexOf('\r') >
-2;
+ }
+
static private Object forName(final String className) throws ClassNotFoundException
{
if (SecurityUtility.skipAccessControl())
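Review bot: `isInvalidContentType` dereferences its argument without a null check, and the new callers in the first hunk pass it `req.getContentType()` directly. If that can return null for a request without a Content-Type header (not visible here), this path now throws a NullPointerException where the old code just passed the value on to `res.setContentType`. The sum-of-indexes test is correct but hard to read, since it relies on `indexOf` returning -1 twice to reach -2. I would write `return contentType != null && (contentType.indexOf('\r') >= 0 || contentType.indexOf('\n') >= 0);` and add a one-line comment saying CR and LF are rejected because the value is written into the response's Content-Type header.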