package com.xpn.xwiki.web; |
21 |
|
|
22 |
|
import java.io.IOException; |
23 |
|
import java.io.InputStream; |
24 |
|
import java.nio.charset.IllegalCharsetNameException; |
25 |
|
import java.util.ArrayList; |
26 |
|
import java.util.Arrays; |
27 |
|
import java.util.Collections; |
28 |
|
import java.util.HashMap; |
29 |
|
import java.util.List; |
30 |
|
import java.util.Map; |
31 |
|
import java.util.regex.Matcher; |
32 |
|
import java.util.regex.Pattern; |
33 |
|
|
34 |
|
import javax.servlet.http.HttpServletResponse; |
35 |
|
|
36 |
|
import org.apache.commons.io.IOUtils; |
37 |
|
import org.apache.commons.io.input.BoundedInputStream; |
38 |
|
import org.apache.commons.lang3.StringUtils; |
39 |
|
import org.apache.commons.lang3.math.NumberUtils; |
40 |
|
import org.apache.commons.lang3.tuple.ImmutablePair; |
41 |
|
import org.apache.commons.lang3.tuple.Pair; |
42 |
|
import org.xwiki.configuration.ConfigurationSource; |
43 |
|
import org.xwiki.context.Execution; |
44 |
|
import org.xwiki.context.ExecutionContext; |
45 |
|
import org.xwiki.model.EntityType; |
46 |
|
import org.xwiki.model.reference.DocumentReference; |
47 |
|
import org.xwiki.model.reference.EntityReference; |
48 |
|
import org.xwiki.resource.ResourceReference; |
49 |
|
import org.xwiki.resource.ResourceReferenceManager; |
50 |
|
import org.xwiki.resource.entity.EntityResourceReference; |
51 |
|
|
52 |
|
import com.xpn.xwiki.XWiki; |
53 |
|
import com.xpn.xwiki.XWikiContext; |
54 |
|
import com.xpn.xwiki.XWikiException; |
55 |
|
import com.xpn.xwiki.doc.XWikiAttachment; |
56 |
|
import com.xpn.xwiki.doc.XWikiDocument; |
57 |
|
import com.xpn.xwiki.plugin.XWikiPluginManager; |
58 |
|
import com.xpn.xwiki.util.Util; |
59 |
|
|
60 |
|
|
61 |
|
|
62 |
|
|
63 |
|
@version |
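/**
 * Serves the content of a document attachment over HTTP. Handles conditional requests
 * ({@code If-Modified-Since}), single byte-range requests ({@code Range: bytes=...}) and decides whether the
 * browser may render the file inline or must save it.
 */
public class DownloadAction extends XWikiAction
{
    /** The identifier of the download action, also used to locate the action segment in legacy URLs. */
    public static final String ACTION_NAME = "download";

    /** Content-Disposition type that tells the browser to save the file instead of rendering it. */
    public static final String ATTACHMENT = "attachment";

    /**
     * Default list of media types that may be served with an {@code inline} Content-Disposition when the
     * configuration does not define {@link #WHITELIST_PROPERTY}.
     * <p>
     * NOTE(review): {@code image/svg+xml} and {@code text/xml} are document formats that a browser can treat as
     * active content when it opens them inline from the wiki's own origin. Deployments that accept uploads from
     * untrusted users should consider overriding this list through {@link #WHITELIST_PROPERTY}.
     */
    public static final List<String> MIMETYPE_WHITELIST =
        Arrays.asList("audio/basic", "audio/L24", "audio/mp4", "audio/mpeg", "audio/ogg", "audio/vorbis",
            "audio/vnd.rn-realaudio", "audio/vnd.wave", "audio/webm", "image/gif", "image/jpeg", "image/pjpeg",
            "image/png", "image/svg+xml", "image/tiff", "text/csv", "text/plain", "text/xml", "text/rtf",
            "video/mpeg", "video/ogg", "video/quicktime", "video/webm", "video/x-matroska", "video/x-ms-wmv",
            "video/x-flv");

    /** Configuration key holding the media types allowed to be displayed inline. */
    public static final String WHITELIST_PROPERTY = "attachment.download.whitelist";

    /** Configuration key holding the media types that must never be displayed inline. */
    public static final String BLACKLIST_PROPERTY = "attachment.download.blacklist";

    /** The URL path separator. */
    private static final String SEPARATOR = "/";

    /** The name of the HTTP header that carries a byte-range request. */
    private static final String RANGE_HEADER_NAME = "Range";

    /** Matches a single byte range: {@code bytes=<start>-<end>}, where either bound may be omitted. */
    private static final Pattern RANGE_HEADER_PATTERN = Pattern.compile("bytes=([0-9]+)?-([0-9]+)?");

    /**
     * Default constructor. Sets the inherited {@code handleRedirectObject} flag.
     */
    public DownloadAction()
    {
        this.handleRedirectObject = true;
    }

    /**
     * Locates the requested attachment and writes it (or a 304 / 206 / 416 status) to the response.
     *
     * @param context the current request context
     * @return always {@code null}: the response is written directly by this action
     * @throws XWikiException if the attachment or its content cannot be found, or the response cannot be sent
     */
    @Override
    public String render(XWikiContext context) throws XWikiException
    {
        XWikiRequest request = context.getRequest();
        XWikiResponse response = context.getResponse();

        XWikiDocument doc = context.getDoc();
        String filename = getFileName();
        XWikiAttachment attachment = getAttachment(request, doc, filename);

        Map<String, Object> backwardCompatibilityContextObjects = null;

        if (attachment == null) {
            // Nothing found on the context document: retry by reading the URL as
            // /download/<space>/<page>/<attachment>, without nested space support.
            Pair<XWikiDocument, XWikiAttachment> result =
                extractAttachmentAndDocumentFromURLWithoutSupportingNestedSpaces(request, context);

            if (result == null) {
                throwNotFoundException(filename);
            }

            XWikiDocument backwardCompatibilityDocument = result.getLeft();
            attachment = result.getRight();

            // Make the document resolved from the URL the context document for the rest of the request;
            // the previous context state is restored in the finally block below.
            backwardCompatibilityContextObjects = new HashMap<>();
            pushDocumentInContext(backwardCompatibilityContextObjects,
                backwardCompatibilityDocument.getDocumentReference());
        }

        try {
            // Plugins may replace the attachment that is going to be served.
            XWikiPluginManager plugins = context.getWiki().getPluginManager();
            attachment = plugins.downloadAttachment(attachment, context);

            if (attachment == null) {
                throwNotFoundException(filename);
            }

            // Fail early, with a "not found" error, when the attachment content cannot be read.
            try {
                attachment.getContentSize(context);
            } catch (XWikiException e) {
                Object[] args = { filename };
                throw new XWikiException(XWikiException.MODULE_XWIKI_APP,
                    XWikiException.ERROR_XWIKI_APP_ATTACHMENT_NOT_FOUND,
                    "Attachment content {0} not found", null, args);
            }

            // Conditional request: answer 304 when the client copy is at least as recent as ours.
            long lastModifiedOnClient = request.getDateHeader("If-Modified-Since");
            long lastModifiedOnServer = attachment.getDate().getTime();
            if (lastModifiedOnClient != -1 && lastModifiedOnClient >= lastModifiedOnServer) {
                response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
                return null;
            }

            if (request.getHeader(RANGE_HEADER_NAME) != null) {
                try {
                    if (sendPartialContent(attachment, request, response, context)) {
                        return null;
                    }
                } catch (IOException ex) {
                    // Sending the requested range failed: fall through and try to send the full content.
                    // NOTE(review): if part of the range was already written the response may be committed;
                    // confirm that falling back to the full content is safe in that case.
                }
            }
            sendContent(attachment, request, response, filename, context);
            return null;
        } finally {
            if (backwardCompatibilityContextObjects != null) {
                popDocumentFromContext(backwardCompatibilityContextObjects);
            }
        }
    }

    /**
     * Raises the "attachment not found" error.
     *
     * @param filename the name of the attachment that was requested, may be {@code null}
     * @throws XWikiException always
     */
    private void throwNotFoundException(String filename) throws XWikiException
    {
        String message = filename == null ? "Attachment not found"
            : String.format("Attachment [%s] not found", filename);
        throw new XWikiException(XWikiException.MODULE_XWIKI_APP,
            XWikiException.ERROR_XWIKI_APP_ATTACHMENT_NOT_FOUND, message);
    }

    /**
     * Answers a byte-range request when the {@code Range} header holds a single range this action understands.
     * <p>
     * The header is client-controlled, so every bound is parsed as a plain decimal number and anything that
     * cannot be parsed makes the header be ignored rather than fail the request.
     *
     * @param attachment the attachment to send
     * @param request the current client request
     * @param response the response to write to
     * @param context the current request context
     * @return {@code true} if a range response (206 or 416) was produced, {@code false} if the header was not
     *         usable and the caller should send the whole content
     * @throws XWikiException if the attachment content cannot be retrieved
     * @throws IOException if the response cannot be written
     */
    private boolean sendPartialContent(final XWikiAttachment attachment,
        final XWikiRequest request,
        final XWikiResponse response,
        final XWikiContext context)
        throws XWikiException, IOException
    {
        String range = request.getHeader(RANGE_HEADER_NAME);
        if (range == null) {
            return false;
        }
        Matcher m = RANGE_HEADER_PATTERN.matcher(range);
        if (!m.matches()) {
            return false;
        }

        Long start;
        Long end;
        try {
            start = parseRangeBound(m.group(1));
            end = parseRangeBound(m.group(2));
        } catch (NumberFormatException e) {
            // The digits do not fit in a long: ignore the Range header.
            return false;
        }

        if (start == null && end != null) {
            if (end <= 0) {
                // "bytes=-0" asks for the last zero bytes, which can never be satisfied. Answer here so that
                // a null start is never passed on to writeByteRange().
                response.setStatus(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
                return true;
            }
            // Suffix range: "bytes=-N" means the last N bytes of the content.
            start = Math.max(attachment.getContentSize(context) - end, 0L);
            end = attachment.getContentSize(context) - 1L;
        }
        if (!isValidRange(start, end)) {
            return false;
        }
        if (end == null) {
            // Open-ended range: "bytes=N-" runs to the end of the content.
            end = attachment.getContentSize(context) - 1L;
        }
        // Never serve past the last byte, whatever the client asked for.
        end = Math.min(end, attachment.getContentSize(context) - 1L);
        writeByteRange(attachment, start, end, request, response, context);
        return true;
    }

    /**
     * Parses one bound of a byte range as a decimal number.
     * <p>
     * {@code Long.valueOf} is used instead of {@code NumberUtils.createLong}: the latter decodes a leading zero as
     * octal, so it misreads bounds such as {@code 010} and rejects {@code 08}.
     *
     * @param digits the digits captured from the header, or {@code null} when the bound was omitted
     * @return the parsed value, or {@code null} when the bound was omitted
     * @throws NumberFormatException if the value does not fit in a {@code long}
     */
    private Long parseRangeBound(String digits)
    {
        return digits == null ? null : Long.valueOf(digits);
    }

    /**
     * Writes the bytes {@code start} to {@code end} (both inclusive) of the attachment as a 206 response, or
     * sets a 416 status when {@code start} lies outside the content.
     *
     * @param attachment the attachment to send
     * @param start the index of the first byte to send
     * @param end the index of the last byte to send
     * @param request the current client request
     * @param response the response to write to
     * @param context the current request context
     * @throws XWikiException if the attachment content cannot be retrieved
     * @throws IOException if the content cannot be read or the response cannot be written
     */
    private void writeByteRange(final XWikiAttachment attachment, Long start, Long end,
        final XWikiRequest request,
        final XWikiResponse response,
        final XWikiContext context)
        throws XWikiException, IOException
    {
        if (start >= 0 && start < attachment.getContentSize(context)) {
            // Bound the stream at end + 1 so that copying stops after the last requested byte.
            InputStream data = new BoundedInputStream(attachment.getContentInputStream(context), end + 1);
            try {
                skipToRangeStart(data, start);
                setCommonHeaders(attachment, request, response, context);
                response.setStatus(HttpServletResponse.SC_PARTIAL_CONTENT);
                // setContentLength() takes an int: leave the length unset when the range does not fit.
                if ((end - start + 1L) < Integer.MAX_VALUE) {
                    response.setContentLength((int) (end - start + 1));
                }
                response.setHeader("Content-Range", "bytes " + start + "-" + end + SEPARATOR
                    + attachment.getContentSize(context));
                IOUtils.copyLarge(data, response.getOutputStream());
            } finally {
                // Release the content stream, as sendContent() does.
                IOUtils.closeQuietly(data);
            }
        } else {
            response.setStatus(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
        }
    }

    /**
     * Skips exactly {@code count} bytes. A single {@link InputStream#skip(long)} call may skip fewer bytes than
     * requested, which would make the response start at the wrong offset while still announcing the requested
     * range.
     *
     * @param data the stream to advance
     * @param count the number of bytes to skip
     * @throws IOException if the stream ends before {@code count} bytes were skipped
     */
    private void skipToRangeStart(InputStream data, long count) throws IOException
    {
        long remaining = count;
        while (remaining > 0) {
            long skipped = data.skip(remaining);
            if (skipped > 0) {
                remaining -= skipped;
            } else if (data.read() >= 0) {
                // skip() made no progress but the stream is not exhausted: advance by one byte.
                remaining--;
            } else {
                throw new IOException("Unexpected end of attachment content before the start of the range");
            }
        }
    }

    /**
     * Sends the whole attachment content.
     *
     * @param attachment the attachment to send
     * @param request the current client request
     * @param response the response to write to
     * @param filename the name of the requested attachment
     * @param context the current request context
     * @throws XWikiException if the content cannot be retrieved or the response cannot be written
     */
    private void sendContent(final XWikiAttachment attachment,
        final XWikiRequest request,
        final XWikiResponse response,
        final String filename,
        final XWikiContext context)
        throws XWikiException
    {
        InputStream stream = null;
        try {
            setCommonHeaders(attachment, request, response, context);
            response.setContentLength(attachment.getContentSize(context));
            stream = attachment.getContentInputStream(context);
            IOUtils.copy(stream, response.getOutputStream());
        } catch (IOException e) {
            throw new XWikiException(XWikiException.MODULE_XWIKI_APP,
                XWikiException.ERROR_XWIKI_APP_SEND_RESPONSE_EXCEPTION,
                "Exception while sending response", e);
        } finally {
            if (stream != null) {
                IOUtils.closeQuietly(stream);
            }
        }
    }

    /**
     * @return the name of the attachment referenced by the current resource reference, or {@code null} when the
     *         reference holds no attachment part
     */
    private String getFileName()
    {
        ResourceReference resourceReference = Utils.getComponent(ResourceReferenceManager.class).getResourceReference();
        // Assumes the download action is always reached through an entity resource reference.
        EntityResourceReference entityResource = (EntityResourceReference) resourceReference;

        EntityReference attachmentReference =
            entityResource.getEntityReference().extractReference(EntityType.ATTACHMENT);

        return attachmentReference == null ? null : attachmentReference.getName();
    }

    /**
     * Fallback lookup that reads the request URI as {@code .../download/<space>/<page>/<attachment>} (a single
     * space level only) and loads the attachment from that document.
     * <p>
     * The document is taken from the client-supplied path, so access to it is checked explicitly with
     * {@code checkAccess} before anything is returned.
     *
     * @param request the current client request
     * @param context the current request context
     * @return the resolved document and its attachment (which may be {@code null}), or {@code null} when the URI
     *         does not have the expected shape, the document does not exist, cannot be loaded or access to it
     *         is refused
     */
    private Pair<XWikiDocument, XWikiAttachment> extractAttachmentAndDocumentFromURLWithoutSupportingNestedSpaces(
        XWikiRequest request, XWikiContext context)
    {
        String path = request.getRequestURI();

        // Keep only what follows "/download/". A URI without that segment, or that ends right after it,
        // cannot name an attachment: report "nothing found" instead of slicing at an arbitrary offset.
        String actionSegment = SEPARATOR + ACTION_NAME;
        int pos = path.indexOf(actionSegment);
        int begin = pos + actionSegment.length() + 1;
        if (pos < 0 || begin > path.length()) {
            return null;
        }
        String subPath = path.substring(begin);

        List<String> segments = new ArrayList<>();
        for (String pathSegment : subPath.split(SEPARATOR, -1)) {
            segments.add(Util.decodeURI(pathSegment, context));
        }

        // At least space, page and attachment name are required.
        if (segments.size() < 3) {
            return null;
        }

        String spaceName = segments.get(0);
        String pageName = segments.get(1);
        String attachmentName = segments.get(2);

        DocumentReference reference = new DocumentReference(context.getWikiId(), spaceName, pageName);
        XWiki xwiki = context.getWiki();

        XWikiDocument backwardCompatibilityDocument;
        try {
            backwardCompatibilityDocument = xwiki.getDocument(reference, context);
            if (!backwardCompatibilityDocument.isNew()) {
                if (!context.getWiki().checkAccess(context.getAction(), backwardCompatibilityDocument, context)) {
                    // The current user may not perform this action on the resolved document.
                    return null;
                }
            } else {
                // The document does not exist.
                return null;
            }
        } catch (XWikiException e) {
            // The document could not be loaded or the access check failed: treat it as not found.
            return null;
        }

        XWikiAttachment attachment = getAttachment(request, backwardCompatibilityDocument, attachmentName);

        return new ImmutablePair<>(backwardCompatibilityDocument, attachment);
    }

    /**
     * Backs up the current context state into {@code backupObjects} and makes the given document the context
     * document.
     *
     * @param backupObjects receives the state to hand to {@link #popDocumentFromContext(Map)} later
     * @param documentReference the document to set as context document
     * @throws XWikiException if the document cannot be loaded
     */
    private void pushDocumentInContext(Map<String, Object> backupObjects, DocumentReference documentReference)
        throws XWikiException
    {
        XWikiContext xcontext = getContext();

        XWikiDocument.backupContext(backupObjects, xcontext);

        // Fetch the context again after the backup.
        // NOTE(review): presumably backupContext() can swap the current context; confirm.
        xcontext = getContext();

        xcontext.getWiki().getDocument(documentReference, xcontext).setAsContextDoc(xcontext);
    }

    /**
     * Restores the context state saved by {@link #pushDocumentInContext(Map, DocumentReference)}.
     *
     * @param backupObjects the state that was saved
     */
    private void popDocumentFromContext(Map<String, Object> backupObjects)
    {
        XWikiDocument.restoreContext(backupObjects, getContext());
    }

    /**
     * @return the XWiki context stored under the {@code xwikicontext} property of the current execution context,
     *         or {@code null} when there is no execution context
     */
    private XWikiContext getContext()
    {
        Execution execution = Utils.getComponent(Execution.class);
        ExecutionContext econtext = execution.getContext();
        return econtext != null ? (XWikiContext) econtext.getProperty("xwikicontext") : null;
    }

    /**
     * Picks the attachment to serve from the given document: by position in the attachment list when the request
     * carries a numeric {@code id} parameter, by file name otherwise.
     *
     * @param request the current client request
     * @param document the document holding the attachment
     * @param filename the attachment name taken from the URL
     * @return the matching attachment, or {@code null} when there is none
     */
    private XWikiAttachment getAttachment(XWikiRequest request, XWikiDocument document, String filename)
    {
        XWikiAttachment attachment = null;

        String idStr = request.getParameter("id");
        if (StringUtils.isNumeric(idStr)) {
            try {
                int id = Integer.parseInt(idStr);
                if (document.getAttachmentList().size() > id) {
                    attachment = document.getAttachmentList().get(id);
                }
            } catch (NumberFormatException e) {
                // The parameter is client-controlled: an all-digit value too large for an int cannot be a
                // valid index, so it is handled as "no such attachment" rather than failing the request.
            }
        } else {
            attachment = document.getAttachment(filename);
        }

        return attachment;
    }

    /**
     * Sets the headers shared by full and partial responses: content type, Content-Disposition, Last-Modified
     * and Accept-Ranges.
     * <p>
     * The Content-Disposition decides whether the browser renders the file in the wiki's origin
     * ({@code inline}) or saves it ({@code attachment}). {@code inline} is only used when the media type is
     * authorized by {@link #isAuthorized(String)} or when the attachment author has the {@code programming}
     * access level on {@code XWiki.XWikiPreferences}; a {@code force-download=1} request parameter always
     * selects {@code attachment}.
     *
     * @param attachment the attachment being sent
     * @param request the current client request
     * @param response the response to set the headers on
     * @param context the current request context
     */
    private void setCommonHeaders(final XWikiAttachment attachment,
        final XWikiRequest request,
        final XWikiResponse response,
        final XWikiContext context)
    {
        String mimetype = attachment.getMimeType(context);
        response.setContentType(mimetype);
        try {
            // Try to send the content without declaring any character encoding.
            response.setCharacterEncoding("");
        } catch (IllegalCharsetNameException ex) {
            // The response rejected the empty charset name: use the wiki default instead.
            response.setCharacterEncoding(XWiki.DEFAULT_ENCODING);
        }

        // URI-encode the file name for the filename*= parameter; '+' is turned into %20.
        String ofilename =
            Util.encodeURI(attachment.getFilename(), context).replaceAll("\\+", "%20");

        String dispType = "inline";

        boolean hasPR = false;
        String author = attachment.getAuthor();
        try {
            hasPR =
                context.getWiki().getRightService().hasAccessLevel(
                    "programming", author, "XWiki.XWikiPreferences", context);
        } catch (Exception e) {
            // The right could not be evaluated: treat the author as not having it, so that the media type
            // check below still applies.
            hasPR = false;
        }

        if ((!hasPR && !isAuthorized(mimetype)) || "1".equals(request.getParameter("force-download"))) {
            dispType = ATTACHMENT;
        }

        response.addHeader("Content-disposition", dispType + "; filename*=utf-8''" + ofilename);

        response.setDateHeader("Last-Modified", attachment.getDate().getTime());

        // Advertise byte-range support.
        response.setHeader("Accept-Ranges", "bytes");
    }

    /**
     * Checks the shape of a parsed byte range.
     *
     * @param start the first byte index, or {@code null} when omitted
     * @param end the last byte index, or {@code null} when omitted
     * @return {@code false} when both bounds are missing or {@code end} is lower than {@code start},
     *         {@code true} otherwise
     */
    private boolean isValidRange(Long start, Long end)
    {
        if (start == null && end == null) {
            return false;
        }
        return start == null || end == null || end >= start;
    }

    /**
     * Tells whether a media type may be displayed inline, according to the {@code xwikiproperties}
     * configuration source.
     * <p>
     * The blacklist is only used when it is defined and no whitelist is; in that mode every type that is not
     * listed, unknown ones included, is allowed. In all other cases the whitelist (or
     * {@link #MIMETYPE_WHITELIST} when none is configured) decides.
     *
     * @param mimeType the media type of the attachment
     * @return {@code true} if the type may be displayed inline
     */
    private boolean isAuthorized(String mimeType)
    {
        ConfigurationSource configuration = Utils.getComponent(ConfigurationSource.class, "xwikiproperties");
        if (configuration.containsKey(BLACKLIST_PROPERTY) && !configuration.containsKey(WHITELIST_PROPERTY)) {
            List<String> blackList = (configuration.getProperty(BLACKLIST_PROPERTY, Collections.<String>emptyList()));
            return !blackList.contains(mimeType);
        } else {
            List<String> whiteList = configuration.getProperty(WHITELIST_PROPERTY, MIMETYPE_WHITELIST);
            return whiteList.contains(mimeType);
        }
    }
}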