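/**
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.activemq.util;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Servlet filter that wraps each {@link HttpServletRequest} so that selected
 * accessors return their value with every {@code ':'} replaced by {@code '_'}.
 *
 * <p>Guarded accessors: {@code getParameter("Destination")},
 * {@code getPathInfo()}, {@code getPathTranslated()} and
 * {@code getRequestURI()}.
 *
 * <p>Scope of the guard, for anyone relying on it as a security control:
 * <ul>
 *   <li>Only the colon is rewritten. Sequences such as {@code ".."}, path
 *       separators or encoded characters are passed through unchanged, so
 *       code that maps these values onto the file system still needs its own
 *       canonicalisation and containment check.</li>
 *   <li>Every other accessor of the wrapped request (headers,
 *       {@code getParameterValues}, {@code getParameterMap},
 *       {@code getServletPath}, {@code getRequestURL}, ...) returns the
 *       original, unguarded value.</li>
 * </ul>
 * NOTE(review): the colon is presumably targeted because of its special
 * meaning in file names on some platforms - confirm against the consumers of
 * this filter.
 */
public class FilenameGuardFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(FilenameGuardFilter.class);

    @Override
    public void destroy() {
        // nothing to destroy
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to init
    }

    /**
     * Passes HTTP requests down the chain wrapped in a guarding request;
     * any other request type is forwarded untouched.
     *
     * @param request  the incoming request
     * @param response the response, forwarded as-is
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new GuardedHttpServletRequest((HttpServletRequest) request), response);
    }

    /**
     * Request wrapper whose path-related accessors and {@code Destination}
     * parameter have {@code ':'} replaced by {@code '_'}.
     */
    private static class GuardedHttpServletRequest extends HttpServletRequestWrapper {

        public GuardedHttpServletRequest(HttpServletRequest httpRequest) {
            super(httpRequest);
        }

        /**
         * Replaces every {@code ':'} in {@code filename} with {@code '_'}.
         *
         * @param filename request-derived value; may be {@code null}, since
         *                 the servlet API returns {@code null} for an absent
         *                 parameter, path info or translated path
         * @return the rewritten value, or {@code null} when the input is
         *         {@code null}
         */
        private String guard(String filename) {
            // An absent value must stay absent rather than raise a
            // NullPointerException inside the filter chain.
            if (filename == null) {
                return null;
            }
            String guarded = filename.replace(":", "_");
            if (LOG.isDebugEnabled()) {
                // The values come straight from the request, so line breaks
                // are neutralised before they reach the log.
                LOG.debug("guarded {} to {}", forLog(filename), forLog(guarded));
            }
            return guarded;
        }

        /** Replaces CR and LF so a request value cannot start a new log line. */
        private static String forLog(String value) {
            return value.replace('\r', '_').replace('\n', '_');
        }

        /**
         * Returns the named parameter; only the parameter called
         * {@code Destination} is passed through {@link #guard(String)}.
         */
        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            // Constant-first comparison tolerates a null parameter name.
            return "Destination".equals(name) ? guard(value) : value;
        }

        @Override
        public String getPathInfo() {
            return guard(super.getPathInfo());
        }

        @Override
        public String getPathTranslated() {
            return guard(super.getPathTranslated());
        }

        @Override
        public String getRequestURI() {
            return guard(super.getRequestURI());
        }
    }
}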