001/**
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.activemq.util;
018
019import java.io.IOException;
020
021import javax.servlet.Filter;
022import javax.servlet.FilterChain;
023import javax.servlet.FilterConfig;
024import javax.servlet.ServletException;
025import javax.servlet.ServletRequest;
026import javax.servlet.ServletResponse;
027import javax.servlet.http.HttpServletRequest;
028import javax.servlet.http.HttpServletRequestWrapper;
029
030import org.slf4j.Logger;
031import org.slf4j.LoggerFactory;
032
033
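/**
 * Servlet filter that wraps every HTTP request so that the colon character
 * is replaced with an underscore in a small set of request values: the
 * {@code Destination} parameter, the path info, the translated path and the
 * request URI.
 *
 * <p>NOTE(review): presumably these values end up in file names and ':' is
 * rewritten because it is special on some file systems. Confirm against the
 * servlet this filter is mapped in front of.
 *
 * <p>Scope of the guard, as visible in this class:
 * <ul>
 *   <li>Only ':' is rewritten. Parent-directory segments, path separators and
 *       other characters are passed through unchanged, so code that maps these
 *       values onto the file system still needs its own containment check
 *       (resolve against a base directory, normalize, verify the prefix).</li>
 *   <li>Only the four accessors overridden below are guarded. Other accessors
 *       of the wrapped request (for example {@code getRequestURL()},
 *       {@code getServletPath()}, {@code getParameterValues(String)} and
 *       {@code getParameterMap()}) return the original, unguarded values.</li>
 * </ul>
 */
public class FilenameGuardFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(FilenameGuardFilter.class);

    /** Name of the request parameter whose value is guarded. */
    private static final String DESTINATION_PARAMETER = "Destination";

    /** No resources are held, so there is nothing to release. */
    public void destroy() {
        // nothing to destroy
    }

    /**
     * No configuration is read.
     *
     * @param config filter configuration (unused)
     * @throws ServletException never thrown by this implementation
     */
    public void init(FilterConfig config) throws ServletException {
        // nothing to init
    }

    /**
     * Passes the request down the chain, wrapping it in a guarded view first
     * when it is an HTTP request. Non-HTTP requests are forwarded unchanged.
     *
     * @param request  incoming request
     * @param response outgoing response, forwarded untouched
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        ServletRequest forwarded = request;
        if (request instanceof HttpServletRequest) {
            forwarded = new GuardedHttpServletRequest((HttpServletRequest) request);
        }
        chain.doFilter(forwarded, response);
    }

    /**
     * Request view that rewrites ':' to '_' in selected accessors; every other
     * accessor delegates to the wrapped request unchanged.
     */
    private static class GuardedHttpServletRequest extends HttpServletRequestWrapper {

        public GuardedHttpServletRequest(HttpServletRequest httpRequest) {
            super(httpRequest);
        }

        /**
         * Replaces every ':' in the given value with '_'.
         *
         * @param filename request-supplied value; may be {@code null} because
         *                 the servlet API returns {@code null} for an absent
         *                 parameter, missing path info or untranslatable path
         * @return the rewritten value, or {@code null} when the input was
         *         {@code null}
         */
        private String guard(String filename) {
            if (filename == null) {
                // Absent values stay absent instead of failing with a
                // NullPointerException inside the filter.
                return null;
            }
            String guarded = filename.replace(":", "_");
            // The value is request-controlled: parameterized logging keeps it
            // out of the format string, but CR/LF neutralization is left to
            // the logging layout.
            LOG.debug("guarded {} to {}", filename, guarded);
            return guarded;
        }

        /**
         * Returns the named parameter, guarded when the name is exactly
         * {@code Destination} (case-sensitive); all other parameters are
         * returned as supplied by the client.
         */
        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            // Constant-first comparison tolerates a null name.
            return DESTINATION_PARAMETER.equals(name) ? guard(value) : value;
        }

        /** Returns the guarded path info, or {@code null} when there is none. */
        @Override
        public String getPathInfo() {
            return guard(super.getPathInfo());
        }

        /** Returns the guarded translated path, or {@code null} when there is none. */
        @Override
        public String getPathTranslated() {
            return guard(super.getPathTranslated());
        }

        /** Returns the guarded request URI. */
        @Override
        public String getRequestURI() {
            return guard(super.getRequestURI());
        }
    }
}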