001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.kernel.servlet;
016    
017    import com.liferay.portal.kernel.util.CharPool;
018    import com.liferay.portal.kernel.util.GetterUtil;
019    import com.liferay.portal.kernel.util.HttpUtil;
020    import com.liferay.portal.kernel.util.KeyValuePair;
021    import com.liferay.portal.kernel.util.PropsKeys;
022    import com.liferay.portal.kernel.util.PropsUtil;
023    import com.liferay.portal.kernel.util.ServerDetector;
024    import com.liferay.portal.kernel.util.SortedProperties;
025    import com.liferay.portal.kernel.util.StringPool;
026    import com.liferay.portal.kernel.util.StringUtil;
027    import com.liferay.portal.kernel.util.Validator;
028    import com.liferay.portal.util.PortalUtil;
029    
030    import java.io.IOException;
031    
032    import java.util.ArrayList;
033    import java.util.Comparator;
034    import java.util.List;
035    import java.util.Map;
036    import java.util.Properties;
037    
038    import javax.portlet.PortletRequest;
039    import javax.portlet.PortletResponse;
040    
041    import javax.servlet.http.HttpServletRequest;
042    import javax.servlet.http.HttpServletResponse;
043    import javax.servlet.http.HttpServletResponseWrapper;
044    import javax.servlet.http.HttpSession;
045    
046    /**
047     * @author László Csontos
048     * @author Shuyang Zhou
049     * @author Tomas Polesovsky
050     */
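/**
 * Applies the portal's "secure" response headers and, on Resin only, wraps
 * the response so that header names/values, redirect targets, charset and
 * content type are passed through {@code HttpUtil.sanitizeHeader} before
 * reaching the container.
 *
 * <p>
 * Header policy in this class:
 * </p>
 *
 * <ul>
 * <li>{@code X-Content-Type-Options: nosniff}, unless disabled by
 * {@code http.header.secure.x.content.type.options} or the request URI starts
 * with one of the configured exclusion prefixes.</li>
 * <li>{@code X-Frame-Options}, chosen by the first matching prefix rule from
 * {@code http.header.secure.x.frame.options.N}, defaulting to {@code DENY}.
 * If no rules are configured at all the header is not emitted.</li>
 * <li>{@code X-XSS-Protection}, either the configured value or {@code 0} when
 * a one-shot "disable auditor" flag was stored in the session by
 * {@link #disableXSSAuditorOnNextRequest(HttpServletRequest)}.</li>
 * </ul>
 *
 * <p>
 * NOTE(review): {@code X-XSS-Protection} and {@code X-Frame-Options} are
 * legacy mechanisms; a Content-Security-Policy ({@code frame-ancestors}) is
 * the supported replacement and is not handled here.
 * </p>
 *
 * @author László Csontos
 * @author Shuyang Zhou
 * @author Tomas Polesovsky
 */
public class SanitizedServletResponse extends HttpServletResponseWrapper {

	/**
	 * Emits {@code X-XSS-Protection: 0} on the given response, turning off the
	 * browser's reflective XSS auditor for it.
	 *
	 * <p>
	 * This removes a (legacy) browser-side defense, so it should only be used
	 * for responses that cannot reflect unescaped, untrusted input.
	 * </p>
	 *
	 * @param response the response to set the header on
	 */
	public static void disableXSSAuditor(HttpServletResponse response) {
		response.setHeader(HttpHeaders.X_XSS_PROTECTION, "0");
	}

	/**
	 * Portlet flavor of {@link #disableXSSAuditor(HttpServletResponse)};
	 * unwraps the underlying servlet response via {@code PortalUtil}.
	 *
	 * @param portletResponse the portlet response whose servlet response is
	 *        marked
	 */
	public static void disableXSSAuditor(PortletResponse portletResponse) {
		disableXSSAuditor(PortalUtil.getHttpServletResponse(portletResponse));
	}

	/**
	 * Stores a one-shot flag in the session so that the <em>next</em>
	 * sanitized response for this session is sent with
	 * {@code X-XSS-Protection: 0}. The flag is consumed (removed) by
	 * {@link #setXXSSProtection(HttpServletRequest, HttpServletResponse)}.
	 *
	 * <p>
	 * Note that this creates an HTTP session if the request does not already
	 * have one.
	 * </p>
	 *
	 * @param request the current request; its session receives the flag
	 */
	public static void disableXSSAuditorOnNextRequest(
		HttpServletRequest request) {

		HttpSession session = request.getSession();

		session.setAttribute(_DISABLE_XSS_AUDITOR, Boolean.TRUE);
	}

	/**
	 * Portlet flavor of
	 * {@link #disableXSSAuditorOnNextRequest(HttpServletRequest)}.
	 *
	 * @param portletRequest the portlet request whose servlet request/session
	 *        is flagged
	 */
	public static void disableXSSAuditorOnNextRequest(
		PortletRequest portletRequest) {

		disableXSSAuditorOnNextRequest(
			PortalUtil.getHttpServletRequest(portletRequest));
	}

	/**
	 * Sets the secure headers on {@code response} and returns the response to
	 * use from here on.
	 *
	 * <p>
	 * The headers are written directly to the original response. Only on Resin
	 * is the response additionally wrapped in a {@code SanitizedServletResponse}
	 * so that later header writes are sanitized; presumably the other supported
	 * containers already reject CR/LF in header values themselves, but that is
	 * not verified here.
	 * </p>
	 *
	 * @param  request the current request (used for URI-based exclusions and
	 *         the session flag)
	 * @param  response the response to decorate
	 * @return the original response, or a sanitizing wrapper around it when
	 *         running on Resin
	 */
	public static HttpServletResponse getSanitizedServletResponse(
		HttpServletRequest request, HttpServletResponse response) {

		setXContentOptions(request, response);
		setXFrameOptions(request, response);
		setXXSSProtection(request, response);

		if (ServerDetector.isResin()) {
			response = new SanitizedServletResponse(response);
		}

		return response;
	}

	/**
	 * Sanitizes both the header name and value before delegating.
	 *
	 * <p>
	 * NOTE(review): assumes {@code HttpUtil.sanitizeHeader} strips CR/LF (the
	 * header/response-splitting vectors) — confirm in {@code HttpUtil}. The
	 * int/date header setters and the deprecated
	 * {@code setStatus(int, String)} reason phrase are not intercepted here.
	 * </p>
	 */
	@Override
	public void addHeader(String name, String value) {
		super.addHeader(
			HttpUtil.sanitizeHeader(name), HttpUtil.sanitizeHeader(value));
	}

	/**
	 * Sanitizes the redirect target (it ends up in the {@code Location}
	 * header) before delegating. This only guards against header injection; it
	 * does not validate that {@code location} is an allowed redirect target.
	 */
	@Override
	public void sendRedirect(String location) throws IOException {
		super.sendRedirect(HttpUtil.sanitizeHeader(location));
	}

	/**
	 * Sanitizes the charset (part of the {@code Content-Type} header) before
	 * delegating.
	 */
	@Override
	public void setCharacterEncoding(String charset) {
		super.setCharacterEncoding(HttpUtil.sanitizeHeader(charset));
	}

	/**
	 * Sanitizes the content type (the {@code Content-Type} header) before
	 * delegating.
	 */
	@Override
	public void setContentType(String type) {
		super.setContentType(HttpUtil.sanitizeHeader(type));
	}

	/**
	 * Sanitizes both the header name and value before delegating; see
	 * {@link #addHeader(String, String)}.
	 */
	@Override
	public void setHeader(String name, String value) {
		super.setHeader(
			HttpUtil.sanitizeHeader(name), HttpUtil.sanitizeHeader(value));
	}

	/**
	 * Sets {@code X-Content-Type-Options: nosniff} unless the feature is
	 * disabled or the request URI starts with a configured exclusion prefix.
	 *
	 * <p>
	 * Matching is a plain {@code startsWith} on {@code getRequestURI()}, so an
	 * exclusion {@code /foo} also covers {@code /foobar}; whether that URI is
	 * decoded or normalized first is container-dependent, so keep exclusions
	 * as narrow as possible.
	 * </p>
	 *
	 * @param request the current request
	 * @param response the response to set the header on
	 */
	protected static void setXContentOptions(
		HttpServletRequest request, HttpServletResponse response) {

		if (!_X_CONTENT_TYPE_OPTIONS) {
			return;
		}

		if (_X_CONTENT_TYPE_OPTIONS_URLS_EXCLUDES.length > 0) {
			String requestURI = request.getRequestURI();

			for (String url : _X_CONTENT_TYPE_OPTIONS_URLS_EXCLUDES) {
				if (requestURI.startsWith(url)) {
					return;
				}
			}
		}

		response.setHeader(HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff");
	}

	/**
	 * Sets {@code X-Frame-Options} according to the configured prefix rules.
	 *
	 * <p>
	 * Rules are evaluated in ascending order of their numeric property suffix
	 * and the first whose URL is a prefix of {@code getRequestURI()} wins: a
	 * rule with a value sets that value, a rule without a value suppresses the
	 * header for that URL. If no rule matches the header is {@code DENY}.
	 * Because {@code _X_FRAME_OPTIONS} is {@code false} when no rules are
	 * configured at all, the {@code DENY} default is only ever applied when at
	 * least one rule exists — NOTE(review): confirm this is intended rather
	 * than defaulting to {@code DENY} unconditionally.
	 * </p>
	 *
	 * @param request the current request
	 * @param response the response to set the header on
	 */
	protected static void setXFrameOptions(
		HttpServletRequest request, HttpServletResponse response) {

		if (!_X_FRAME_OPTIONS) {
			return;
		}

		String requestURI = request.getRequestURI();

		for (KeyValuePair xFrameOptionKVP : _xFrameOptionKVPs) {
			String url = xFrameOptionKVP.getKey();
			String value = xFrameOptionKVP.getValue();

			if (requestURI.startsWith(url)) {

				// A null value is an explicit "no header for this prefix"

				if (value != null) {
					response.setHeader(HttpHeaders.X_FRAME_OPTIONS, value);
				}

				return;
			}
		}

		response.setHeader(HttpHeaders.X_FRAME_OPTIONS, "DENY");
	}

	/**
	 * Sets {@code X-XSS-Protection}.
	 *
	 * <p>
	 * If the session carries the one-shot flag stored by
	 * {@link #disableXSSAuditorOnNextRequest(HttpServletRequest)}, the flag is
	 * removed and the header is forced to {@code 0} regardless of
	 * configuration. Otherwise the configured value is sent, or nothing if it
	 * is empty. No session is created here ({@code getSession(false)}).
	 * </p>
	 *
	 * @param request the current request
	 * @param response the response to set the header on
	 */
	protected static void setXXSSProtection(
		HttpServletRequest request, HttpServletResponse response) {

		HttpSession session = request.getSession(false);

		if ((session != null) &&
			(session.getAttribute(_DISABLE_XSS_AUDITOR) != null)) {

			session.removeAttribute(_DISABLE_XSS_AUDITOR);

			response.setHeader(HttpHeaders.X_XSS_PROTECTION, "0");

			return;
		}

		if (Validator.isNull(_X_XSS_PROTECTION)) {
			return;
		}

		response.setHeader(HttpHeaders.X_XSS_PROTECTION, _X_XSS_PROTECTION);
	}

	/**
	 * Only {@link #getSanitizedServletResponse} creates instances (and only on
	 * Resin); callers never construct the wrapper directly.
	 */
	private SanitizedServletResponse(HttpServletResponse response) {
		super(response);
	}

	// Session attribute key for the one-shot "disable auditor" flag

	private static final String _DISABLE_XSS_AUDITOR =
		SanitizedServletResponse.class.getName() + "DISABLE_XSS_AUDITOR";

	// Feature flag for X-Content-Type-Options; enabled unless configured off

	private static final boolean _X_CONTENT_TYPE_OPTIONS =
		GetterUtil.getBoolean(
			PropsUtil.get(PropsKeys.HTTP_HEADER_SECURE_X_CONTENT_TYPE_OPTIONS),
			true);

	// Request URI prefixes that do not receive X-Content-Type-Options

	private static final String[] _X_CONTENT_TYPE_OPTIONS_URLS_EXCLUDES =
		PropsUtil.getArray(
			PropsKeys.HTTP_HEADER_SECURE_X_CONTENT_TYPE_OPTIONS_URLS_EXCLUDES);

	// Feature flag for X-Frame-Options; computed in the static initializer

	private static final boolean _X_FRAME_OPTIONS;

	// Configured X-XSS-Protection value; null/empty means "do not send"

	private static final String _X_XSS_PROTECTION = PropsUtil.get(
		PropsKeys.HTTP_HEADER_SECURE_X_XSS_PROTECTION);

	// Ordered (url prefix -> header value or null) rules for X-Frame-Options

	private static final KeyValuePair[] _xFrameOptionKVPs;

	static {

		// Collect http.header.secure.x.frame.options.N and order the entries
		// numerically by N. The keys are expected to be the bare numeric
		// suffixes — this relies on PropsUtil.getProperties(prefix, true)
		// stripping the prefix (confirm in PropsUtil).

		Properties properties = new SortedProperties(
			new Comparator<String>() {

				@Override
				public int compare(String key1, String key2) {
					int order1 = GetterUtil.getIntegerStrict(key1);
					int order2 = GetterUtil.getIntegerStrict(key2);

					// Three-way compare rather than subtraction, which can
					// overflow (and invert the order) for suffixes of
					// opposite sign

					if (order1 < order2) {
						return -1;
					}

					if (order1 > order2) {
						return 1;
					}

					return 0;
				}

			},
			PropsUtil.getProperties(
				PropsKeys.HTTP_HEADER_SECURE_X_FRAME_OPTIONS +
					StringPool.PERIOD,
				true));

		List<KeyValuePair> xFrameOptionKVPs = new ArrayList<KeyValuePair>(
			properties.size());

		// Each value is "urlPrefix" or "urlPrefix|headerValue"; anything with
		// more than one pipe, or an empty prefix, is silently dropped

		for (Map.Entry<Object, Object> entry : properties.entrySet()) {
			String propertyValue = (String)entry.getValue();

			String[] propertyValueParts = StringUtil.split(
				propertyValue, CharPool.PIPE);

			if (propertyValueParts.length > 2) {
				continue;
			}

			String url = StringUtil.trim(propertyValueParts[0]);

			if (Validator.isNull(url)) {
				continue;
			}

			if (propertyValueParts.length == 1) {
				xFrameOptionKVPs.add(new KeyValuePair(url, null));

				continue;
			}

			String value = StringUtil.trim(propertyValueParts[1]);

			// "urlPrefix|" (empty value) behaves like "urlPrefix": suppress

			if (Validator.isNull(value)) {
				value = null;
			}

			xFrameOptionKVPs.add(new KeyValuePair(url, value));
		}

		_xFrameOptionKVPs = xFrameOptionKVPs.toArray(
			new KeyValuePair[xFrameOptionKVPs.size()]);

		// With no rules at all the header is never sent, even when the
		// feature property itself is left at its default of true

		if (_xFrameOptionKVPs.length == 0) {
			_X_FRAME_OPTIONS = false;
		}
		else {
			_X_FRAME_OPTIONS = GetterUtil.getBoolean(
				PropsUtil.get(PropsKeys.HTTP_HEADER_SECURE_X_FRAME_OPTIONS),
				true);
		}
	}

}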