WA-7048: Prevent XSS by always specifying a content-type for get requ…

…ests. Make sure that we always respond with a content-type, org.apache.catalina.servlets.WebdavServlet may not set it on all code paths.
oxygenxml · Feb 9, 2024 · 76389d9 · 76389d9
1 parent c3a2e2a
commit 76389d9
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/src/main/java/com/oxygenxml/webdavserver/WebappWebdavServlet.java b/src/main/java/com/oxygenxml/webdavserver/WebappWebdavServlet.java
@@ -40,7 +40,7 @@ public void service(HttpServletRequest req, HttpServletResponse resp)
       resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
       return;
     }
-
+    resp.setContentType("text/plain");
     webdavWrapper.service(req, resp);
   }
 

diff --git a/src/main/java/com/oxygenxml/webdavserver/WebdavServletWrapper.java b/src/main/java/com/oxygenxml/webdavserver/WebdavServletWrapper.java
@@ -121,6 +121,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
         response.getWriter().print("{\"trustedHostNotConfigured\": \"true\"}");
       }
     } else {
+      response.setContentType("application/octet-stream");
       super.doGet(request, response);
     }
   }
@@ -255,6 +256,8 @@ protected void service(HttpServletRequest req, HttpServletResponse resp)
         return;
       }
     }
+
+    resp.setContentType("application/octet-stream");
     super.service(req, resp);
   }
-Original file line number
+Diff line change
@@ Expand Up @@
           resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
           return;
         }
+        resp.setContentType("text/plain");
         webdavWrapper.service(req, resp);
       }
@@ Expand Down @@