Adds AngularJsonMediaTypeFormatter and ensures our controllers all use this formatter in order to enable angular's JSON Vulnerability protection.

Shannon
2013-12-02 13:31:44 +11:00
parent 1ac6f6db50
commit 33c32579c8
7 changed files with 71 additions and 7 deletions


@@ -4,6 +4,7 @@ using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;
using AutoMapper;
using Umbraco.Core;
@@ -33,10 +34,10 @@ namespace Umbraco.Web.Editors
/// Remove the xml formatter... only support JSON!
/// </summary>
/// <param name="controllerContext"></param>
protected override void Initialize(global::System.Web.Http.Controllers.HttpControllerContext controllerContext)
protected override void Initialize(HttpControllerContext controllerContext)
{
base.Initialize(controllerContext);
controllerContext.Configuration.Formatters.Remove(controllerContext.Configuration.Formatters.XmlFormatter);
controllerContext.EnsureJsonOutputOnly();
}
/// <summary>
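Review bot: The `<summary>` shown above `Initialize` still says "Remove the xml formatter... only support JSON!", but the call it now makes, `EnsureJsonOutputOnly`, also swaps the default JSON formatter for the Angular one, so the doc understates what initialization does to the response. The same stale summary appears in the second file section (the other Umbraco.Web.Editors controller), and the two Umbraco.Web.Trees sections presumably carry it too, though their summaries are outside the hunks shown. Suggest `/// Removes the xml formatter and replaces the json formatter with the angular one (json vulnerability prefix added), so only angularized JSON is returned`. The enclosing class of `Initialize` starts outside the hunk.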


@@ -1,4 +1,5 @@
using Umbraco.Web.WebApi;
using System.Web.Http.Controllers;
using Umbraco.Web.WebApi;
namespace Umbraco.Web.Editors
{
@@ -19,7 +20,7 @@ namespace Umbraco.Web.Editors
/// Remove the xml formatter... only support JSON!
/// </summary>
/// <param name="controllerContext"></param>
protected override void Initialize(global::System.Web.Http.Controllers.HttpControllerContext controllerContext)
protected override void Initialize(HttpControllerContext controllerContext)
{
base.Initialize(controllerContext);
controllerContext.EnsureJsonOutputOnly();


@@ -32,7 +32,7 @@ namespace Umbraco.Web.Trees
protected override void Initialize(global::System.Web.Http.Controllers.HttpControllerContext controllerContext)
{
base.Initialize(controllerContext);
controllerContext.Configuration.Formatters.Remove(controllerContext.Configuration.Formatters.XmlFormatter);
controllerContext.EnsureJsonOutputOnly();
}
/// <summary>


@@ -24,7 +24,7 @@ namespace Umbraco.Web.Trees
protected override void Initialize(global::System.Web.Http.Controllers.HttpControllerContext controllerContext)
{
base.Initialize(controllerContext);
controllerContext.Configuration.Formatters.Remove(controllerContext.Configuration.Formatters.XmlFormatter);
controllerContext.EnsureJsonOutputOnly();
}
/// <summary>


@@ -438,6 +438,7 @@
<DesignTime>True</DesignTime>
<DependentUpon>Reference.map</DependentUpon>
</Compile>
<Compile Include="WebApi\AngularJsonMediaTypeFormatter.cs" />
<Compile Include="WebApi\Binders\MemberBinder.cs" />
<Compile Include="WebApi\Filters\FilterGrouping.cs" />
<Compile Include="WebApi\HttpControllerContextExtensions.cs" />


@@ -0,0 +1,59 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Formatting;
using System.Text;
using System.Threading.Tasks;
namespace Umbraco.Web.WebApi
{
/// <summary>
/// This will format the JSON output for use with AngularJs's approach to JSON Vulnerability attacks
/// </summary>
/// <remarks>
/// See: http://docs.angularjs.org/api/ng.$http (Security considerations)
/// </remarks>
public class AngularJsonMediaTypeFormatter : JsonMediaTypeFormatter
{
/// <summary>
/// This will prepend the special chars to the stream output that angular will strip
/// </summary>
/// <param name="type"></param>
/// <param name="value"></param>
/// <param name="writeStream"></param>
/// <param name="content"></param>
/// <param name="transportContext"></param>
/// <returns></returns>
public async override Task WriteToStreamAsync(Type type, object value, Stream writeStream, HttpContent content, TransportContext transportContext)
{
var memStream = new MemoryStream();
//Let the base class do all the processing using our custom stream
await base.WriteToStreamAsync(type, value, memStream, content, transportContext);
memStream.Flush();
memStream.Position = 0;
//read the result string from the stream
string output;
using (var reader = new StreamReader(memStream))
{
output = reader.ReadToEnd();
}
//pre-pend the angular chars to the result
output = ")]}',\n" + output;
//write out the result to the original stream
using (var writer = new StreamWriter(writeStream))
{
writer.Write(output);
}
}
}
}
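Review bot: `using (var writer = new StreamWriter(writeStream))` at the end of `WriteToStreamAsync` disposes the response stream that Web API handed in, because StreamWriter closes its underlying stream on Dispose unless constructed with `leaveOpen: true`; the formatter does not own that stream and must leave it open. The method also serializes the whole body into a MemoryStream, reads it back into a string and writes it out again, with the reader and writer using their default UTF-8 rather than the charset the base class negotiates through `SelectCharacterEncoding`, and `memStream` itself is never disposed. Writing the `)]}',\n` prefix bytes directly to `writeStream` and then letting the base class write the JSON straight after it removes the buffering, the encoding mismatch and the dispose in one go.
```csharp
public async override Task WriteToStreamAsync(Type type, object value, Stream writeStream, HttpContent content, TransportContext transportContext)
{
    // Use the negotiated charset so the prefix and the JSON body agree
    var encoding = SelectCharacterEncoding(content == null ? null : content.Headers);
    var prefix = encoding.GetBytes(")]}',\n");
    await writeStream.WriteAsync(prefix, 0, prefix.Length);
    // The base class writes the JSON after the prefix; nothing is buffered or disposed here
    await base.WriteToStreamAsync(type, value, writeStream, content, transportContext);
}
```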


@@ -96,12 +96,14 @@ namespace Umbraco.Web.WebApi
}
/// <summary>
/// Removes the xml formatter so it only outputs json
/// Removes the xml formatter so it only outputs angularized json (with the json vulnerability prefix added)
/// </summary>
/// <param name="controllerContext"></param>
internal static void EnsureJsonOutputOnly(this HttpControllerContext controllerContext)
{
controllerContext.Configuration.Formatters.Remove(controllerContext.Configuration.Formatters.XmlFormatter);
controllerContext.Configuration.Formatters.Remove(controllerContext.Configuration.Formatters.JsonFormatter);
controllerContext.Configuration.Formatters.Add(new AngularJsonMediaTypeFormatter());
}
}
}
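Review bot: `EnsureJsonOutputOnly` mutates `controllerContext.Configuration.Formatters`, which is the application-wide `HttpConfiguration` shared by every request and every Web API controller, from inside each controller's `Initialize`; `MediaTypeFormatterCollection` is not thread-safe, so concurrent requests race on the Remove/Add pair, and the replacement also reaches controllers that never call this method. Because `AngularJsonMediaTypeFormatter` derives from `JsonMediaTypeFormatter`, `Formatters.JsonFormatter` resolves, as far as I recall, to the first `JsonMediaTypeFormatter` in the collection, so on every later request it is the previously added Angular formatter that gets removed and a fresh one added. At minimum return early once the formatter is present, e.g. `if (controllerContext.Configuration.Formatters.Any(f => f is AngularJsonMediaTypeFormatter)) return;` before the two Remove calls (this needs `System.Linq`, which I cannot see from this hunk); the cleaner fix is to configure formatters per controller through an `IControllerConfiguration` attribute instead of editing global state at request time.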