File download without the ESAPI library

Posted 2025-01-17 16:08:24, 545 characters, 0 views, 0 comments


I am using ESAPI to download the file (due to security reasons only ESAPI is accepted). So please find my code below.

response.setContentType("application/msexcel");

ESAPI.httpUtilities().addHeader(response, "Content-Disposition", "attachment; filename=testfile.xls");

When I click on download, the downloaded file comes with the proper content, but the file extension and file name are not acceptable.

Example : When I click on the below url : http://localhost:8080/searchTest

Expected file name as per the above case : testfile.xls

Actual file name on download is : searchTest
(where the 'searchTest' is the url)

Could someone help me on how to pass the filename and extension in ESAPI ?

Thanks in advance,
Harry


Comments (1)

蝶…霜飞 2025-01-24 16:08:24


I haven't really looked at this much and it probably doesn't make any difference (at least if you are using a Microsoft browser for testing this), but I think the correct HTTP response header value of Content-Type for downloading .xls Excel files is "application/vnd.ms-excel" and not "application/msexcel". So, I would try that first, just in case. [See https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types for further details about the .xlsx format.]

Secondly, can you confirm that it is indeed ESAPI that is causing this by changing your code to try it without ESAPI; e.g.,

response.addHeader("Content-Disposition", "attachment; filename=testfile.xls");

and retest it. (And technically, since there is no tainted input in your Content-Disposition header, you really don't need ESAPI for this particular case, although that would change if you were to accept a filename provided by the user.) If it still doesn't work without ESAPI, you at least know that it's not ESAPI that is causing it, and that's worth something. Likewise if it is ESAPI causing it.

Lastly, the other thing I would check would be to ensure that you don't have multiple Content-Type or Content-Disposition response headers going back to the user's browser. You can examine that from an intercepting proxy such as OWASP ZAP or PortSwigger's Burp Suite, or by using your browser's built-in developer tools (e.g., F12 in Chrome; not sure what the shortcut is for Firefox). If there are multiple Content-Type headers or Content-Disposition headers that have different values, that could also be causing what you are observing.

Anyhow, let us know what you find out and we can try helping you further.
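The points raised in the answer (the vnd.ms-excel MIME type, not stacking a second Content-Disposition header, and needing ESAPI once the file name comes from the user) combined into one servlet, as an added example that is not code from the question or the answer. It assumes ESAPI 2.x with a configured ESAPI.properties, the javax.servlet API, and that ESAPI.validator().getValidFileName() and ESAPI.httpUtilities().addHeader() are available with the signatures used here; the workbook bytes are a constructed placeholder, and the "name" request parameter is a hypothetical one chosen for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example: sends an .xls download with a validated file name.
public class ExcelDownloadServlet extends HttpServlet {

    // Only .xls may be offered; ESAPI compares the extension against this list.
    private static final List<String> ALLOWED_EXTENSIONS = Arrays.asList(".xls");
    private static final String DEFAULT_NAME = "testfile.xls";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Hypothetical "name" parameter: an optional user-chosen file name.
        // A fixed literal (as in the question) needs no validation; user
        // input does, because it ends up inside a response header.
        String requested = request.getParameter("name");
        String fileName = DEFAULT_NAME;
        if (requested != null && !requested.isEmpty()) {
            try {
                // Canonicalizes, rejects path separators and control characters,
                // and enforces the extension allow-list; throws on bad input.
                fileName = ESAPI.validator().getValidFileName(
                        "download file name", requested, ALLOWED_EXTENSIONS, false);
            } catch (ValidationException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid file name");
                return;
            }
        }

        // Duplicate-header check from the answer: if a filter upstream already
        // set Content-Disposition, fail loudly instead of appending a second,
        // possibly conflicting, value that the browser may resolve unpredictably.
        if (response.containsHeader("Content-Disposition")) {
            throw new ServletException("Content-Disposition already set upstream");
        }

        // MIME type recommended in the answer rather than "application/msexcel".
        response.setContentType("application/vnd.ms-excel");

        // ESAPI validates the header name and value before adding them.
        // Quoting the file name keeps spaces and punctuation inside one token.
        ESAPI.httpUtilities().addHeader(response, "Content-Disposition",
                "attachment; filename=\"" + fileName + "\"");

        byte[] body = workbookBytes();
        response.setContentLength(body.length);
        try (OutputStream out = response.getOutputStream()) {
            out.write(body);
        }
    }

    // Constructed placeholder body; a real servlet would write the workbook here.
    private byte[] workbookBytes() {
        return "placeholder workbook content".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    }
}
```

Requesting /download?name=report.xls yields a file named report.xls; a name such as ../etc/passwd.xls or report.exe is rejected with 400 before any header is written. The containsHeader() check is what surfaces the multiple-header situation the answer suggests looking for in a proxy or the browser's developer tools, at the point where it can be corrected rather than observed after the fact.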
