001/* =========================================================== 002 * JFreeChart : a free chart library for the Java(tm) platform 003 * =========================================================== 004 * 005 * (C) Copyright 2000-2014, by Object Refinery Limited and Contributors. 006 * 007 * Project Info: http://www.jfree.org/jfreechart/index.html 008 * 009 * This library is free software; you can redistribute it and/or modify it 010 * under the terms of the GNU Lesser General Public License as published by 011 * the Free Software Foundation; either version 2.1 of the License, or 012 * (at your option) any later version. 013 * 014 * This library is distributed in the hope that it will be useful, but 015 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 016 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public 017 * License for more details. 018 * 019 * You should have received a copy of the GNU Lesser General Public 020 * License along with this library; if not, write to the Free Software 021 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, 022 * USA. 023 * 024 * [Oracle and Java are registered trademarks of Oracle and/or its affiliates. 025 * Other names may be trademarks of their respective owners.] 026 * 027 * ----------------- 028 * DisplayChart.java 029 * ----------------- 030 * (C) Copyright 2002-2014, by Richard Atkinson and Contributors. 
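*
 * Original Author:  Richard Atkinson;
 * Contributor(s):   David Gilbert (for Object Refinery Limited);
 *
 * Changes
 * -------
 * 19-Aug-2002 : Version 1;
 * 09-Mar-2005 : Added facility to serve up "one time" charts - see
 *               ServletUtilities.java (DG);
 * ------------- JFREECHART 1.0.x ---------------------------------------------
 * 02-Feb-2007 : Removed author tags all over JFreeChart sources (DG);
 * 03-Dec-2011 : Fixed path disclosure vulnerability - see bug 2879650 (DG);
 *
 */

package org.jfree.chart.servlet;

import java.io.File;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet used for streaming charts to the client browser from the temporary
 * directory ({@code java.io.tmpdir}).  You need to add this servlet and
 * mapping to your deployment descriptor (web.xml) in order to get it to
 * work.  The syntax is as follows:
 *
 * <pre>{@code
 * <servlet>
 *     <servlet-name>DisplayChart</servlet-name>
 *     <servlet-class>org.jfree.chart.servlet.DisplayChart</servlet-class>
 * </servlet>
 * <servlet-mapping>
 *     <servlet-name>DisplayChart</servlet-name>
 *     <url-pattern>/servlet/DisplayChart</url-pattern>
 * </servlet-mapping>
 * }</pre>
 *
 * The {@code filename} request parameter is untrusted input.  A file is
 * served only if its name was recorded in the session's {@link ChartDeleter},
 * or starts with {@code "public"}, or starts with the one-time prefix from
 * {@link ServletUtilities#getTempOneTimeFilePrefix()} - AND the resolved file
 * lies inside the temporary directory once both paths are canonicalised.
 * Authorisation is decided before the file system is consulted, so callers
 * cannot probe which files exist in the temporary directory.
 */
public class DisplayChart extends HttpServlet {

    /** Name of the session attribute this servlet reads the per-session
     * {@link ChartDeleter} from. */
    private static final String DELETER_ATTRIBUTE = "JFreeChart_Deleter";

    /** Prefix that marks a chart as readable by every client. */
    private static final String PUBLIC_PREFIX = "public";

    /**
     * Default constructor.
     */
    public DisplayChart() {
        super();
    }

    /**
     * Init method.
     *
     * @throws ServletException never.
     */
    @Override
    public void init() throws ServletException {
        // nothing to do
    }

    /**
     * Streams the chart image named by the {@code filename} request parameter
     * to the client, provided the caller is allowed to read it.  One-time
     * charts are deleted after they have been sent.
     *
     * @param request  the request; must carry a {@code filename} parameter.
     * @param response  the response the image is written to.
     *
     * @throws ServletException if the parameter is missing, names a chart the
     *         caller may not read, resolves outside the temporary directory,
     *         or does not exist as a regular file.
     * @throws IOException if a path cannot be canonicalised or the file cannot
     *         be streamed.
     */
    @Override
    public void service(HttpServletRequest request,
            HttpServletResponse response)
            throws ServletException, IOException {

        HttpSession session = request.getSession();
        String filename = request.getParameter("filename");

        if (filename == null) {
            throw new ServletException("Parameter 'filename' must be supplied");
        }

        // Strip ".." sequences as a first line of defence against directory
        // traversal.  This is a blacklist and is NOT relied upon on its own;
        // the canonical-path containment check below is the real guard.
        filename = ServletUtilities.searchReplace(filename, "..", "");

        // Decide authorisation purely on the (sanitised) name, BEFORE touching
        // the file system.  Doing the existence check first would give an
        // unauthorised caller two distinguishable error messages and thus an
        // oracle for which files exist in the temporary directory.
        boolean isOneTimeChart = filename.startsWith(
                ServletUtilities.getTempOneTimeFilePrefix());
        boolean isChartPublic = filename.startsWith(PUBLIC_PREFIX);
        if (!isOneTimeChart && !isChartPublic
                && !isChartInUserList(session, filename)) {
            throw new ServletException("Chart image not found");
        }

        String tempDirName = System.getProperty("java.io.tmpdir");
        if (tempDirName == null) {
            // Fail closed rather than resolve the name against the working
            // directory, which is what new File(null, child) would do.
            throw new ServletException("Chart image not found");
        }
        File tempDir = new File(tempDirName);
        File file = new File(tempDir, filename);

        // Defence in depth: the resolved file must be strictly inside the
        // temporary directory.  A deliberately generic message avoids telling
        // the caller that a traversal attempt was detected.
        if (!isInsideDirectory(tempDir, file)) {
            throw new ServletException("Chart image not found");
        }

        // Only regular files are served; a directory would fail later inside
        // sendTempFile with a less helpful error.  The echoed name has already
        // passed the authorisation patterns above; the servlet container is
        // expected to escape exception messages in its error page.
        if (!file.isFile()) {
            throw new ServletException(
                    "Unable to display the chart with the filename '"
                    + filename + "'.");
        }

        ServletUtilities.sendTempFile(file, response);
        if (isOneTimeChart) {
            // One-time charts are removed after their first download.  A
            // failed delete is not an error for the client; the file simply
            // stays in the temporary directory.
            file.delete();
        }
    }

    /**
     * Returns {@code true} if the chart named {@code filename} is listed in
     * the {@link ChartDeleter} stored in the caller's session - i.e. it was
     * created for this session (presumably by ServletUtilities; the writer of
     * the attribute is not visible from this file).
     *
     * @param session  the caller's session ({@code null} not permitted).
     * @param filename  the sanitised chart file name.
     *
     * @return {@code true} if a deleter is present and lists the file.
     */
    private static boolean isChartInUserList(HttpSession session,
            String filename) {
        ChartDeleter chartDeleter
                = (ChartDeleter) session.getAttribute(DELETER_ATTRIBUTE);
        return chartDeleter != null && chartDeleter.isChartAvailable(filename);
    }

    /**
     * Checks that {@code candidate} resolves to a location strictly below
     * {@code baseDir} once both paths are canonicalised.  Canonicalisation
     * resolves {@code "."} / {@code ".."} segments and symbolic links, so the
     * check is not fooled by encodings the ".." blacklist misses or by a link
     * in the temporary directory pointing elsewhere.  The directory itself is
     * rejected.
     *
     * @param baseDir  the directory that must contain the file.
     * @param candidate  the file to check.
     *
     * @return {@code true} if the canonical path of {@code candidate} starts
     *         with the canonical path of {@code baseDir} plus a separator.
     *
     * @throws IOException if either path cannot be canonicalised.
     */
    static boolean isInsideDirectory(File baseDir, File candidate)
            throws IOException {
        String base = baseDir.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            // Ensures "/tmp" does not match "/tmpevil/..."
            base = base + File.separator;
        }
        return candidate.getCanonicalPath().startsWith(base);
    }

}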