From: Markus Koschany <apo@debian.org>
Date: Sat, 27 Sep 2025 15:27:12 +0200
Subject: CVE-2024-47880
Origin: https://github.com/OpenRefine/OpenRefine/commit/fbf94fe3f001d6e2aa02e890930cf1affb0847b0
Bug-Debian: https://bugs.debian.org/1086041
---
.../google/refine/commands/project/ExportRowsCommand.java | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/main/src/com/google/refine/commands/project/ExportRowsCommand.java b/main/src/com/google/refine/commands/project/ExportRowsCommand.java
index 1912078..78d1f13 100644
--- a/main/src/com/google/refine/commands/project/ExportRowsCommand.java
+++ b/main/src/com/google/refine/commands/project/ExportRowsCommand.java
@@ -64,7 +64,8 @@ public class ExportRowsCommand extends Command {
private static final Logger logger = LoggerFactory.getLogger("ExportRowsCommand");
/**
- * This command uses POST but is left CSRF-unprotected as it does not incur a state change.
+ * This command uses POST but is left CSRF-unprotected as it does not incur a state change. TODO: add CSRF
+ * protection anyway, as it does not cost much and could still have prevented an XSS vulnerability
*/
@SuppressWarnings("unchecked")
@@ -96,11 +97,10 @@ public class ExportRowsCommand extends Command {
exporter = new CsvExporter('\t');
}
- String contentType = params.getProperty("contentType");
- if (contentType == null) {
- contentType = exporter.getContentType();
- }
- response.setHeader("Content-Type", contentType);
+
+ response.setHeader("Content-Type", exporter.getContentType());
+ // in case the content-type is text/html, to avoid XSS attacks
+ response.setHeader("Content-Security-Policy", "script-src 'none'; connect-src 'none'");
String preview = params.getProperty("preview");
if (!"true".equals(preview)) {