19 package org.mycore.frontend.export;
20
21 import org.apache.logging.log4j.LogManager;
22 import org.apache.logging.log4j.Logger;
23 import org.mycore.common.content.MCRContent;
24 import org.mycore.common.content.transformer.MCRContentTransformer;
25 import org.mycore.frontend.basket.MCRBasket;
26 import org.mycore.frontend.basket.MCRBasketManager;
27 import org.mycore.frontend.servlets.MCRServlet;
28 import org.mycore.frontend.servlets.MCRServletJob;
29
30 import jakarta.servlet.http.HttpServletRequest;
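/**
 * Servlet that assembles an export collection from a basket and/or a list of URIs and
 * hands the resulting content to the layout service together with a caller-selected
 * transformer ID.
 *
 * <p>Request parameters read by this class:
 * <ul>
 * <li>{@code basket} - ID passed to {@link MCRBasketManager#getOrCreateBasketInSession}</li>
 * <li>{@code uri} - one or more URIs to add to the collection; may be repeated</li>
 * <li>{@code root}, {@code ns} - optional root element name and namespace of the collection</li>
 * <li>{@code filename} - optional name used in the {@code Content-Disposition} header</li>
 * <li>{@code transformer} - ID forwarded as the {@code XSL.Transformer} request attribute</li>
 * </ul>
 *
 * <p>All of these values arrive with the HTTP request and are treated as untrusted.
 */
public class MCRExportServlet extends MCRServlet {

    private static final Logger LOGGER = LogManager.getLogger(MCRExportServlet.class);

    /**
     * URI prefixes that must not be exported through this servlet. This is a deny-list:
     * any URI that does not start with one of these prefixes is accepted by
     * {@link #isAllowed(String)}.
     * NOTE(review): an allow-list of the schemes that are meant to be exportable would fail
     * closed when new resolver schemes are introduced - consider switching.
     */
    private static final String[] FORBIDDEN_URIS = { "file", "webapp", "resource" };

    /**
     * Builds the export collection from the request, sets the download file name and
     * delegates rendering to the layout service.
     *
     * @param job the servlet job carrying the request and the response
     * @throws Exception if building the collection or the layout step fails
     */
    @Override
    public void doGetPost(MCRServletJob job) throws Exception {
        HttpServletRequest req = job.getRequest();
        MCRExportCollection collection = createCollection(req);
        fillCollection(req, collection);
        MCRContent content2export = collection.getContent();

        // The file name is taken from the request and ends up inside a quoted header
        // parameter, so it is neutralised before it is concatenated into the header value.
        String filename = sanitizeFilename(getProperty(req, "filename"));
        if (filename == null) {
            filename = "export-" + System.currentTimeMillis();
        }
        job.getResponse().setHeader("Content-Disposition", "inline;filename=\"" + filename + "\"");

        // NOTE(review): the transformer ID is request-controlled; presumably it is resolved
        // against configured transformers only - confirm in the layout service.
        String transformerID = req.getParameter("transformer");
        req.setAttribute("XSL.Transformer", transformerID);
        getLayoutService().doLayout(req, job.getResponse(), content2export);
    }

    /**
     * Makes a request-supplied file name safe for use inside the quoted {@code filename}
     * parameter of a {@code Content-Disposition} header.
     *
     * <p>Control characters (including CR and LF), double quotes and backslashes are replaced
     * by an underscore so the value can neither terminate the quoted string nor start a new
     * header line.
     *
     * @param requested the file name as received, may be {@code null}
     * @return the neutralised name, or {@code null} if none was given or nothing usable remains
     */
    private static String sanitizeFilename(String requested) {
        if (requested == null) {
            return null;
        }
        StringBuilder safe = new StringBuilder(requested.length());
        for (int i = 0; i < requested.length(); i++) {
            char c = requested.charAt(i);
            boolean unsafe = Character.isISOControl(c) || c == '"' || c == '\\';
            safe.append(unsafe ? '_' : c);
        }
        String result = safe.toString().trim();
        return result.isEmpty() ? null : result;
    }

    /**
     * Adds the basket named by the {@code basket} parameter and every permitted {@code uri}
     * parameter value to the collection.
     *
     * @param req the current request
     * @param collection the collection to fill
     * @throws Exception if adding a basket or URI to the collection fails
     */
    private void fillCollection(HttpServletRequest req, MCRExportCollection collection) throws Exception {
        String basketID = req.getParameter("basket");
        if (basketID != null) {
            MCRBasket basket = MCRBasketManager.getOrCreateBasketInSession(basketID);
            collection.add(basket);
            // NOTE(review): request values are logged as received; make sure the log layout
            // encodes line breaks so entries cannot be forged.
            LOGGER.info("exporting basket {} via {}", basketID, req.getParameter("transformer"));
        }

        String[] uris = req.getParameterValues("uri");
        if (uris != null) {
            for (String uri : uris) {
                // Rejected URIs are skipped silently for the client; isAllowed logs them.
                if (isAllowed(uri)) {
                    collection.add(uri);
                    LOGGER.info("exporting {} via {}", uri, req.getParameter("transformer"));
                }
            }
        }
    }

    /**
     * Checks a request-supplied URI against {@link #FORBIDDEN_URIS}.
     *
     * <p>The comparison ignores case and surrounding whitespace. How the URI resolver
     * behind {@code MCRExportCollection.add} treats case and whitespace is not visible in
     * this class, so the check is deliberately the stricter reading: {@code FILE:...} and
     * {@code " file:..."} are rejected just like {@code file:...}.
     *
     * @param uri the URI as received from the request
     * @return {@code false} if the URI starts with a forbidden prefix, {@code true} otherwise
     */
    private boolean isAllowed(String uri) {
        String candidate = uri.trim();
        for (String prefix : FORBIDDEN_URIS) {
            if (candidate.regionMatches(true, 0, prefix, 0, prefix.length())) {
                LOGGER.warn("URI {} is not allowed for security reasons", uri);
                return false;
            }
        }
        return true;
    }

    /**
     * Creates an empty export collection and, if the {@code root} parameter is present and
     * non-empty, sets its root element from the {@code root} and {@code ns} parameters.
     *
     * @param req the current request
     * @return the new collection
     */
    private MCRExportCollection createCollection(HttpServletRequest req) {
        MCRExportCollection collection = new MCRExportCollection();
        String root = req.getParameter("root");
        String ns = req.getParameter("ns");
        // ns is passed through as received and may be null.
        if (root != null && !root.isEmpty()) {
            collection.setRootElement(root, ns);
        }
        return collection;
    }
}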