| -rw-r--r-- | pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java | 85 | 
1 files changed, 72 insertions, 13 deletions
| diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java index 462c1bc8..696a3dc1 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java 
@@ -23,50 +23,109 @@   ******************************************************************************/  package at.gv.egiz.pdfas.web.helper; +import java.io.IOException;  import java.io.InputStream;  import java.net.MalformedURLException;  import java.net.URL; +import java.net.URLConnection; +import org.apache.commons.io.IOUtils;  import org.slf4j.Logger;  import org.slf4j.LoggerFactory;  import at.gv.egiz.pdfas.common.utils.StreamUtils;  import at.gv.egiz.pdfas.web.config.WebConfiguration;  import at.gv.egiz.pdfas.web.exception.PdfAsWebException; +import iaik.utils.URLDecoder;  public class RemotePDFFetcher { -	private static final Logger logger = LoggerFactory -			.getLogger(RemotePDFFetcher.class); +	private static final Logger logger = LoggerFactory.getLogger(RemotePDFFetcher.class); + +	public static String[] extractSensitiveInformationFromURL(String pdfURL) throws IOException { +		if (pdfURL.contains("@")) { +			String lowerURL = pdfURL.toLowerCase(); +			int startIndex = 0; +			int atIndex = pdfURL.indexOf("@"); + +			startIndex = lowerURL.indexOf("https://"); + +			if (startIndex >= 0) { +				startIndex = startIndex + "https://".length(); +			} else { +				startIndex = lowerURL.indexOf("http://"); +				if (startIndex >= 0) { +					startIndex = startIndex + "http://".length(); +				} +			} + +			if (startIndex < 0) { +				throw new MalformedURLException("Username/Password Part found, but no scheme found"); +			} + +			if (atIndex < 0) { +				throw new MalformedURLException("@ Part found, but index not found"); +			} + +			String usernamePasswordPart = pdfURL.substring(startIndex, atIndex); +			 +			pdfURL = pdfURL.substring(0, startIndex) + pdfURL.substring(atIndex + 1); +			 +			logger.debug("Modified URL: {}", pdfURL); +			 +			String[] usernamePassword = usernamePasswordPart.split(":"); +			 +			if(usernamePassword.length == 2) { +				return new String[] { pdfURL, URLDecoder.decode(usernamePassword[0]),  +						URLDecoder.decode(usernamePassword[1]) }; +		
	} else { +				throw new MalformedURLException("Wrong or empty username/password part"); +			} +		} else { +			return new String[] { pdfURL }; +		} +	}  	public static byte[] fetchPdfFile(String pdfURL) throws PdfAsWebException {  		URL url; +		String[] fetchInfos;  		try { -			url = new URL(pdfURL); +			fetchInfos = extractSensitiveInformationFromURL(pdfURL); +			url = new URL(fetchInfos[0]);  		} catch (MalformedURLException e) {  			logger.warn("Not a valid URL!", e);  			throw new PdfAsWebException("Not a valid URL!", e); +		} catch (IOException e) { +			logger.warn("Not a valid URL!", e); +			throw new PdfAsWebException("Not a valid URL!", e);  		}  		if (WebConfiguration.isProvidePdfURLinWhitelist(url.toExternalForm())) { -			if (url.getProtocol().equals("http") -					|| url.getProtocol().equals("https")) { - +			if (url.getProtocol().equals("http") || url.getProtocol().equals("https")) { +				URLConnection uc = null; +				InputStream is = null;  				try { -					InputStream is = url.openStream(); +					uc = url.openConnection(); +					 +					if(fetchInfos.length == 3) { +					    String userpass = fetchInfos[1] + ":" + fetchInfos[2]; +					    String basicAuth = "Basic " + javax.xml.bind.DatatypeConverter.printBase64Binary(userpass.getBytes("UTF-8")); +					    uc.setRequestProperty("Authorization", basicAuth); +					} +					 +					is = uc.getInputStream();  					return StreamUtils.inputStreamToByteArray(is);  				} catch (Exception e) {  					logger.warn("Failed to fetch pdf document!", e); -					throw new PdfAsWebException( -							"Failed to fetch pdf document!", e); +					throw new PdfAsWebException("Failed to fetch pdf document!", e); +				} finally { +					IOUtils.closeQuietly(is);  				}  			} else {  				throw new PdfAsWebException( -						"Failed to fetch pdf document protocol " -								+ url.getProtocol() + " is not supported"); +						"Failed to fetch pdf document protocol " + url.getProtocol() + " is not supported");  			}  		} else { -			throw 
new PdfAsWebException( -					"Failed to fetch pdf document " + url.toExternalForm() + " is not allowed"); +			throw new PdfAsWebException("Failed to fetch pdf document " + url.toExternalForm() + " is not allowed");  		}  	}  } | 
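Review bot: `extractSensitiveInformationFromURL` treats the first `@` anywhere in the string as the end of the credentials, so a URL with `@` in its path or query is sliced in the wrong place. When that `@` comes before the scheme, `substring(startIndex, atIndex)` throws a StringIndexOutOfBoundsException that neither catch clause in `fetchPdfFile` handles. Letting `java.net.URL` locate the authority and reading `getUserInfo()` keeps the string passed to `isProvidePdfURLinWhitelist` consistent with the host that actually receives the header. The `Authorization: Basic` header is also set on the `http` branch, where it travels in cleartext; the rewrite below accepts credentials only for `https`. Separately, `javax.xml.bind.DatatypeConverter` could give way to `java.util.Base64`, assuming the build targets Java 8 or later.

```java
public static String[] extractSensitiveInformationFromURL(String pdfURL) throws IOException {
	// Let java.net.URL find the authority, so an "@" in the path or query is never taken for credentials.
	URL parsed = new URL(pdfURL);
	String userInfo = parsed.getUserInfo();
	if (userInfo == null) {
		return new String[] { pdfURL };
	}
	// Basic credentials are only base64-encoded; refuse to send them over plain http.
	if (!"https".equalsIgnoreCase(parsed.getProtocol())) {
		throw new MalformedURLException("Username/Password Part is only accepted for https URLs");
	}
	String[] usernamePassword = userInfo.split(":");
	if (usernamePassword.length != 2) {
		throw new MalformedURLException("Wrong or empty username/password part");
	}
	// The userinfo sits in the authority, so its first occurrence is the one the parser matched.
	int userInfoIndex = pdfURL.indexOf(userInfo + "@");
	String strippedURL = pdfURL.substring(0, userInfoIndex)
			+ pdfURL.substring(userInfoIndex + userInfo.length() + 1);
	logger.debug("Modified URL: {}", strippedURL);
	return new String[] { strippedURL, URLDecoder.decode(usernamePassword[0]),
			URLDecoder.decode(usernamePassword[1]) };
}
```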
