From 9897aa376effc9335f137b83020fe02501be689c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ricardo=20Mart=C3=ADn?=
Date: Wed, 8 Jun 2016 12:08:32 +0200
Subject: [PATCH] Fix Reflected XSS attack. exploit: https://test.com/waveMakerService.download?method=echo&contents=%3Cscript%3Ealert%28%29%3C/script%3E&contentType=text/html&fileName[]=

---
 .../runtime/service/WaveMakerService.java | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/wavemaker/wavemaker-runtime/src/main/java/com/wavemaker/runtime/service/WaveMakerService.java b/wavemaker/wavemaker-runtime/src/main/java/com/wavemaker/runtime/service/WaveMakerService.java
index 47e183b54c..e76ed2fcb4 100644
--- a/wavemaker/wavemaker-runtime/src/main/java/com/wavemaker/runtime/service/WaveMakerService.java
+++ b/wavemaker/wavemaker-runtime/src/main/java/com/wavemaker/runtime/service/WaveMakerService.java
@@ -134,14 +134,18 @@ public String getSessionId() {
 }
 
 public DownloadResponse echo(String contents, String contentType, String fileName) {
- InputStream is;
- try {
- is = new ByteArrayInputStream(contents.getBytes("UTF-8"));
- } catch (UnsupportedEncodingException e) {
- throw new WMRuntimeException(e);
- }
- return new DownloadResponse(is, contentType, fileName);
- }
+ DownloadResponse rv = null;
+ if (fileName != null) {
+ InputStream is;
+ try {
+ is = new ByteArrayInputStream(contents.getBytes("UTF-8"));
+ } catch (final UnsupportedEncodingException e) {
+ throw new WMRuntimeException(e);
+ }
+ rv = new DownloadResponse(is, contentType, fileName);
+ }
+ return rv;
+ }
 
 /*
 * Forward a request to a remote service
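Review bot: The guard `if (fileName != null)` on the new side still admits an empty `fileName=` and turns a missing name into a silently returned `null` instead of an error; prefer `if (fileName == null || fileName.isEmpty()) { throw new IllegalArgumentException("fileName is required"); }` so whatever calls echo (outside this hunk) can never hand a null response to the download path. The fix appears to rely on a present file name making DownloadResponse serve the body as an attachment rather than inline — that behaviour lives in DownloadResponse, not in this hunk, so it should be confirmed there and stated in a Javadoc on echo, since contentType remains entirely caller-controlled and the inline-rendering risk is only as good as that disposition logic. Separately, `contents.getBytes(StandardCharsets.UTF_8)` would remove the UnsupportedEncodingException try/catch altogether.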