Class DefaultAttachmentSafeContentHeaderGuesser

    • Constructor Detail

      • DefaultAttachmentSafeContentHeaderGuesser

        public DefaultAttachmentSafeContentHeaderGuesser()
    • Method Detail

      • computeAttachmentHeaders

        public Map<String,​String> computeAttachmentHeaders​(String contentType,
                                                                 InputStream contents,
                                                                 String name,
                                                                 String userAgent,
                                                                 long contentLength,
                                                                 boolean hasXsrfToken,
                                                                 Map<String,​String[]> httpQueryParams)
                                                          throws IOException
        Description copied from interface: SafeContentHeaderGuesser
        Returns a map of headers with their values. One of these headers _must_ be 'Content-Type'.

        The purpose of this method is to guess a safe content type header (and associated content-disposition headers), so that it is difficult to perform xss using attachments.

        Specified by:
        computeAttachmentHeaders in interface SafeContentHeaderGuesser
        contentType - the existing content-type that the attachment has.
        contents - attachment contents
        name - the filename of the attachment
        userAgent - the user agent of the client requesting the attachment
        contentLength - the length of the attachment
        httpQueryParams - a map of the http query parameters
        a map of http headers to their values. It will contain at least one entry with key 'Content-Type'.
        IOException - if the attachments contents could not be read
      • setContentTypeAndDispositionHeaderBlacklist

        public void setContentTypeAndDispositionHeaderBlacklist​(com.atlassian.http.mime.ContentDispositionHeaderGuesser contentTypeAndDispositionHeaderBlacklist)