Class DefaultAttachmentSafeContentHeaderGuesser

    • Constructor Detail

      • DefaultAttachmentSafeContentHeaderGuesser

        public DefaultAttachmentSafeContentHeaderGuesser()
    • Method Detail

      • computeAttachmentHeaders

        public Map<String,String> computeAttachmentHeaders(String contentType,
                                                           InputStream contents,
                                                           String name,
                                                           String userAgent,
                                                           long contentLength,
                                                           boolean hasXsrfToken,
                                                           Map<String,String[]> httpQueryParams)
                                                    throws IOException
        Description copied from interface: SafeContentHeaderGuesser
        Returns a map of headers with their values. One of these headers _must_ be 'Content-Type'.

        The purpose of this method is to guess a safe Content-Type header (and the associated Content-Disposition headers), so that it is difficult to perform XSS using attachments.

        Specified by:
        computeAttachmentHeaders in interface SafeContentHeaderGuesser
        Parameters:
        contentType - the existing Content-Type of the attachment.
        contents - attachment contents
        name - the filename of the attachment
        userAgent - the user agent of the client requesting the attachment
        contentLength - the length of the attachment
        httpQueryParams - a map of the http query parameters
        Returns:
        a map of http headers to their values. It will contain at least one entry with key 'Content-Type'.
        Throws:
        IOException - if the attachment's contents could not be read
      • setContentTypeAndDispositionHeaderBlacklist

        public void setContentTypeAndDispositionHeaderBlacklist(com.atlassian.http.mime.ContentDispositionHeaderGuesser contentTypeAndDispositionHeaderBlacklist)
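The contract computeAttachmentHeaders describes, worked through as an added Python example (not Confluence's code and not the logic of DefaultAttachmentSafeContentHeaderGuesser): it takes the same inputs the signature names (content type, contents, filename, user agent) and always returns a Content-Type. The type lists, the markup heuristic and the legacy-MSIE rule are assumptions chosen for illustration.

```python
import re
from typing import Dict

# Content types a browser executes or renders as active content when shown inline.
# Constructed for this illustration; a real guesser would make this configurable.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}
# Types that render passively and are reasonable to show inline.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain"}

# Markers that make a body look like HTML/SVG to a sniffing browser (illustrative list).
MARKUP_RE = re.compile(rb"<\s*(?:!doctype|html|script|svg|iframe|body|meta)", re.IGNORECASE)

def safe_filename(name: str) -> str:
    """Keep only word characters, dots and dashes so the name cannot inject
    CR/LF or quotes into the Content-Disposition header."""
    return re.sub(r"[^\w.\-]", "_", name) or "attachment"

def compute_attachment_headers(content_type: str, contents: bytes,
                               name: str, user_agent: str) -> Dict[str, str]:
    """Return the response headers to serve an attachment with.
    Illustrative policy (an assumption of this example, not the library's):
      * always send X-Content-Type-Options: nosniff;
      * active types are downgraded to application/octet-stream and forced to download;
      * unknown types keep their declared type but are forced to download;
      * passive types may render inline, except that a body that looks like markup
        is forced to download for legacy MSIE clients, which sniff bodies regardless
        of the declared type.
    The result always contains a Content-Type entry, as the interface requires.
    """
    ctype = (content_type or "application/octet-stream").split(";")[0].strip().lower()
    looks_like_markup = MARKUP_RE.search(contents[:1024]) is not None
    legacy_ie = "MSIE" in user_agent

    if ctype in ACTIVE_TYPES:
        served_type, download = "application/octet-stream", True
    elif ctype in INLINE_SAFE_TYPES:
        served_type, download = ctype, looks_like_markup and legacy_ie
    else:
        served_type, download = ctype, True

    disposition = "attachment" if download else "inline"
    return {
        "Content-Type": served_type,
        "Content-Disposition": f'{disposition}; filename="{safe_filename(name)}"',
        "X-Content-Type-Options": "nosniff",
    }
```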