Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

com.atlassian.jira.web.util
Class HostileAttachmentsHelper

java.lang.Object
  extended by com.atlassian.jira.web.util.HostileAttachmentsHelper
All Implemented Interfaces:
Serializable
public class HostileAttachmentsHelper
extends Object
implements Serializable

A tool for loading and encapsulating the local policy for which MIME Content Types and file extensions may contain active executable client-side content and which therefore should be treated carefully to avoid XSS attacks via uploading these files as attachments. Browsers use Content-Type headers and file extensions to decide whether to attempt to execute a file in a client context. Examples include javascript in html and ActionScript in .swf (Flash) binaries. Since these runtimes have access to the client-side state of the browser, they represent a potential means to steal session cookie contents and other XSS attacks.

Since:
v3.13
See Also:
Serialized Form

Field Summary
static String DELIMITER_REGEX
          File extensions and content types in the config file are parsed from a list of items delimited by this regex.
 
Constructor Summary
HostileAttachmentsHelper()
           
 
Method Summary
 boolean isExecutableContentType(String contentType)
          Determines if the given String is a MIME Content Type denoting client-executable active content such that if the browser opens the file, its execution could have access to the browser DOM etc.
 boolean isExecutableFileExtension(String name)
          Determines if the given String has an extension denoting a client-executable active content type such that if the browser opens the file, its execution could have access to the browser DOM etc.
 void loadConfiguration()
          Loads the configuration of what are executable file extensions and content types from the default configuration file, CONFIG_FILE.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DELIMITER_REGEX

public static final String DELIMITER_REGEX
File extensions and content types in the config file are parsed from a list of items delimited by this regex.

See Also:
Constant Field Values
Constructor Detail

HostileAttachmentsHelper

public HostileAttachmentsHelper()
Method Detail

loadConfiguration

public void loadConfiguration()
                       throws IOException
Loads the configuration of what are executable file extensions and content types from the default configuration file, CONFIG_FILE.

Throws:
IOException - if there is a problem loading from the default configuration file.

isExecutableFileExtension

public boolean isExecutableFileExtension(String name)
Determines if the given String has an extension denoting a client-executable active content type such that if the browser opens the file, its execution could have access to the browser DOM etc. Examples include .html, .svg and .swf. Note the check is case insensitive.

Parameters:
name - the file name.
Returns:
true only if the name has one of the configured extensions.

isExecutableContentType

public boolean isExecutableContentType(String contentType)
Determines if the given String is a MIME Content Type denoting client-executable active content such that if the browser opens the file, its execution could have access to the browser DOM etc. E.g. text/html Note the check is case insensitive.

Parameters:
contentType - the MIME Content Type string.
Returns:
true only if the given contentType is one of the configured executable Content Types.
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2002-2009 Atlassian. All Rights Reserved.