java.lang.Object
  com.atlassian.jira.web.util.HostileAttachmentsHelper

public class HostileAttachmentsHelper
A tool for loading and encapsulating the local policy for which MIME Content Types and file extensions may contain active, executable client-side content and which therefore should be treated carefully to avoid XSS attacks via uploading these files as attachments. Browsers use Content-Type headers and file extensions to decide whether to attempt to execute a file in a client context. Examples include JavaScript in HTML and ActionScript in .swf (Flash) binaries. Since these runtimes have access to the client-side state of the browser, they represent a potential means of stealing session cookie contents and of mounting other XSS attacks.
Field Summary

| Modifier and Type | Field and Description |
|---|---|
| static String | DELIMITER_REGEX — File extensions and content types in the config file are parsed from a list of items delimited by this regex. |
Constructor Summary

| Constructor and Description |
|---|
| HostileAttachmentsHelper() |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| boolean | isExecutableContentType(String contentType) — Determines if the given String is a MIME Content Type denoting client-executable active content, such that if the browser opens the file, its execution could gain access to the browser DOM and other client-side state. |
| boolean | isExecutableFileExtension(String name) — Determines if the given String has an extension denoting a client-executable active content type, such that if the browser opens the file, its execution could gain access to the browser DOM and other client-side state. |
| void | loadConfiguration() — Loads the configuration of which file extensions and content types are executable from the default configuration file, CONFIG_FILE. |
Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

public static final String DELIMITER_REGEX

Constructor Detail

public HostileAttachmentsHelper()

Method Detail
public void loadConfiguration() throws IOException

Loads the configuration of which file extensions and content types are executable from the default configuration file, CONFIG_FILE.

Throws:
IOException - if there is a problem loading from the default configuration file.

public boolean isExecutableFileExtension(String name)

Determines if the given String has an extension denoting a client-executable active content type, such that if the browser opens the file, its execution could gain access to the browser DOM and other client-side state.

Parameters:
name - the file name.

public boolean isExecutableContentType(String contentType)

Determines if the given String is a MIME Content Type denoting client-executable active content, such that if the browser opens the file, its execution could gain access to the browser DOM and other client-side state.

Parameters:
contentType - the MIME Content Type string.
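The following is an added illustrative stand-in for the two checks documented above; it is not Jira's code. The delimiter regex, the sample policy lists and the class name `HostileAttachmentsCheck` are assumptions for the example, since the real default configuration is not on this page. It shows the normalisation a defender needs before comparing against the policy: content-type parameters such as `; charset=` are stripped, and the extension is taken from the last dot of the last path segment, case-insensitively.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Illustrative stand-in for HostileAttachmentsHelper; not Jira's code. */
public final class HostileAttachmentsCheck {
    // Matches the Javadoc: list items in the config are split by a delimiter regex (assumed value).
    static final String DELIMITER_REGEX = "[\\s,]+";

    // Constructed sample policy lines, in the shape a config file might hold. Jira's real
    // default list is not on this page, so these values are assumptions for the example.
    static final String SAMPLE_CONTENT_TYPES =
            "text/html, application/xhtml+xml, application/x-shockwave-flash, image/svg+xml";
    static final String SAMPLE_EXTENSIONS = "html htm xhtml swf svg";

    private final Set<String> contentTypes;
    private final Set<String> extensions;

    HostileAttachmentsCheck(String contentTypeList, String extensionList) {
        contentTypes = parseList(contentTypeList);
        extensions = parseList(extensionList);
    }

    /** Splits a delimited list and lower-cases items so comparisons are case-insensitive. */
    static Set<String> parseList(String list) {
        Set<String> out = new HashSet<>();
        for (String item : list.trim().split(DELIMITER_REGEX)) {
            if (!item.isEmpty()) out.add(item.toLowerCase(Locale.ROOT));
        }
        return Collections.unmodifiableSet(out);
    }

    /** Compares only the media type: "text/html; charset=utf-8" must still count as text/html. */
    boolean isExecutableContentType(String contentType) {
        if (contentType == null) return false;
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return contentTypes.contains(mediaType);
    }

    /** Uses the last dot of the last path segment, so "report.txt.HTML" and "a/b.svg" are caught. */
    boolean isExecutableFileExtension(String name) {
        if (name == null) return false;
        String base = name.substring(Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\')) + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return false; // no extension or trailing dot
        return extensions.contains(base.substring(dot + 1).toLowerCase(Locale.ROOT));
    }
}
```

With the sample policy, `isExecutableContentType("TEXT/HTML; charset=utf-8")` and `isExecutableFileExtension("report.txt.HTML")` both return true, while `"text/plain"` and `"report.txt"` return false.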