com.atlassian.jira.web.util
Class Ie6MimeSniffer

java.lang.Object
  extended by com.atlassian.jira.web.util.Ie6MimeSniffer

public class Ie6MimeSniffer
extends Object

Emulates Internet Explorer MIME type sniffing behaviour to predict the MIME override that IE will do to files. Of interest are those files which will be detected as HTML and then loaded as such (regardless of MIME type headers sent by the server) resulting in a potential XSS attack vector in the case of files originating from other end users (like attachments). See http://jira.atlassian.com/browse/JRA-10862

Note that this implementation is based on apparent IE behaviour and research but as there is no spec, is an approximation only. Strict security measures should not rely on this emulation since IE will reliably force users to decide when files are accompanied with a "Content-Disposition" header of "attachment".

Since:
v3.13

Field Summary
static int MAX_BYTES_TO_SNIFF
          IE only sniffs the first 256 bytes
 
Constructor Summary
Ie6MimeSniffer()
          Creates a MIME sniffer which replicates behaviour of Internet Explorer 6 and above.
Ie6MimeSniffer(int maximumBytesToCheck)
          Creates a MIME sniffer which replicates behaviour of Internet Explorer 6 and above.
 
Method Summary
 boolean smellsLikeHtml(byte[] fileContents)
          Returns true if any known version of Internet Explorer will, when given a file which begins with the given bytes, detect an HTML mime type based on its contents.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

MAX_BYTES_TO_SNIFF

public static final int MAX_BYTES_TO_SNIFF
IE only sniffs the first 256 bytes

See Also:
Constant Field Values
Constructor Detail

Ie6MimeSniffer

public Ie6MimeSniffer()
Creates a MIME sniffer which replicates behaviour of Internet Explorer 6 and above. Note that this constructor will cause the sniffer to check the first MAX_BYTES_TO_SNIFF bytes only which seems to be what IE does.


Ie6MimeSniffer

public Ie6MimeSniffer(int maximumBytesToCheck)
Creates a MIME sniffer which replicates behaviour of Internet Explorer 6 and above. Note that specifying all bytes as a maximum to check will temporarily require a duplicate of the bytes in memory when performing the check.

Parameters:
maximumBytesToCheck - the number of bytes to sniff use -1 to indicate all bytes.
Method Detail

smellsLikeHtml

public boolean smellsLikeHtml(byte[] fileContents)
Returns true if any known version of Internet Explorer will, when given a file which begins with the given bytes, detect an HTML mime type based on its contents. Note that later versions are smarter and will not detect certain files as being html but in IE 7 this appears to depend on the given file extension and so cannot be trusted.

Parameters:
fileContents - the bytes of the file to sniff, only the configured number of bytes is sniffed.
Returns:
true only if any of the configured versions of IE would sniff the MIME type as text/html.


Copyright © 2002-2011 Atlassian. All Rights Reserved.