Package com.atlassian.jira.web.util
Class HostileAttachmentsHelper
java.lang.Object
  com.atlassian.jira.web.util.HostileAttachmentsHelper
- All Implemented Interfaces:
  - Serializable
public class HostileAttachmentsHelper extends Object implements Serializable
A tool for loading and encapsulating the local policy for which MIME Content Types and file extensions may contain
active, client-side executable content, and which therefore should be treated carefully to avoid XSS attacks carried
out by uploading such files as attachments.
Browsers use Content-Type headers and file extensions to decide whether to attempt to execute a file in a client
context. Examples include JavaScript in HTML and ActionScript in .swf (Flash) binaries. Since these runtimes have
access to the client-side state of the browser, they represent a potential means to steal session cookie contents or
to mount other XSS attacks.
- Since:
- v3.13
- See Also:
- Serialized Form
Field Summary
- static String DELIMITER_REGEX
  File extensions and content types in the config file are parsed from a list of items delimited by this regex.
Method Summary
- boolean isExecutableContentType(String contentType)
  Determines if the given String is a MIME Content Type denoting client-executable active content such that if the
  browser opens the file, its execution could have access to the browser DOM etc.
- boolean isExecutableFileExtension(String name)
  Determines if the given String has an extension denoting a client-executable active content type such that if the
  browser opens the file, its execution could have access to the browser DOM etc.
Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
DELIMITER_REGEX
public static final String DELIMITER_REGEX
- File extensions and content types in the config file are parsed from a list of items delimited by this regex.
- See Also:
  - Constant Field Values
Constructor Detail
HostileAttachmentsHelper
public HostileAttachmentsHelper()
Method Detail
isExecutableFileExtension
public boolean isExecutableFileExtension(String name)
- Determines if the given String has an extension denoting a client-executable active content type such that if the
  browser opens the file, its execution could have access to the browser DOM etc. Examples include .html, .svg and
  .swf. Note that the check is case-insensitive.
- Parameters:
name
- the file name.
- Returns:
- true only if the name has one of the configured extensions.
isExecutableContentType
public boolean isExecutableContentType(String contentType)
- Determines if the given String is a MIME Content Type denoting client-executable active content such that if the
  browser opens the file, its execution could have access to the browser DOM etc., for example text/html. Note that
  the check is case-insensitive.
- Parameters:
contentType
- the MIME Content Type string.
- Returns:
- true only if the given contentType is one of the configured executable Content Types.
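One way a consumer of this class might apply both checks when serving a stored attachment, shown as an added
example rather than Jira's own code: it assumes the no-arg constructor above loads the local policy, uses the Servlet
API's HttpServletResponse, and the forced-download handling (the hypothetical SafeAttachmentResponse class) is an
illustration of the mitigation this policy is meant to support.

```java
import com.atlassian.jira.web.util.HostileAttachmentsHelper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added illustration (not part of Jira): decide how to serve an attachment
 * based on the helper's executable-content checks.
 */
public class SafeAttachmentResponse {

    // Assumption: the no-arg constructor loads the locally configured policy.
    private final HostileAttachmentsHelper hostile = new HostileAttachmentsHelper();

    /**
     * True when the attachment must be forced to download instead of being
     * rendered inline: either the file name's extension or the declared MIME
     * type matches the configured executable policy. Both checks are
     * case-insensitive, so "EVIL.HTML" and "Text/HTML" are caught as well.
     */
    public boolean mustForceDownload(String fileName, String contentType) {
        return hostile.isExecutableFileExtension(fileName)
            || hostile.isExecutableContentType(contentType);
    }

    /** Writes response headers for the attachment according to the policy decision. */
    public void writeHeaders(HttpServletResponse response, String fileName, String contentType) {
        String safeName = sanitizeForHeader(fileName);
        if (mustForceDownload(fileName, contentType)) {
            // Hostile content: never let the browser render it in the site's origin.
            response.setContentType("application/octet-stream");
            response.setHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
            // Stop the browser from sniffing the body back into an executable type.
            response.setHeader("X-Content-Type-Options", "nosniff");
        } else {
            response.setContentType(contentType);
            response.setHeader("Content-Disposition", "inline; filename=\"" + safeName + "\"");
        }
    }

    // Minimal constructed sanitizer: remove characters that would break the header value.
    private static String sanitizeForHeader(String name) {
        return name.replaceAll("[\\r\\n\"]", "_");
    }
}
```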
Copyright © 2002-2013 Atlassian. All Rights Reserved.