Package com.atlassian.confluence.impl.webapp.security.enforcer

Class ParameterEnforcer

java.lang.Object

com.atlassian.confluence.impl.webapp.security.enforcer.ParameterEnforcer

All Implemented Interfaces:

SecurityEnforcer

public final class ParameterEnforcer
extends Object
implements SecurityEnforcer

Enforces validations on request parameters such as absence of path traversal sequences.

Since:

8.8

Constructor Summary

Constructors

Constructor	Description
ParameterEnforcer()

Method Summary

Modifier and Type	Method	Description
void	enforce(ConfluenceUser user, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Enforcement action that should be taken when SecurityEnforcer.shouldEnforce(com.atlassian.confluence.user.ConfluenceUser, com.atlassian.confluence.dmz.struts.MappedAction, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) returns true.
boolean	shouldEnforce(ConfluenceUser user, MappedAction mappedAction, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)	Whilst Tomcat already decodes request parameters, there is potential for bad product code to re-decode them.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ParameterEnforcer

public ParameterEnforcer()

Method Details

shouldEnforce

public boolean shouldEnforce(ConfluenceUser user,
 MappedAction mappedAction,
 javax.servlet.http.HttpServletRequest request,
 javax.servlet.http.HttpServletResponse response)

Whilst Tomcat already decodes request parameters, there is potential for bad product code to re-decode them. We thus preempt such re-decoding to ensure that no multi-encoded forbidden character sequences exist.

Specified by:

shouldEnforce in interface SecurityEnforcer

Returns:

true if the request contains forbidden request parameters

enforce

public void enforce(ConfluenceUser user,
 javax.servlet.http.HttpServletRequest request,
 javax.servlet.http.HttpServletResponse response)
             throws IOException

Description copied from interface: SecurityEnforcer

Enforcement action that should be taken when SecurityEnforcer.shouldEnforce(com.atlassian.confluence.user.ConfluenceUser, com.atlassian.confluence.dmz.struts.MappedAction, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) returns true.

Specified by:

enforce in interface SecurityEnforcer

Throws:

IOException