0
我正在嘗試解決「Header Manipulation」問題返回的問題,例如HP Fortify掃描此代碼。我不知道在上傳過程中文件是否已經過驗證(我想不是)。我試圖用RegEx來驗證文件名沒有成功。 任何人都可以幫助我?惠普Fortify在HTTP響應中的頭部操作問題[java]
b = uploadedFiles.getFilecontent().getBytes(1,
uploadedFiles.getFilesize().intValue());
if (b != null) {
response.reset();
String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}
我的嘗試:
String fileName = uploadedFiles.getFilename();
String regex = "[a-zA-Z._ ]*";
if (b != null && fileName.matches(regex)) {
response.reset();
// String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setHeader("Content-Disposition", header);
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}