      // Compare the content type Tika detected with the type the caller expects.
      // The detected type is guarded against null, which would otherwise throw
      // a NullPointerException instead of rejecting the file.
      String detectedType = metadata.get(Metadata.CONTENT_TYPE);
      if (detectedType != null
          && detectedType.equalsIgnoreCase(getContentType)) {
        return true;
      } else {
        return false;
      }
    } catch (IOException e) {
      // Handle error
      return false;
    }
  }
}
The AutoDetectParser selects the best available parser on the basis of the content
type of the file to be parsed.
Applicability
An arbitrary file upload vulnerability could result in privilege escalation and the execution of arbitrary code.
Bibliography
[Apache 2013] Apache Tika: A Content Analysis Toolkit
6. Properly encode or escape output
Proper input sanitization can prevent insertion of malicious data into a subsystem such as a database. However, different subsystems require different types of sanitization. Fortunately, it is usually obvious which subsystems will eventually receive which inputs, and consequently what type of sanitization is required.
Several subsystems exist for the purpose of outputting data. An HTML renderer is one common subsystem for displaying output. Data sent to an output subsystem may appear to originate from a trusted source. However, it is dangerous to assume that output sanitization is unnecessary, because such data may indirectly originate from an untrusted source and may include malicious content. Failure to properly sanitize data passed to an output subsystem can allow several types of attacks. For example, HTML renderers are prone to HTML injection and cross-site scripting (XSS) attacks [OWASP 2011]. Output sanitization to prevent such attacks is as vital as input sanitization.
As with input validation, data should be normalized before sanitizing it for malicious
characters. Properly encode all output characters other than those known to be safe to
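The following is an added example, not code from the book, of the encode-everything-but-the-safe-set approach described above: the data is normalized first and then every character outside the ASCII letter and digit allowlist is emitted as a numeric character reference, so untrusted text cannot alter the structure of the HTML it is placed in. The class name and sample input are constructed for illustration.

```java
import java.text.Normalizer;

/** Added example (not from the book): encodes untrusted data for an HTML output subsystem. */
public final class HtmlOutputEncoder {

    /**
     * Normalizes the input (NFKC) and then encodes every character that is not
     * known to be safe. Only ASCII letters and digits pass through unchanged;
     * everything else becomes a numeric character reference such as &#60; for '<'.
     */
    public static String encodeForHtml(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        // Normalize before sanitizing, as the guideline requires, so that compatibility
        // forms (e.g. fullwidth '<', U+FF1C) are folded to their ASCII equivalents first.
        String normalized = Normalizer.normalize(untrusted, Normalizer.Form.NFKC);
        StringBuilder out = new StringBuilder(normalized.length() * 2);
        for (int i = 0; i < normalized.length(); ) {
            int cp = normalized.codePointAt(i);
            boolean safe = (cp >= 'a' && cp <= 'z')
                        || (cp >= 'A' && cp <= 'Z')
                        || (cp >= '0' && cp <= '9');
            if (safe) {
                out.append((char) cp);
            } else {
                out.append("&#").append(cp).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: data that reached the renderer from an untrusted source.
        String untrusted = "<b onmouseover=\"alert(1)\">Hello</b> & \uFF1Ci\uFF1Eworld";
        // Unsafe: concatenating the raw value lets it add elements and attributes to the page.
        String unsafe = "<p>Name: " + untrusted + "</p>";
        // Safe: the value is encoded before it is handed to the HTML output subsystem.
        String safe = "<p>Name: " + encodeForHtml(untrusted) + "</p>";
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
    }
}
```

In production code a maintained encoder such as the OWASP Java Encoder is preferable to a hand-written one, since it also handles attribute, JavaScript, CSS and URL contexts, which need different encodings.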