package com.atlassian.jira.web.servlet;

import com.atlassian.core.user.UserUtils;
import com.atlassian.jira.ComponentManager;
import com.atlassian.jira.config.properties.APKeys;
import com.atlassian.jira.config.properties.ApplicationProperties;
import com.atlassian.jira.exception.AttachmentNotFoundException;
import com.atlassian.jira.exception.DataAccessException;
import com.atlassian.jira.exception.PermissionException;
import com.atlassian.jira.issue.attachment.Attachment;
import com.atlassian.jira.util.AttachmentUtils;
import com.atlassian.jira.util.BrowserUtils;
import com.atlassian.jira.util.JiraUrlCodec;
import com.atlassian.jira.web.util.HostileAttachmentsHelper;
import com.atlassian.jira.web.util.Ie6MimeSniffer;
import com.opensymphony.user.EntityNotFoundException;
import com.opensymphony.user.User;
import java.io.File;
import java.io.IOException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/atlassian/jira/web/servlet/ViewAttachmentServlet.class */
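/**
 * Serves issue attachments over HTTP.
 *
 * <p>For each request the servlet resolves the attachment from the request path, checks that
 * the current user may view it, and sets the response headers. The {@code Content-Disposition}
 * value ({@code inline} or {@code attachment}) is chosen from the configured MIME-sniffing
 * policy, so that content a browser could treat as active is downloaded rather than rendered.
 *
 * <p>This listing is decompiler output: local and parameter names such as {@code str} are
 * synthetic, and {@link #getLeadingFileBytes} was rebuilt from the decompiler's instruction dump.
 */
public class ViewAttachmentServlet extends AbstractViewFileServlet {
    private static final Logger log = Logger.getLogger(ViewAttachmentServlet.class);
    private HostileAttachmentsHelper attachmentHelper = new HostileAttachmentsHelper();
    private static final String CONTENT_DISPOSITION_ATTACHMENT = "attachment";
    private static final String CONTENT_DISPOSITION_INLINE = "inline";

    /**
     * Initialises the servlet and loads the hostile-attachments configuration.
     *
     * <p>A load failure is logged and does not abort start-up; per the log message the helper
     * then uses its default policy (what that default contains is not visible in this class).
     *
     * @param servletConfig container-supplied configuration, passed to the superclass
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        try {
            this.attachmentHelper.loadConfiguration();
        } catch (IOException e) {
            log.error("Unable to load hostile attachments configuration file, falling back to default policy", e);
        }
    }

    /**
     * Returns the file backing the requested attachment, after an authorisation check.
     *
     * <p>{@code attachmentPath} and {@code getUserName} are not defined in this class
     * (presumably inherited from {@code AbstractViewFileServlet}).
     *
     * @param httpServletRequest request whose path identifies the attachment
     * @param httpServletResponse unused here
     * @return the attachment file
     * @throws PermissionException if the current user may not view the attachment
     * @throws DataAccessException if the user lookup fails
     */
    @Override // com.atlassian.jira.web.servlet.AbstractViewFileServlet
    protected File getFileName(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws DataAccessException, PermissionException {
        Attachment attachment = getAttachment(attachmentPath(httpServletRequest));
        // Authorisation happens before the file is resolved; nothing is returned for a denied user.
        if (!hasPermissionToViewAttachment(getUserName(), attachment)) {
            throw new PermissionException("You do not have permissions to view this issue");
        }
        return AttachmentUtils.getAttachmentFile(attachment);
    }

    /**
     * Looks up an attachment from a path of the form {@code /<numeric id>/<file name>}.
     *
     * <p>Only the numeric id is used for the lookup; the file-name segment is not compared
     * with the stored attachment name. Paths with a third segment are rejected.
     *
     * <p>The decompiler reports that the compiled method was {@code protected}.
     *
     * @param str the attachment path taken from the request
     * @return whatever the attachment manager returns for the parsed id
     * @throws AttachmentNotFoundException if the path is missing, has no id segment, has a
     *         non-numeric id, or contains an extra path segment
     */
    public Attachment getAttachment(String str) {
        // 47 in the decompiled form is '/'.
        int idEnd = (str == null) ? -1 : str.indexOf('/', 1);
        if (idEnd == -1) {
            // Without this guard substring(1, -1) raises StringIndexOutOfBoundsException (or a
            // NullPointerException for a null path), so a malformed URL surfaces as an
            // unhandled error instead of "attachment not found".
            throw new AttachmentNotFoundException(str);
        }
        String idSegment = str.substring(1, idEnd);
        // Exactly two segments are accepted: id and file name.
        if (str.indexOf('/', idEnd + 1) != -1) {
            throw new AttachmentNotFoundException(idSegment);
        }
        Long attachmentId;
        try {
            attachmentId = Long.valueOf(idSegment);
        } catch (NumberFormatException e) {
            throw new AttachmentNotFoundException(idSegment);
        }
        return ComponentManager.getInstance().getAttachmentManager().getAttachment(attachmentId);
    }

    /**
     * Sets {@code Content-Type}, {@code Content-Length} and {@code Content-Disposition} for the
     * requested attachment.
     *
     * <p>The content type is the MIME type stored with the attachment, and the file name is
     * URL-encoded into the RFC 2231/5987 style {@code filename*} parameter.
     *
     * @param httpServletRequest request identifying the attachment and carrying the user agent
     * @param httpServletResponse response to set headers on
     * @throws AttachmentNotFoundException if the path does not resolve to an attachment id
     * @throws IOException if sniffing the leading file bytes fails
     */
    @Override // com.atlassian.jira.web.servlet.AbstractViewFileServlet
    protected void setResponseHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AttachmentNotFoundException, IOException {
        Attachment attachment = getAttachment(attachmentPath(httpServletRequest));
        // NOTE(review): the MIME type comes from attachment metadata, i.e. it is as trustworthy
        // as whatever recorded it at upload time. The only defence applied here against
        // rendering hostile content is the Content-Disposition choice below.
        httpServletResponse.setContentType(attachment.getMimetype());
        // NOTE(review): intValue() truncates sizes above Integer.MAX_VALUE; confirm that an
        // upload size limit elsewhere keeps attachments below 2 GiB.
        httpServletResponse.setContentLength(attachment.getFilesize().intValue());
        String userAgent = httpServletRequest.getHeader(BrowserUtils.USER_AGENT_HEADER);
        ApplicationProperties applicationProperties = ComponentManager.getInstance().getApplicationProperties();
        String disposition = getContentDisposition(attachment, userAgent, applicationProperties);
        // NOTE(review): no X-Content-Type-Options header is set in this class. Current browsers
        // honour "nosniff", which would complement the user-agent-specific sniffing workaround;
        // confirm whether a filter or the superclass adds it.
        httpServletResponse.setHeader("Content-Disposition", disposition + "; filename*=" + applicationProperties.getEncoding() + "''" + JiraUrlCodec.encode(attachment.getFilename(), true) + ";");
    }

    /**
     * Decides whether the attachment is rendered in the browser or forced to download.
     *
     * <ul>
     *   <li>Policy {@code MIME_SNIFFING_OWNED}: always {@code inline}; no check is applied.</li>
     *   <li>Any other policy, and the file name or MIME type is classed as executable by the
     *       hostile-attachments helper: {@code attachment}.</li>
     *   <li>Policy {@code MIME_SNIFFING_WORKAROUND} and {@code BrowserUtils.isIe456Or7} accepts
     *       the user agent: {@code attachment} if the leading bytes would be sniffed as HTML.</li>
     *   <li>Policy {@code MIME_SNIFFING_PARANOID}: {@code attachment}.</li>
     *   <li>Otherwise {@code inline}.</li>
     * </ul>
     *
     * @param attachment the attachment being served
     * @param str the request's User-Agent header value, as passed by {@link #setResponseHeaders}
     * @param applicationProperties source of the configured policy
     * @return {@code "attachment"} or {@code "inline"}
     * @throws IOException if reading the leading bytes of the file fails
     */
    String getContentDisposition(Attachment attachment, String str, ApplicationProperties applicationProperties) throws IOException {
        String mimeSniffingPolicy = getMimeSniffingPolicy(applicationProperties);
        boolean forceDownload = false;
        if (log.isDebugEnabled() && mimeSniffingPolicy.equalsIgnoreCase(APKeys.MIME_SNIFFING_OWNED)) {
            log.debug("Mime sniffing policy is insecure, attachment will always be displayed inline");
        }
        if (!mimeSniffingPolicy.equalsIgnoreCase(APKeys.MIME_SNIFFING_OWNED) && isExecutableContent(attachment.getFilename(), attachment.getMimetype())) {
            forceDownload = true;
            if (log.isDebugEnabled()) {
                // NOTE(review): file name and MIME type are uploader-controlled and are logged
                // unescaped; this is debug level only.
                log.debug("Attachment \"" + attachment.getFilename() + "\" (" + attachment.getMimetype() + ") presents as executable content, forcing download.");
            }
        } else if (mimeSniffingPolicy.equalsIgnoreCase(APKeys.MIME_SNIFFING_WORKAROUND) && BrowserUtils.isIe456Or7(str)) {
            // The declared MIME type is not trusted here: the check looks at the bytes the
            // browser itself would sniff.
            forceDownload = new Ie6MimeSniffer().smellsLikeHtml(getLeadingFileBytes(attachment, Ie6MimeSniffer.MAX_BYTES_TO_SNIFF));
            if (forceDownload) {
                log.debug("Detected Internet Explorer and file contents would be sniffed as HTML, forcing download");
            }
        } else if (mimeSniffingPolicy.equalsIgnoreCase(APKeys.MIME_SNIFFING_PARANOID)) {
            forceDownload = true;
        }
        return forceDownload ? CONTENT_DISPOSITION_ATTACHMENT : CONTENT_DISPOSITION_INLINE;
    }

    /**
     * Reads the configured MIME-sniffing policy, falling back to
     * {@code MIME_SNIFFING_WORKAROUND} when the property is missing or not one of the three
     * recognised values. Both fallbacks are logged at warn level.
     *
     * @param applicationProperties property source
     * @return the configured value if recognised (original casing kept), else the workaround policy
     */
    private String getMimeSniffingPolicy(ApplicationProperties applicationProperties) {
        String policy = applicationProperties.getDefaultBackedString(APKeys.JIRA_OPTION_IE_MIME_SNIFFING);
        if (policy == null) {
            policy = APKeys.MIME_SNIFFING_WORKAROUND;
            log.warn("Missing MIME sniffing policy application property jira.attachment.download.mime.sniffing.workaround ! Defaulting to workaround");
        }
        boolean recognised = APKeys.MIME_SNIFFING_OWNED.equalsIgnoreCase(policy)
                || APKeys.MIME_SNIFFING_PARANOID.equalsIgnoreCase(policy)
                || APKeys.MIME_SNIFFING_WORKAROUND.equalsIgnoreCase(policy);
        if (!recognised) {
            // A typo in the property must not silently select the insecure policy.
            log.warn("MIME sniffing policy application property is invalid: " + policy + " ! Defaulting to " + APKeys.MIME_SNIFFING_WORKAROUND);
            policy = APKeys.MIME_SNIFFING_WORKAROUND;
        }
        return policy;
    }

    /**
     * Returns the leading bytes of the attachment's file for content sniffing.
     *
     * <p>Rebuilt from the decompiler's instruction dump (the decompiler emitted only a stub
     * that threw {@code UnsupportedOperationException}): open the file, delegate to
     * {@code IOUtil.getLeadingBytes}, and close the stream on every exit path.
     *
     * @param attachment attachment whose file is read
     * @param maxBytes limit passed to {@code IOUtil.getLeadingBytes}
     * @return the bytes returned by {@code IOUtil.getLeadingBytes}
     * @throws IOException if the file cannot be opened, read or closed
     */
    byte[] getLeadingFileBytes(Attachment attachment, int maxBytes) throws IOException {
        File attachmentFile = AttachmentUtils.getAttachmentFile(attachment);
        java.io.FileInputStream in = null;
        try {
            in = new java.io.FileInputStream(attachmentFile);
            return com.atlassian.jira.util.IOUtil.getLeadingBytes(in, maxBytes);
        } finally {
            // Mirrors the compiled finally block: close only if the open succeeded.
            if (in != null) {
                in.close();
            }
        }
    }

    /**
     * Checks whether the named user may view the issue the attachment belongs to.
     *
     * <p>The decompiler reports that the compiled method was {@code protected}.
     *
     * @param str user name to look up
     * @param attachment attachment whose issue is checked
     * @return the permission manager's decision
     * @throws DataAccessException wrapping {@code EntityNotFoundException} if the user lookup fails
     */
    public boolean hasPermissionToViewAttachment(String str, Attachment attachment) throws DataAccessException {
        try {
            User user = UserUtils.getUser(str);
            // NOTE(review): 10 is an inlined permission id, presumably the "browse project"
            // permission; confirm against the permissions constants.
            return ComponentManager.getInstance().getPermissionManager().hasPermission(10, attachment.getIssueObject(), user);
        } catch (EntityNotFoundException e) {
            throw new DataAccessException((Throwable) e);
        }
    }

    /**
     * Reports whether the hostile-attachments helper classes the attachment as executable,
     * by file extension or by declared content type.
     *
     * @param str attachment file name
     * @param str2 attachment MIME type
     * @return {@code true} if either check matches
     */
    boolean isExecutableContent(String str, String str2) {
        if (this.attachmentHelper.isExecutableFileExtension(str)) {
            return true;
        }
        return this.attachmentHelper.isExecutableContentType(str2);
    }
}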
