[rt-devel] malicious email vulnerability patch
Tony Aiuto
tony at ics.com
Wed Nov 6 16:24:41 EST 2002
I was doing some security tests against RT because I'm getting
paranoid in my old age. I noticed that it was easy to send HTML text
as attachments to RT. This can be a bad thing if you use IE to get
to RT. The two patches below are a quick hack to prevent the display of
an HTML attachment, depending on the setting of something in config.pm.
Tarballs and zip files will be left alone, so they cause a save (rather
than display) when you press 'download'.
*** WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:02:00 1.1
--- WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:01:26
***************
*** 20,25 ****
--- 20,30 ----
}
my $content_type = $AttachmentObj->ContentType || 'text/plain';
+ if (! $RT::trustHTMLAttachements) {
+ if($content_type eq 'text/html') {
+ $content_type = 'text/plain';
+ }
+ }
SetContentType($content_type);
$m->out($AttachmentObj->Content);
$m->abort;
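Review bot: the flag name read here, `$RT::trustHTMLAttachements`, does not match the one the config.pm hunk defines, `$TrustHTMLAttachments` (different capitalisation and an extra "e"), so the setting in config.pm can never switch this check off; the downgrade to `text/plain` will always run, which is the safe direction but leaves the new option dead. Pick one spelling and use it in both files. The comparison `$content_type eq 'text/html'` is also an exact, case-sensitive string match, so a stored value such as `text/html; charset=iso-8859-1` or `TEXT/HTML` would still be sent through as HTML; lower-casing and stripping everything from the first `;` before the compare (or using a regex like `/^\s*text\/html\b/i`) would close that gap.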
*** etc/config.pm.dist Mon Oct 7 23:25:22 2002
--- etc/config.pm Thu Oct 31 13:35:58 2002
***************
*** 405,410 ****
--- 408,419 ----
]
);
+
+
+ # if TrustHTMLAttachement is not defined, we will display them
+ # as text. This prevents malicious HTML and javascript from being
+ # sent in a request (although there is probably more to it than that)
+ $TrustHTMLAttachments = undef;
# }}}
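Review bot: the option is spelled three different ways across the patch: the comment says `TrustHTMLAttachement`, the variable is `$TrustHTMLAttachments`, and dhandler tests `$RT::trustHTMLAttachements`; make them identical, and reword the comment to say what the variable actually does (when it is false or undef, `text/html` attachments are served as `text/plain`). Note also that this diff is taken between `config.pm.dist` and a local `config.pm` whose line numbers are already offset (405 vs 408), so it may not apply cleanly to a pristine `config.pm.dist`; regenerating it against the dist file would help anyone applying it.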
Tony Aiuto
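As an added illustration (not code from the post or from RT), here is the content-type downgrade the patch describes, written as a stand-alone Perl helper that also covers the cases an exact `eq 'text/html'` compare misses: parameters after the media type, upper-case spellings, and other inline-rendered types. The function name `safe_attachment_content_type`, the `$trust_html` argument and the list of inline-rendered media types are assumptions for this example; the default of serving unknown types unchanged mirrors the patch's behaviour of leaving tarballs and zip files alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of RT or of the posted patch.
# Returns the Content-Type to send for an attachment body. Unless the
# administrator has opted in ($trust_html true), any media type a browser
# would render as markup or execute as script is served as plain text,
# so a mailed-in HTML attachment is shown as source rather than rendered.
sub safe_attachment_content_type {
    my ($stored_type, $trust_html) = @_;

    # Same fallback as the dhandler: no stored type means text/plain.
    my $ct = (defined $stored_type && length $stored_type)
           ? $stored_type : 'text/plain';

    return $ct if $trust_html;

    # Normalise before comparing: drop parameters after the first ';',
    # trim whitespace, lower-case. "text/HTML; charset=iso-8859-1" -> "text/html"
    my ($media) = split /;/, $ct, 2;
    $media =~ s/^\s+|\s+$//g;
    $media = lc $media;

    # Constructed list for this example: types browsers render inline.
    my %render_inline = map { $_ => 1 } qw(
        text/html
        application/xhtml+xml
        text/xml
        application/xml
        image/svg+xml
        text/javascript
        application/javascript
    );

    return 'text/plain' if $render_inline{$media};
    return $ct;    # archives, images, etc. pass through unchanged
}

# Constructed sample inputs exercising the edge cases.
my @samples = (
    'text/html',
    'text/html; charset=iso-8859-1',
    'TEXT/HTML',
    'image/svg+xml',
    'application/x-tar',
    undef,
);

for my $s (@samples) {
    my $shown = defined $s ? $s : '(undef)';
    printf "%-32s -> %s\n", $shown, safe_attachment_content_type($s, 0);
}
```

In a handler the return value would be passed to `SetContentType` in place of the raw stored type. Serving the body with a `Content-Disposition: attachment` header as well is a further, independent defence, since it asks the browser to save rather than render regardless of media type.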