[rt-users] Malicious MIME type handling

Jesse Vincent jesse at bestpractical.com
Tue Feb 2 14:22:56 EST 2010
On Tue 19.Jan'10 at 13:15:59 +0000, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the mime type of
> HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> XSS attacks in RT.
> 
> Now, let me start by saying that my practical knowledge of some of the
> more recent XSS issues is by no means comprehensive, but it struck me
> that as well as being confusing for the user, this protection is rather
> incomplete. There are a number of other content types that could supply
> "active" content (application/javascript and friends, for example, although
> it appears that my browser doesn't attempt to execute javascript delivered
> as application/javascript on its own).
> 
> I'm led to believe that a better way of serving up user supplied
> (untrusted) files is to add a Content-Disposition: attachment header.

How does http://github.com/bestpractical/rt/commit/dde5b99 look for this
to you?

Best,
Jesse
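As an added illustration (not RT's own code, which is Perl, and not the commit Jesse links above), the following Python expresses the two layers this thread discusses: the existing $TrustHTMLAttachments downgrade of HTML to text/plain, and the proposed Content-Disposition: attachment header for everything a browser might render actively. The allowlist of passive inline types, the nosniff header and the filename sanitising are my assumptions, not RT's behaviour.

```python
import re

# Types a browser can render inline without executing anything (assumption).
PASSIVE_INLINE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}
# HTML flavours that the $TrustHTMLAttachments gate applies to.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def safe_filename(name):
    """Strip CR/LF, quotes, backslashes, slashes and NULs so a user-chosen
    name cannot break out of the quoted filename parameter."""
    cleaned = re.sub(r'[\r\n"\\/\x00]', "_", name).strip()
    return cleaned or "attachment"


def attachment_headers(content_type, filename, trust_html=False):
    """Response headers for serving a stored, user-supplied attachment.

    - HTML is downgraded to text/plain unless trust_html (the existing gate).
    - Anything outside the passive allowlist gets Content-Disposition:
      attachment, so it is downloaded rather than rendered in the app's origin.
      This covers application/javascript and friends as well as trusted HTML.
    - X-Content-Type-Options: nosniff stops the browser re-guessing the type.
    """
    parts = [p.strip() for p in content_type.split(";")]
    ctype = parts[0].lower() or "application/octet-stream"
    # keep only a charset parameter; drop anything else the uploader supplied
    params = [p for p in parts[1:] if p.lower().startswith("charset=")]

    if ctype in HTML_TYPES and not trust_html:
        ctype = "text/plain"

    disposition = "inline" if ctype in PASSIVE_INLINE_TYPES else "attachment"
    return {
        "Content-Type": "; ".join([ctype] + params),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_filename(filename)),
    }
```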
