[rt-users] Malicious MIME type handling

Dominic Hargreaves dominic.hargreaves at oucs.ox.ac.uk
Wed Feb 3 07:30:11 EST 2010


On Tue, Feb 02, 2010 at 11:22:56AM -0800, Jesse Vincent wrote:
> On Tue 19.Jan'10 at 13:15:59 +0000, Dominic Hargreaves wrote:
> > I've noticed that there is some logic to override the mime type of
> > HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> > XSS attacks in RT.
> > 
> > Now, let me start by saying that my practical knowledge of some of the
> > more recent XSS issues is by no means comprehensive, but it struck me
> > that as well as being confusing for the user, this protection is rather
> > incomplete. There are a number of other content types that could supply
> > "active" content (application/javascript and friends for example - although
> > it appears that my browser doesn't attempt to execute javascript delivered
> > as application/javascript on its own).
> > 
> > I'm led to believe that a better way of serving up user supplied
> > (untrusted) files is to add a Content-Disposition: attachment header.
> 
> How does http://github.com/bestpractical/rt/commit/dde5b99 look for this
> to you?

Looks like a fine patch, and pleasantly simple. I look forward to
seeing it in a release :)

Cheers,
Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
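The thread above describes two defences for serving user-supplied attachments: RT's existing MIME-type override for HTML (controlled by $TrustHTMLAttachments) and the Content-Disposition: attachment header proposed in the quoted commit. The following is an added example, not part of this thread and not RT's code, showing how a web application can combine both when building the response for an untrusted file. The set of "active" content types, the header-builder function and the filename sanitiser are assumptions for illustration; only the Content-Disposition header and the HTML downgrade come from the discussion.

```python
"""Response headers for serving untrusted user-supplied attachments.

Added example (not RT's code). It combines the two defences discussed in
the thread: a MIME-type downgrade for content a browser could render or
execute in the application's origin (RT applies this to HTML unless
$TrustHTMLAttachments is set), and a Content-Disposition: attachment
header so the browser offers the file for download instead of rendering it.
"""
import re
from typing import Dict

# Content types a browser may execute, or render as markup, in the page's
# origin. This list is an assumption for the example; extend it to taste.
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
    "application/javascript",
    "text/javascript",
    "application/ecmascript",
}

# Types that an administrator may choose to trust (the HTML case from the
# thread); everything else in ACTIVE_TYPES is always downgraded.
TRUSTABLE_TYPES = {"text/html", "application/xhtml+xml"}


def _normalise_type(content_type: str) -> str:
    """Drop parameters such as charset and compare case-insensitively."""
    return content_type.split(";", 1)[0].strip().lower()


def _safe_filename(name: str) -> str:
    """Reduce a user-supplied name to a basename that cannot break the header.

    Path components are dropped so a stored name cannot point elsewhere,
    and CR, LF and double quotes are removed so the value cannot inject
    extra header lines or escape the quoted filename parameter.
    """
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r'[\r\n"]', "", name).strip()
    return name or "attachment"


def attachment_headers(filename: str, declared_type: str,
                       trust_html: bool = False) -> Dict[str, str]:
    """Build the headers for serving one untrusted attachment.

    trust_html mirrors the $TrustHTMLAttachments switch: when False, HTML
    is served as application/octet-stream; script-like types are always
    downgraded. Content-Disposition: attachment and nosniff are set in
    every case so the browser neither renders the body in-page nor guesses
    a more dangerous type from its contents.
    """
    ctype = _normalise_type(declared_type) or "application/octet-stream"
    trusted = TRUSTABLE_TYPES if trust_html else set()
    if ctype in ACTIVE_TYPES and ctype not in trusted:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{_safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a hostile HTML upload and a benign PDF.
    for name, ctype in [("evil.html", "text/html; charset=utf-8"),
                        ("report.pdf", "application/pdf")]:
        for key, value in attachment_headers(name, ctype).items():
            print(f"{key}: {value}")
        print()
```

The nosniff header is not in the thread but is cheap insurance: without it, a body served as application/octet-stream can still be sniffed as HTML by some browsers when a user opens it directly, which would undo the downgrade.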