[jira] [Commented] (TIKA-3466) Cannot detect mimetype of xhtml file when script is first node instead of html

Wed, 07 Jul 2021 11:13:07 -0700 


    [ 
https://issues.apache.org/jira/browse/TIKA-3466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17376760#comment-17376760
 ] 

Packiaraj Sakkanan commented on TIKA-3466:
------------------------------------------

The problem here is that this sample file is rendered in browser as XHTML;. 
i.e., script is executed in browser successfully. I tested in chrome & FF. (Not 
sure if its expected or bug in browser)
 
 This sort of file can be used to work around upload/download file type 
validation put in the application; since ‘application/xml' is valid type for 
many applications, tika based file type validation cannot block this type of 
malicious content.
 So, security is the concern / justification 
 
 If matching with different types of nodes is an issue, is it possible to check 
the namespace alone to find if the document is xhtml or xml  ( Perhaps xhtml 
check criteria should match with browser criteria for security reason)  

> Cannot detect mimetype of xhtml file when script is first node instead of html
> ------------------------------------------------------------------------------
>
>                 Key: TIKA-3466
>                 URL: https://issues.apache.org/jira/browse/TIKA-3466
>             Project: Tika
>          Issue Type: Bug
>          Components: detector, mime
>    Affects Versions: 1.27
>            Reporter: Packiaraj Sakkanan
>            Priority: Major
>
> mime-type of below xhtml file deduced as 'application/xml' instead of 
> 'application/xhtml+xml' 
> {code:java}
> <?xml version="1.0" encoding="UTF-8" ?>
> <script xmlns="http://www.w3.org/1999/xhtml";><![CDATA[
>   alert(555);
>   ]]></script>
> {code}
>  
>  one possible solution is to add 'script' in tika-mimetypes.xml, like 
> {code:java}
> <mime-type type="application/xhtml+xml">
>   <!-- The magic priority for xhtml+xml needs to be lower than that of -->
>   <!--  files that contain HTML within them, e.g. mime emails -->
>   <magic priority="40">
>     <match value="&lt;html xmlns=" type="string" offset="0:8192"/>
>   </magic>
>   <root-XML namespaceURI="http://www.w3.org/1999/xhtml"; localName="html"/>
>   <root-XML namespaceURI="http://www.w3.org/1999/xhtml"; localName="script"/>
>   <glob pattern="*.xhtml"/>
>   <glob pattern="*.xht"/>
> </mime-type>
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to