On Tue, Feb 02, 2010 at 11:22:56AM -0800, Jesse Vincent wrote:
> On Tue 19.Jan'10 at 13:15:59 +0000, Dominic Hargreaves wrote:
> > I've noticed that there is some logic to override the mime type of
> > HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> > XSS attacks in RT.
> >
> > Now, let me start by saying that my practical knowledge of some of the
> > more recent XSS issues is by no means comprehensive, but it struck me
> > that as well as being confusing for the user, this protection is rather
> > incomplete. There are a number of other content types that could supply
> > "active" content (application/javascript and friends for example - although
> > it appears that my browser doesn't attempt to execute javascript delivered
> > as application/javascript on its own).
> >
> > I'm led to believe that a better way of serving up user supplied
> > (untrusted) files is to add a Content-Disposition: attachment header.
>
> How does http://github.com/bestpractical/rt/commit/dde5b99 look for this
> to you?
Looks like a fine patch, and pleasantly simple. I look forward to seeing it in a release :)

Cheers,
Dominic.

--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
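As an added illustration of the approach discussed above (my own example, not RT's code and not the contents of the linked commit, which are not shown on this page): a small helper that builds the response headers for serving a user-supplied attachment. It forces Content-Disposition: attachment, adds X-Content-Type-Options: nosniff so the browser does not second-guess the type, and downgrades "active" types (HTML, SVG, XML, JavaScript) to application/octet-stream unless a trust switch is set. The ACTIVE_TYPES list, the `trust_html` flag (standing in for a setting like $TrustHTMLAttachments) and the sample inputs are all assumptions made for the example; the stored MIME type and filename are treated as attacker-controlled, so both are also checked for header injection.

```python
"""
Added example: response headers for a user-supplied (untrusted) attachment.

Assumptions (not from the thread): the caller already loaded the stored
MIME type and filename from the ticketing system, both attacker-controlled;
`trust_html` plays the role of a config switch such as $TrustHTMLAttachments.
"""
import re
from urllib.parse import quote

# MIME types a browser renders as a document that can run script or load
# sub-resources when shown inline.  Served as opaque bytes unless trusted.
# (Assumed list; extend for your deployment.)
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml",
    "image/svg+xml", "text/xml", "application/xml",
    "application/javascript", "text/javascript",
    "application/ecmascript", "text/ecmascript",
}
# Only HTML may keep its type when trust_html is on; raw script types never do.
TRUSTABLE_TYPES = {"text/html", "application/xhtml+xml"}

# RFC 7231 token/token; anything else (including CR/LF smuggled into the
# stored type) is rejected rather than echoed into a header.
_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")
# For the plain filename= parameter: printable ASCII only, no quote,
# backslash, slash or control characters.
_FALLBACK_RE = re.compile(r'[^\x21-\x7e]|["\\/]')


def normalise_type(declared, trust_html=False):
    """Return the Content-Type to send; parameters (charset=...) are dropped."""
    base = declared.split(";", 1)[0].strip().lower()
    if not _TYPE_RE.match(base):
        return "application/octet-stream"        # garbage or injection attempt
    if base in ACTIVE_TYPES and not (trust_html and base in TRUSTABLE_TYPES):
        return "application/octet-stream"        # never render as active content
    return base


def ascii_fallback(filename):
    """ASCII-only filename for clients that ignore the filename* parameter."""
    return _FALLBACK_RE.sub("_", filename) or "attachment"


def attachment_headers(declared_type, filename, trust_html=False):
    """Headers that make the browser download the body instead of rendering it."""
    fallback = ascii_fallback(filename)
    # RFC 5987 ext-value: percent-encodes CR, LF, quotes and non-ASCII, so the
    # original (e.g. UTF-8) name survives without enabling header injection.
    encoded = quote(filename or fallback, safe="")
    return {
        "Content-Type": normalise_type(declared_type, trust_html),
        "Content-Disposition":
            f'attachment; filename="{fallback}"; filename*=UTF-8\'\'{encoded}',
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing of octet-stream
        "Cache-Control": "private",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real ticket data.
    samples = [
        ("text/html; charset=utf-8", "report.html", False),
        ("text/html", "report.html", True),
        ("application/javascript", "x.js", True),
        ("image/png", "logo.png", False),
        ("application/pdf", 'bad"name\r\nX-Evil: 1.pdf', False),
        ("application/pdf", "résumé.pdf", False),
    ]
    for declared, name, trust in samples:
        print(f"{declared!r} / {name!r} (trust_html={trust})")
        for k, v in attachment_headers(declared, name, trust).items():
            print(f"  {k}: {v}")
```

Note that `trust_html` still only relaxes the Content-Type; the disposition stays `attachment` either way, which is the point Dominic makes: downloading rather than rendering is the property worth relying on, and the type override is a secondary guard.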
_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 & 23
Dublin, Ireland - Mar 15 & 16
Boston, MA, USA - April 5 & 6
Washington DC, USA - Oct 25 & 26

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com