Re: [rt-users] Malicious MIME type handling

2010-02-03 Thread Dominic Hargreaves
On Tue, Feb 02, 2010 at 11:22:56AM -0800, Jesse Vincent wrote:
> On Tue 19.Jan'10 at 13:15:59 +, Dominic Hargreaves wrote:
> > I've noticed that there is some logic to override the mime type of
> > HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> > XSS attacks in RT.
> > 
> > Now, let me start by saying that my practical knowledge of some of the
> > more recent XSS issues is by no means comprehensive, but it struck me
> > that as well as being confusing for the user, this protection is rather
> > incomplete. There are a number of other content types that could supply
> > active content (application/javascript and friends for example - although
> > it appears that my browser doesn't attempt to execute javascript delivered
> > as application/javascript on its own).
> > 
> > I'm led to believe that a better way of serving up user-supplied
> > (untrusted) files is to add a Content-Disposition: attachment header.
> 
> How does http://github.com/bestpractical/rt/commit/dde5b99 look for this
> to you?

Looks like a fine patch, and pleasantly simple. I look forward to
seeing it in a release :)

Cheers,
Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
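As an added illustration of the two approaches this thread compares (this is not RT's code and not the commit linked above): the old route of rewriting the declared type of HTML attachments, beside the proposed route of serving every user-supplied file with Content-Disposition: attachment. The list of types treated as active when rendered inline, and the extra X-Content-Type-Options header, are my own assumptions and are not mentioned in the thread.

```python
# Added example (not RT's code): the two defences the thread compares.
# The set of "active when rendered inline" types is an illustrative
# assumption, not taken from RT or from the commit under discussion.

ACTIVE_INLINE_TYPES = {
    "text/html",              # what $TrustHTMLAttachments guards against
    "application/xhtml+xml",  # also carries <script>; missed by an HTML-only check
    "image/svg+xml",          # SVG may embed script too
}


def legacy_headers(content_type, trust_html=False):
    """Old approach: downgrade HTML to text/plain unless trusted; every
    other declared type is sent as-is and rendered inline by the browser."""
    if content_type == "text/html" and not trust_html:
        content_type = "text/plain"
    return {"Content-Type": content_type}


def hardened_headers(content_type, filename):
    """Proposed approach: keep the declared type but force a download, so
    the file is never rendered in RT's origin.  nosniff (my addition, not
    in the thread) stops the browser second-guessing the declared type."""
    # Strip characters that would break out of the quoted filename parameter.
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def renders_active_inline(headers):
    """Simplified browser model: content runs in the page's origin only if
    it is displayed inline and its type is one the browser treats as active."""
    disposition = headers.get("Content-Disposition", "inline")
    if disposition.lower().startswith("attachment"):
        return False
    return headers["Content-Type"] in ACTIVE_INLINE_TYPES


if __name__ == "__main__":
    # Constructed sample types: the legacy check stops text/html but not SVG.
    for ctype in ("text/html", "image/svg+xml", "application/pdf"):
        print(ctype,
              "legacy:", renders_active_inline(legacy_headers(ctype)),
              "hardened:", renders_active_inline(hardened_headers(ctype, "f.bin")))
```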


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 & 23
Dublin, Ireland - Mar 15 & 16
Boston, MA, USA - April 5 & 6
Washington DC, USA - Oct 25 & 26

Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] Malicious MIME type handling

2010-02-02 Thread Jesse Vincent



On Tue 19.Jan'10 at 13:15:59 +, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the mime type of
> HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> XSS attacks in RT.
> 
> Now, let me start by saying that my practical knowledge of some of the
> more recent XSS issues is by no means comprehensive, but it struck me
> that as well as being confusing for the user, this protection is rather
> incomplete. There are a number of other content types that could supply
> active content (application/javascript and friends for example - although
> it appears that my browser doesn't attempt to execute javascript delivered
> as application/javascript on its own).
> 
> I'm led to believe that a better way of serving up user-supplied
> (untrusted) files is to add a Content-Disposition: attachment header.

How does http://github.com/bestpractical/rt/commit/dde5b99 look for this
to you?

Best,
Jesse


Re: [rt-users] Malicious MIME type handling

2010-01-26 Thread Jesse Vincent



On Tue, Jan 19, 2010 at 01:15:59PM +, Dominic Hargreaves wrote:
> I've noticed that there is some logic to override the mime type of
> HTML attachments ($TrustHTMLAttachments config) to avoid javascript
> XSS attacks in RT.

Sorry, I've been on Jury Duty since this came in and there was a small
internal miscommunication about who was going to get a reply out to you.

You're on the money. When this code path was put together, there were
far fewer MIME types that we needed to worry about.  We actually got a
report about this just a couple weeks ago and should have an improvement
out in the next version of RT 3.8.

-Jesse