View Issue Details
| Field | Value |
|---|---|
| ID | 0013193 |
| Project | mantisbt |
| Category | administration |
| View Status | public |
| Date Submitted | 2011-07-31 06:02 |
| Last Update | 2014-09-23 18:05 |
| Reporter | rombert |
| Assigned To | rombert |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Target Version | 1.2.9 |
| Fixed in Version | 1.2.9 |
| Summary | 0013193: Files served by plugins do not have a Content-Type header set |
| Description | Files served by plugins do not have a content type set, and are sometimes not correctly accepted by browsers. In a particular scenario IE 9 does not accept CSS files served by a plugin. |
| Tags | No tags attached. |
Can we change this patch to:

1) Drop the new configuration option (especially in 1.2.x)
2) Use the following code (modified where necessary) from file_download.php: (perhaps we split this into a new file_send($p_local_disk_file) function inside file_api.php)
3) Add warnings to the new file_send function as well as plugin_file_include function notifying developers of the security implications of these functions. Specifically, things like the ability to serve up user-supplied HTML or Javascript and have it rendered in-browser (XSS), serving up any file from the disk (including MantisBT config_inc.php file), etc.

Happy to help.
David, thanks for reviewing and commenting. My initial attempts to use fileinfo were not successful, but I will extract and reuse the code from file_download.php.
2) I've implemented the file_send function, but I'm back to square one with the JS and CSS files. They get detected incorrectly as "jquery-ui.css: ASCII C program text, with very long lines". The png files are detected correctly, but those never were problematic to start with.

3) plugin_file_include only serves plugin-supplied files, so the warning is not really needed.
What would you think of having the possibility to override the content-type only for files detected as text/something? The man page of the file command does state that "File uses several algorithms that favor speed over accuracy, thus it can be misled about the contents of text files. The support for text files (primarily for programming languages) is simplistic, inefficient and requires recompilation to update." I don't think fileinfo will ever get css and javascript right.
Thanks Robert, and sorry for the delayed response. I'd be happy to see an override for CSS/Javascript, as long as the override applies only to files that were detected as text/plain (or whatever fileinfo is detecting them as) and have the correct file name extension.
Note: I am still concerned about returning content that is rendered in the browser. With Javascript, this could introduce arbitrary Javascript into the "trusted domain", thus leading to XSS attacks. HTTP headers can be modified to forcefully tell the browser not to render content but instead treat it as a file download. This should really apply all the time, except in very specific, controlled and well thought out situations. For instance, text/plain is OK to show in the browser. Images are also likely to be OK, but there is no guarantee of this when you factor in the possibility of image rendering security bugs in browsers. I added CSRF protection for inline image display (from attached images) in MantisBT a while ago to solve this potential problem (and hotlinking too).
David, to follow up on your comments:
Please let me know if you see any problems with the above approach.
This is now fixed as outlined above for both text/ and image/ content type families.
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
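A sketch of the approach settled on in this thread (fileinfo first, an extension-based override only within the same text/ or image/ family, a forced download for everything else), written as an added example rather than MantisBT's own file_send or plugin_api.php code; the function names and the extension map are assumptions.

```php
<?php
// Added example (not MantisBT code): send a plugin-supplied local file with
// an explicit Content-Type. fileinfo's guess is replaced only when its
// top-level family (text/ or image/) matches the family of the type mapped
// from the file extension; any other type is forced to a download.

// Constructed extension map: the only types allowed to replace a fileinfo
// guess, and the only types that are rendered inline by the browser.
function example_content_type_overrides() {
    return array(
        'css' => 'text/css',
        'js'  => 'text/javascript',
        'txt' => 'text/plain',
        'png' => 'image/png',
        'gif' => 'image/gif',
        'jpg' => 'image/jpeg',
    );
}

// "text/x-c" -> "text", "image/png" -> "image".
function example_type_family( $p_type ) {
    return strstr( $p_type, '/', true );
}

// Returns array( 'type' => ..., 'disposition' => ... ) for a local file.
function example_plugin_file_headers( $p_local_disk_file ) {
    $t_finfo = finfo_open( FILEINFO_MIME_TYPE );
    $t_detected = finfo_file( $t_finfo, $p_local_disk_file );
    finfo_close( $t_finfo );
    if( $t_detected === false ) {
        $t_detected = 'application/octet-stream';
    }
    $t_type = $t_detected;

    $t_ext = strtolower( pathinfo( $p_local_disk_file, PATHINFO_EXTENSION ) );
    $t_overrides = example_content_type_overrides();
    // A .js file that fileinfo reports as text/x-c becomes text/javascript;
    // a .png that fileinfo reports as text/plain stays text/plain, because
    // the families differ and an image type must not be forced onto text.
    if( isset( $t_overrides[$t_ext] )
        && example_type_family( $t_detected ) === example_type_family( $t_overrides[$t_ext] ) ) {
        $t_type = $t_overrides[$t_ext];
    }

    $t_inline = in_array( $t_type, $t_overrides, true );
    return array( 'type' => $t_type, 'disposition' => $t_inline ? 'inline' : 'attachment' );
}

function example_send_plugin_file( $p_local_disk_file ) {
    $t_h = example_plugin_file_headers( $p_local_disk_file );
    header( 'Content-Type: ' . $t_h['type'] );
    header( 'Content-Disposition: ' . $t_h['disposition'] . '; filename="' . basename( $p_local_disk_file ) . '"' );
    header( 'X-Content-Type-Options: nosniff' ); // keep IE from sniffing past the declared type
    header( 'Content-Length: ' . filesize( $p_local_disk_file ) );
    readfile( $p_local_disk_file );
}
```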
MantisBT: master-1.2.x 280a5d95 2011-07-30 23:03
Fix 0013193 : Files served by plugins do not have a Content-Type header set
Affected Issues: 0013193
mod - config_defaults_inc.php
mod - core/plugin_api.php

MantisBT: master 837987db 2011-07-30 23:04
Fix 0013193 : Files served by plugins do not have a Content-Type header set
Conflicts: config_defaults_inc.php
Affected Issues: 0013193
mod - config_defaults_inc.php
mod - core/plugin_api.php

MantisBT: master-1.2.x ce3a276b 2011-12-06 10:28
Allow overriding content-type for text/ and image/ files served by plugins
Fixes 0013193: Files served by plugins do not have a Content-Type header set
Affected Issues: 0013193
mod - core/plugin_api.php
mod - core/utility_api.php
mod - file_download.php

MantisBT: master bfc04a4d 2011-12-06 10:36
Allow overriding content-type for text/ and image/ files served by plugins
Fixes 0013193: Files served by plugins do not have a Content-Type header set
Conflicts: file_download.php
Affected Issues: 0013193
mod - core/plugin_api.php
mod - core/utility_api.php
mod - file_download.php