mahara-contributors team mailing list archive
Message #27438
[Bug 1470281] [NEW] Use "nosniff" header to prevent potential XSS via untrusted files in IE
*** This bug is a security vulnerability ***
Public security bug reported:
Yuliya posted this one directly into Gerrit:
https://reviews.mahara.org/#/c/4821/
Use nosniff header to prevent potential XSS via untrusted files in IE
See
- https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
- https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Solution is to add it to file serving code in places where we do forced
download of files.
** Affects: mahara
Importance: Low
Status: In Progress
** Affects: mahara/1.10
Importance: Low
Status: Confirmed
** Affects: mahara/1.9
Importance: Low
Status: Confirmed
** Affects: mahara/15.04
Importance: Low
Status: Confirmed
** Affects: mahara/15.10
Importance: Low
Status: In Progress
** Also affects: mahara/1.10
Importance: Undecided
Status: New
** Also affects: mahara/15.04
Importance: Undecided
Status: New
** Also affects: mahara/15.10
Importance: Undecided
Status: In Progress
** Also affects: mahara/1.9
Importance: Undecided
Status: New
** Changed in: mahara/15.10
Importance: Undecided => Low
** Changed in: mahara/15.04
Importance: Undecided => Low
** Changed in: mahara/1.9
Importance: Undecided => Low
** Changed in: mahara/1.10
Importance: Undecided => Low
** Changed in: mahara/15.04
Status: New => Confirmed
** Changed in: mahara/1.9
Status: New => Confirmed
** Changed in: mahara/1.10
Status: New => Confirmed
** Changed in: mahara/15.04
Milestone: None => 15.04.2
** Changed in: mahara/1.9
Milestone: None => 1.9.7
** Changed in: mahara/1.10
Milestone: None => 1.10.5
https://bugs.launchpad.net/bugs/1470281
Title:
Use "nosniff" header to prevent potential XSS via untrusted files in
IE
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.10 series:
Confirmed
Status in Mahara 1.9 series:
Confirmed
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 15.10 series:
In Progress
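The fix described in the bug description, as an added PHP example that is not part of the original message and is not Mahara's code: a forced-download response that declares a generic type, marks the file as an attachment, and sets `X-Content-Type-Options: nosniff`. The function names and the sample filename are hypothetical.

```php
<?php
// Added example, not Mahara code. Function names are hypothetical.

/**
 * Build response headers for a forced download of an untrusted file.
 */
function forced_download_headers(string $filename, int $size): array {
    // Drop path components, control characters, quotes and backslashes so the
    // name cannot break out of the quoted Content-Disposition parameter.
    $safe = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '', basename($filename));
    if ($safe === null || $safe === '') {
        $safe = 'download';
    }
    return [
        // Generic type: the file is meant to be saved, not rendered.
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'Content-Length: ' . $size,
        // Stops the browser from sniffing the body and treating it as HTML
        // or script despite the declared type.
        'X-Content-Type-Options: nosniff',
    ];
}

/**
 * Send a stored file to the client as a download.
 */
function serve_forced_download(string $path, string $filename): void {
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        return;
    }
    foreach (forced_download_headers($filename, filesize($path)) as $line) {
        header($line);
    }
    readfile($path);
}

// Constructed input: an uploaded file whose name carries a path and a quote.
if (PHP_SAPI === 'cli') {
    print_r(forced_download_headers('../uploads/notes".html', 1024));
}
```

Keeping the header in the one function that every download path calls means a newly added download endpoint cannot omit it.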
Follow ups
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-10-23
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Robert Lyon, 2015-07-10
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Robert Lyon, 2015-07-10
-
[Bug 1470281] A change has been merged
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] A change has been merged
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] A change has been merged
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] A patch has been submitted for review
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] A patch has been submitted for review
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-10
-
[Bug 1470281] A patch has been submitted for review
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] A change has been merged
From: Mahara Bot, 2015-07-10
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01
-
[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01
-
[Bug 1470281] [NEW] Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01