mahara-contributors team mailing list archive

[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE

 

So the idea here is that when Mahara serves a file attachment, we add a
response header to it that says "X-Content-Type-Options: nosniff". When
IE or Chrome sees this response header, it will *not* attempt to detect
the file's type by examining the file or filename. Instead, it will
trust the mimetype header that Mahara tells it.

The security idea here is, to quote OWASP, "This reduces exposure to
drive-by download attacks and sites serving user uploaded content that,
by clever naming, could be treated by MSIE as executable or dynamic HTML
files."

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1470281

Title:
  Use "nosniff" header to prevent potential XSS via untrusted files in
  IE

Status in Mahara ePortfolio:
  In Progress
Status in Mahara 1.10 series:
  Confirmed
Status in Mahara 1.9 series:
  Confirmed
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 15.10 series:
  In Progress

Bug description:
  Yuliya posted this one directly into Gerrit:
  https://reviews.mahara.org/#/c/4821/

  Use nosniff header to prevent potential XSS via untrusted files in IE

  See
   - https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
   - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  Solution is to add it to file serving code in places where we do
  forced download of files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1470281/+subscriptions
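The two halves of the fix described above (send a correct Content-Type plus "X-Content-Type-Options: nosniff" wherever a user-uploaded file is force-downloaded, and verify that the endpoint actually does so) as an added example. This is not Mahara's own file-serving code; `download_headers` and `audit_headers` are names chosen here, and the two captured response header blocks are constructed to show what a download endpoint looks like before and after the header is added.

```python
"""Added example (not Mahara code): build the response headers a file-serving
endpoint should send for an untrusted upload, and audit captured response
headers for the nosniff fix."""
from __future__ import annotations

import re

# Content-Disposition must start with the "attachment" disposition type.
ATTACHMENT_RE = re.compile(r"^\s*attachment\b", re.IGNORECASE)


def download_headers(filename: str, mimetype: str, size: int) -> dict[str, str]:
    """Headers for a forced download of a user-uploaded file.

    X-Content-Type-Options: nosniff tells IE and Chrome to trust Content-Type
    instead of inspecting the body or filename, so a cleverly named upload is
    not promoted to HTML; Content-Disposition: attachment keeps the browser
    from rendering it inline at all.
    """
    # CR/LF, quotes and backslashes must not reach the quoted filename parameter.
    safe_name = re.sub(r'[\r\n"\\]', "_", filename) or "download"
    return {
        "Content-Type": mimetype,
        "Content-Length": str(size),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def audit_headers(raw_headers: str) -> list[str]:
    """Return findings for one captured HTTP response header block.

    Header names are matched case-insensitively; the status line and blank
    lines are skipped.
    """
    headers: dict[str, str] = {}
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()

    findings: list[str] = []
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-type" not in headers:
        # nosniff only helps if there is a declared type for the browser to trust.
        findings.append("missing Content-Type")
    if not ATTACHMENT_RE.match(headers.get("content-disposition", "")):
        findings.append("Content-Disposition is not 'attachment'")
    return findings


# Constructed sample responses: a download endpoint before and after the fix.
BEFORE_FIX = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 42
Content-Disposition: attachment; filename="notes.txt"
"""

AFTER_FIX = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 42
Content-Disposition: attachment; filename="notes.txt"
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    print("before:", audit_headers(BEFORE_FIX))  # missing nosniff
    print("after: ", audit_headers(AFTER_FIX))   # no findings
    print(download_headers('odd"name.txt', "text/plain", 5))
```

Running the audit over the headers of every file-download URL (including the forced-download paths the bug singles out) is a quick way to confirm the fix landed everywhere rather than in one code path.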
