mahara-contributors team mailing list archive

Thread
Date

[Bug 1470281] A patch has been submitted for review

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1470281@xxxxxxxxxxxxxxxxxx>
Date: Fri, 10 Jul 2015 00:11:36 -0000
Reply-to: Bug 1470281 <1470281@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4950

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1470281

Title:
  Use "nosniff" header to prevent potential XSS via untrusted files in
  IE

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  Fix Committed

Bug description:
  Yuliya posted this one directly into Gerrit:
  https://reviews.mahara.org/#/c/4821/

  Use nosniff header to prevent potential XSS via untrusted files in IE

  See
   - https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
   - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  Solution is to add it to file serving code in places where we do
  forced download of files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1470281/+subscriptions

References

[Bug 1470281] [NEW] Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01