mahara-contributors team mailing list archive

Thread
Date

[Bug 1470281] Re: Use "nosniff" header to prevent potential XSS via untrusted files in IE

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1470281@xxxxxxxxxxxxxxxxxx>
Date: Fri, 23 Oct 2015 03:28:33 -0000
Reply-to: Bug 1470281 <1470281@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: mahara/15.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1470281

Title:
  Use "nosniff" header to prevent potential XSS via untrusted files in
  IE

Status in Mahara:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released

Bug description:
  Yuliya posted this one directly into Gerrit:
  https://reviews.mahara.org/#/c/4821/

  Use nosniff header to prevent potential XSS via untrusted files in IE

  See
   - https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
   - https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  Solution is to add it to file serving code in places where we do
  forced download of files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1470281/+subscriptions

References

[Bug 1470281] [NEW] Use "nosniff" header to prevent potential XSS via untrusted files in IE
From: Aaron Wells, 2015-07-01