ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0006237 | [Resin] | feature | always | 05-07-19 08:57 | 06-26-19 13:38
Reporter | stbu | View Status | public
Assigned To | ferg
Priority | normal | Resolution | fixed | Platform |
Status | closed | OS |
Projection | none | OS Version |
ETA | none | Fixed in Version | 4.0.63 | Product Version | 4.0.61
Product Build |
Summary | 0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet
Description |
TL;DR: A Resin configuration option to improve security regarding Cross Site Scripting with a default MIME type.

Current Behavior: Making an HTTP request to a file which is handled by FileServlet with a file extension for which no mime-type mapping is defined -> the HTTP response will *not* have a Content-Type header.

Desired Behavior: Define a default mime-type value like "text/plain" in resin.xml. Making an HTTP request to a file which is handled by FileServlet with a file extension for which no mime-type mapping is defined -> the default-mime-type value is used in the HTTP response Content-Type header.

Background: Unfortunately browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header advising otherwise. See also: https://www.youtube.com/watch?v=dBJt3eR8-bg (12 minute video, titled "Fun with Apache and MIME types - Hanno Böck")

Note: The W3C standard Authoritative Metadata says: "Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation." => Therefore it is a standard to enable Cross Site Scripting. But software doesn't have to follow stupid standards!

Suggestion for com.caucho.servlets.FileServlet, somewhere around line 434:

    if (mime != null) {
      res.setContentType(mime);
    }
  + else if (defaultMimeType != null) {
  +   res.setContentType(defaultMimeType);
  + }

And defaultMimeType is retrieved from a new Resin configuration option or maybe a new servlet init parameter in app-default.xml.
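The following is an added example, not code from the reporter and not Resin's own FileServlet, showing the same fallback implemented as a portable servlet Filter so it can be deployed without patching the container. The class name `DefaultContentTypeFilter`, the init parameter name `default-mime-type`, and the assumption that the container runs static file requests through the filter chain are all choices made for this example. The wrapper applies the default the moment the servlet asks for the output stream or writer, which is before the headers are committed, and it also sets `X-Content-Type-Options: nosniff` so a browser cannot second-guess the declared type.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (example code, not part of Resin): supplies a default
// Content-Type when the downstream servlet, e.g. a static file servlet, set none.
public class DefaultContentTypeFilter implements Filter {
    private String defaultMimeType = "text/plain";

    @Override
    public void init(FilterConfig config) {
        // "default-mime-type" is an init-param name chosen for this example.
        String configured = config.getInitParameter("default-mime-type");
        if (configured != null && !configured.trim().isEmpty()) {
            defaultMimeType = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new DefaultingResponse((HttpServletResponse) res, defaultMimeType));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
    }

    // Wrapper that pins the Content-Type right before the body is first written,
    // which is the last point at which headers can still be changed.
    static class DefaultingResponse extends HttpServletResponseWrapper {
        private final String defaultMimeType;

        DefaultingResponse(HttpServletResponse response, String defaultMimeType) {
            super(response);
            this.defaultMimeType = defaultMimeType;
        }

        private void applyDefaults() {
            if (isCommitted()) {
                return; // headers already sent; nothing can be changed now
            }
            if (getContentType() == null) {
                setContentType(defaultMimeType);
            }
            // Tell the browser to honour the declared type instead of sniffing the body.
            if (!containsHeader("X-Content-Type-Options")) {
                setHeader("X-Content-Type-Options", "nosniff");
            }
        }

        @Override
        public ServletOutputStream getOutputStream() throws IOException {
            applyDefaults();
            return super.getOutputStream();
        }

        @Override
        public PrintWriter getWriter() throws IOException {
            applyDefaults();
            return super.getWriter();
        }
    }
}
```

Register it in web.xml with a `<filter>` element carrying the `default-mime-type` init-param and a `<filter-mapping>` whose url-pattern is `/*`, so it wraps every response the file servlet produces. Responses that write no body (for example a 304 Not Modified) never call `getOutputStream` or `getWriter` and are left untouched, which is the intended behaviour.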
Steps To Reproduce |
Additional Information |
Attached Files |
Mantis 1.0.0rc3
Copyright © 2000 - 2005 Mantis Group