Mantis Bugtracker
  

Viewing Issue Advanced Details
ID: 0006237
Category: [Resin]
Severity: feature
Reproducibility: always
Date Submitted: 05-07-19 08:57
Last Update: 06-26-19 13:38
Reporter: stbu
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Projection: none
ETA: none
Fixed in Version: 4.0.63
Product Version: 4.0.61

Summary: 0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet

Description:
TL;DR: A resin configuration option to improve Security regarding Cross Site Scripting with a default MIME-Type.

Current Behavior:
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the HTTP Response will *not* have a Content-Type Header.

Desired Behavior:
Define a default mime type value like "text/plain" in resin.xml
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the default-mime-type value is used in the HTTP Response Header Content-Type.


Background:
Unfortunately Browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header advising different.

See also: https://www.youtube.com/watch?v=dBJt3eR8-bg (12 Minute Video, titled "Fun with Apache and MIME types - Hanno Böck")

Note: W3C Standard Authoritative Metadata says:
 "Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation."
=> Therefore it is a standard to enable Cross Site Scripting.

But Software doesn't have to follow stupid standards!


Suggestion for com.caucho.servlets.FileServlet:
Somewhere around line 434:

    if (mime != null) {
      res.setContentType(mime);
    }
+ else if (defaultMimeType != null) {
+ res.setContentType(defaultMimeType);
+ }
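
Review bot: `defaultMimeType` in the added `else if` branch is not declared or populated anywhere in these lines, so the change also needs the field and the setter or init-param that fills it, with null as the default so existing deployments keep the current behaviour until they opt in. The configuration documentation should state that the value applies only when no mime-type mapping matched the extension. Since the goal is to stop browsers from sniffing HTML, consider also sending `X-Content-Type-Options: nosniff` in this branch. The three added lines should be indented to match the surrounding `if` block.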

And defaultMimeType is retrieved from a new resin configuration option or maybe a new Servlet InitParameter in app-default.xml
Steps To Reproduce
Additional Information
Attached Files
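
To find which files a deployment would serve without a Content-Type header (the "Current Behavior" in the description), this added example, which is not code from Resin or from the reporter, walks a document root and lists files whose extension has no MIME mapping, marking those whose first bytes look like HTML. The `mime_map` argument is an assumed stand-in for the server's mime-mapping configuration; `audit_docroot`, `HTML_HINT` and `SNIFF_WINDOW` are hypothetical names.

```python
import mimetypes
import os
import re

# Heuristic (assumption): tags near the start of a file that make a browser
# likely to render an untyped response as HTML.
HTML_HINT = re.compile(rb"<\s*(!doctype|html|head|body|script|iframe|img|svg|a)\b", re.I)
SNIFF_WINDOW = 1024  # only the start of each file is inspected


def audit_docroot(root, mime_map=None):
    """Return sorted (relative_path, looks_like_html) for unmapped files.

    mime_map: dict of lower-case extension -> type, standing in for the
    server's mime-mapping (assumption). Defaults to Python's own table.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if mime_map is not None:
                mapped = mime_map.get(ext)
            else:
                mapped = mimetypes.guess_type(name, strict=True)[0]
            if mapped:
                continue  # the server would send a Content-Type header
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SNIFF_WINDOW)
            rel = os.path.relpath(path, root)
            findings.append((rel, bool(HTML_HINT.search(head))))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed sample docroot, not taken from the issue.
    samples = {"index.html": b"<html></html>",
               "upload.unknownext": b"<script>/* constructed */</script>",
               "data.blob": b"\x00\x01\x02 binary"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for rel, risky in audit_docroot(root, {".html": "text/html"}):
            print(("HTML-like " if risky else "opaque    ") + rel)
```

Files reported as HTML-like are the ones to give an explicit mapping, or to cover with the default type once running a version that has the option.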

- Relationships

- Notes
(0006906)
ferg
06-26-19 13:38

server/1978
 

- Issue History
Date Modified Username Field Change
05-07-19 08:57 stbu New Issue
05-07-19 08:57 stbu Issue Monitored: stbu
06-26-19 13:38 ferg Note Added: 0006906
06-26-19 13:38 ferg Assigned To  => ferg
06-26-19 13:38 ferg Status new => closed
06-26-19 13:38 ferg Resolution open => fixed
06-26-19 13:38 ferg Fixed in Version  => 4.0.63

