Mantis - Resin
Viewing Issue Advanced Details

ID: 6237
Category:
Severity: feature
Reproducibility: always
Date Submitted: 05-07-19 08:57
Last Update: 06-26-19 13:38

Reporter: stbu
Assigned To: ferg
Priority: normal
Status: closed
Product Version: 4.0.61
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 4.0.63

Summary: 0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet
Description:

TL;DR: A resin configuration option to improve security regarding Cross Site Scripting with a default MIME type.

Current Behavior: Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the HTTP response will *not* have a Content-Type header.

Desired Behavior: Define a default mime type value like "text/plain" in resin.xml. Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the default-mime-type value is used in the HTTP response header Content-Type.

Background: Unfortunately browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header advising different.

See also: https://www.youtube.com/watch?v=dBJt3eR8-bg (12 minute video, titled "Fun with Apache and MIME types - Hanno Böck")

Note: The W3C standard Authoritative Metadata says: "Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation."
=> Therefore it is a standard to enable Cross Site Scripting. But software doesn't have to follow stupid standards!

Suggestion for com.caucho.servlets.FileServlet, somewhere around line 434:

      if (mime != null) {
        res.setContentType(mime);
      }
    + else if (defaultMimeType != null) {
    +   res.setContentType(defaultMimeType);
    + }

And defaultMimeType is retrieved from a new resin configuration option or maybe a new Servlet InitParameter in app-default.xml.
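Review bot: the added else-if branch reads a `defaultMimeType` that the snippet never declares or populates; the surrounding text says it should come from a new resin configuration option or a servlet init parameter in app-default.xml, so the change also needs the field, the read of that option during servlet initialisation, and an explicit null default so the existing behaviour (no Content-Type header at all) is preserved whenever the option is not configured. The option's documentation should also name the fallback the report itself proposes, "text/plain", so that operators enabling it do so deliberately.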
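The decision the report describes (mapped extension gets its mapped type; unmapped extension gets either the configured default or no Content-Type header at all), together with a check that lists which served paths would go out without a Content-Type and therefore be left to browser sniffing, as an added Python example. This is not Resin's FileServlet code; the mapping table, the served paths and the response body are constructed for the demonstration, and the function names are the example's own.

```python
"""Model of the Content-Type decision described in the issue, plus a check that
flags responses a browser would have to MIME-sniff. Added example, not Resin code."""
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed extension -> MIME mapping table; a real container reads this
# from its mime-mapping configuration.
MIME_MAPPINGS: Dict[str, str] = {
    ".html": "text/html",
    ".css": "text/css",
    ".js": "application/javascript",
    ".png": "image/png",
    ".txt": "text/plain",
}


def resolve_content_type(path: str, default_mime_type: Optional[str] = None) -> Optional[str]:
    """Mapped extension -> mapped type; unmapped -> configured default if set, else None.

    None models the current behaviour: the response is sent with no Content-Type header.
    """
    ext = PurePosixPath(path).suffix.lower()
    mime = MIME_MAPPINGS.get(ext)
    if mime is not None:
        return mime
    return default_mime_type


def build_response(path: str, body: bytes, default_mime_type: Optional[str] = None) -> bytes:
    """Serialise a minimal HTTP/1.1 response the way the described servlet would."""
    headers = [f"Content-Length: {len(body)}"]
    content_type = resolve_content_type(path, default_mime_type)
    if content_type is not None:
        headers.append(f"Content-Type: {content_type}")
    head = "HTTP/1.1 200 OK\r\n" + "\r\n".join(headers) + "\r\n\r\n"
    return head.encode("ascii") + body


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response; keys are lowercased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def sniffable(raw: bytes) -> bool:
    """True when the response carries no Content-Type, i.e. the browser chooses the type."""
    return "content-type" not in parse_headers(raw)


def audit(paths: List[str], default_mime_type: Optional[str]) -> List[str]:
    """Return the served paths whose response would be sniffable under the given default."""
    body = b"<html><body>user supplied content</body></html>"  # constructed body
    return [p for p in paths if sniffable(build_response(p, body, default_mime_type))]


# Constructed list of paths the file servlet is asked for.
SERVED_PATHS = ["/index.html", "/static/app.js", "/downloads/readme.nfo", "/uploads/report.xyz"]

if __name__ == "__main__":
    print("no default :", audit(SERVED_PATHS, None))          # the two unmapped paths
    print("text/plain :", audit(SERVED_PATHS, "text/plain"))  # empty list
```

Running the audit once with `None` and once with `"text/plain"` shows the effect of the requested option: the two unmapped extensions lose their Content-Type in the first run and receive the configured default in the second, while mapped extensions are unaffected either way.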
Steps To Reproduce:
Additional Information:
Relationships
Attached Files:
Notes