Mantis Bugtracker

Viewing Issue Simple Details
ID: 0006237
Category: [Resin]
Severity: feature
Reproducibility: always
Date Submitted: 05-07-19 08:57
Last Update: 05-07-19 08:57
Reporter: stbu
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Version: 4.0.61
Summary: 0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet

Description:
TL;DR: A Resin configuration option to improve security regarding cross-site scripting by sending a default MIME type.

Current Behavior:
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the HTTP response will *not* have a Content-Type header.

Desired Behavior:
Define a default mime-type value like "text/plain" in resin.xml.
Making an HTTP request to a file which is handled by FileServlet with a file extension where no mime-type mapping is defined -> the default mime-type value is used in the HTTP response header Content-Type.


Background:
Unfortunately, browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header advising otherwise.

See also: https://www.youtube.com/watch?v=dBJt3eR8-bg (12 minute video, titled "Fun with Apache and MIME types - Hanno Böck")

Note: The W3C standard "Authoritative Metadata" says:
"Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation."
=> Therefore it is a standard to enable Cross Site Scripting.

But Software doesn't have to follow stupid standards!


Suggestion for com.caucho.servlets.FileServlet:
Somewhere around line 434:

    if (mime != null) {
      res.setContentType(mime);
    }
+ else if (defaultMimeType != null) {
+ res.setContentType(defaultMimeType);
+ }
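Review bot: defaultMimeType is used on the added lines but nothing in the hunk declares it or shows where its value comes from; the change needs a field on FileServlet that init() fills from the proposed configuration option or init-param, left null when unconfigured so that existing deployments keep today's behaviour (no Content-Type header) and only opt in by setting a value. The "+" lines should also carry the same indentation as the surrounding `if (mime != null)` block so the suggestion reads as one statement.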

And defaultMimeType is retrieved from a new Resin configuration option, or maybe a new servlet init parameter in app-default.xml.
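The fallback the description asks for can also be applied without modifying FileServlet, by a servlet filter that wraps the response and sets the configured default only if no Content-Type has been set by the time the body is first written. This is an added example, not Resin code or the reporter's patch; the class name, the "default-mime-type" init-param and the web.xml fragment in the comments are assumptions, and the filter assumes the downstream servlet writes the body through getOutputStream() or getWriter().

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Applies a configurable default Content-Type when the wrapped servlet never set one. */
public class DefaultContentTypeFilter implements Filter {
    // Assumed init-param name; "text/plain" is the fallback the issue proposes.
    private String defaultMimeType = "text/plain";

    @Override
    public void init(FilterConfig config) {
        String value = config.getInitParameter("default-mime-type");
        if (value != null && !value.trim().isEmpty()) {
            defaultMimeType = value.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) { chain.doFilter(req, res); return; }
        // The check has to run when the body is first written: checking after
        // chain.doFilter() returns would be too late, the headers are already sent.
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
            private void applyDefault() {
                if (getContentType() == null) setContentType(defaultMimeType);
            }
            @Override public ServletOutputStream getOutputStream() throws IOException {
                applyDefault(); return super.getOutputStream();
            }
            @Override public PrintWriter getWriter() throws IOException {
                applyDefault(); return super.getWriter();
            }
        });
    }

    @Override public void destroy() {}
}
// Assumed web.xml deployment fragment:
//   <filter><filter-name>defaultType</filter-name>
//     <filter-class>DefaultContentTypeFilter</filter-class>
//     <init-param><param-name>default-mime-type</param-name><param-value>text/plain</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>defaultType</filter-name><url-pattern>/*</url-pattern></filter-mapping>
```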
There are no notes attached to this issue.

Issue History:
05-07-19 08:57 - stbu - New Issue
05-07-19 08:57 - stbu - Issue Monitored: stbu

Mantis 1.0.0rc3
Copyright © 2000 - 2005 Mantis Group