| Anonymous | Login | Signup for a new account | 12-17-2024 08:33 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0006237 | [Resin] | feature | always | 05-07-19 08:57 | 06-26-19 13:38 | ||||
| Reporter | stbu | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | 4.0.61 | ||||||
| Summary | 0006237: Feature-Request: Add a configurable default-value for Content-Type to FileServlet | ||||||||
| Description |
TL;DR: A resin configuration option to improve Security regarding Cross Site Scripting with a default MIME-Type. Current Behavior: Making an HTTP request to a file which is handled by FileServlet with an file extension where no mime-type mapping is defined -> the HTTP Response will *not* have a Content-Type Header. Desired Behavior: Define a default mime type value like "text/plain" in resin.xml Making an HTTP request to a file which is handled by FileServlet with an file extension where no mime-type mapping is defined -> the default-mime-type value is used in the HTTP Response Header Content-Type. Background: Unfortunately Browsers like Firefox or Edge will render a file as HTML if it contains HTML and does *not* have a Content-Type header advising different. See also: https://www.youtube.com/watch?v=dBJt3eR8-bg [^] (12 Minute Video, titled "Fun with Apache and MIME types - Hanno Böck") Note: W3C Standard Authoritative Metadata says: "Server Managers (webmasters) SHOULD NOT specify an arbitrary Internet media type (e.g. "text/plain" or "application/octet-stream") when the media type is unknown. It is better to send no media type if the resource owner has failed to define one for a given representation." => Therefore it is a standard to enable Cross Site Scripting. But Software doesn't have to follow stupid standards! Suggestion for com.caucho.servlets.FileServlet: Somewhere around line 434: if (mime != null) { res.setContentType(mime); } + else if (defaultMimeType != null) { + res.setContentType(defaultMimeType); + } And defaultMimeType is retrieved from a new resin configuration option or maybe a new Servlet InitParameter in app-default.xml |
||||||||
| Additional Information | |||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0006906) ferg 06-26-19 13:38 |
server/1978 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 05-07-19 08:57 | stbu | New Issue | |
| 05-07-19 08:57 | stbu | Issue Monitored: stbu | |
| 06-26-19 13:38 | ferg | Note Added: 0006906 | |
| 06-26-19 13:38 | ferg | Assigned To | => ferg |
| 06-26-19 13:38 | ferg | Status | new => closed |
| 06-26-19 13:38 | ferg | Resolution | open => fixed |
| 06-26-19 13:38 | ferg | Fixed in Version | => 4.0.63 |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed. 26 unique queries executed. |  |
