Posted to dev@jspwiki.apache.org by "brushed (JIRA)" <ji...@apache.org> on 2019/04/28 18:37:00 UTC
[jira] [Resolved] (JSPWIKI-1106) Attachment forceDownload property
[ https://issues.apache.org/jira/browse/JSPWIKI-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
brushed resolved JSPWIKI-1106.
------------------------------
Resolution: Fixed
Fix Version/s: 2.11.0-M4
Solved in 2.11.0-M4-git-10
> Attachment forceDownload property
> ----------------------------------
>
> Key: JSPWIKI-1106
> URL: https://issues.apache.org/jira/browse/JSPWIKI-1106
> Project: JSPWiki
> Issue Type: Improvement
> Components: Core & storage
> Affects Versions: 2.11.0-M3
> Reporter: brushed
> Priority: Minor
> Fix For: 2.11.0-M4
>
>
>
> The following sequence of actions can result in an annoying (although not harmful) javascript injection as an attachment to a JSPWiki site:
>
> 1) Go to attachments, click Add new attachment, select an HTML file (that HTML file has the XSS payload {{<img src=x onerror=alert(1)>}}) and click Upload
>
> 2) Now when a user clicks that HTML attachment, the alert gets executed
>
> Copied reply from the jspwiki mailing-list ::
> After discussing the issue, we came to the conclusion that
> attachment uploads can be controlled through the
> {{jspwiki.attachment.allowed}} and {{jspwiki.attachment.forbidden}} properties,
> although by default JSPWiki allows all types of attachments, which
> seems a reasonable default for the small-to-medium, mostly-personal wikis that
> people seem to be using Apache JSPWiki for.
> (...)
> We've also agreed to implement a new property,
> {{jspwiki.attachment.forceDownload}}, as a feature, to allow the administrators
> to specify which type of attachments should force a download when opening,
> or which are allowed to be opened in the browser, in order to have a
> friendlier-and-more-secure default configuration.
>
>
> Such "forceDownload" attachment links would be rendered with the additional "download" attribute. {{<a href="....some-file.html" download>description</a>}}
>
> Example of the properties file:
> {code}
> jspwiki.attachment.forceDownload= .html .htm .mp3
> {code}
>
>
>
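As an added illustration (not JSPWiki's own code), the following Python shows how a property value in the format above can be parsed and how an attachment link receives the `download` attribute only for the listed extensions, with the link text escaped so an attachment name cannot itself inject markup; the function names and the `attach/` URL form are assumptions.

```python
import html

# Constructed sample value, in the format of the jspwiki.attachment.forceDownload
# property from the issue: whitespace-separated extensions, each with a leading dot.
FORCE_DOWNLOAD_PROPERTY = ".html .htm .mp3"


def parse_force_download(value: str) -> frozenset:
    """Parse the property value into a set of lowercase extensions ('.html', ...).

    Tokens without a leading dot are normalised so 'html' and '.html' match alike.
    """
    exts = set()
    for token in value.split():
        token = token.strip().lower()
        if not token.startswith("."):
            token = "." + token
        exts.add(token)
    return frozenset(exts)


def attachment_extension(href: str) -> str:
    """Return the lowercase extension of the last path segment, or '' if none.

    A bare name such as '.html' is treated as having extension '.html', so a
    dotfile-style attachment cannot slip past the list.
    """
    name = href.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def must_force_download(href: str, forced: frozenset) -> bool:
    """True when the attachment's extension is on the forceDownload list (case-insensitive)."""
    return attachment_extension(href) in forced


def render_attachment_link(href: str, description: str, forced: frozenset) -> str:
    """Render the <a> tag; listed types get the HTML5 'download' attribute.

    Both the href and the visible description are escaped, so an attachment
    name containing markup is rendered as text rather than parsed as HTML.
    """
    attrs = 'href="%s"' % html.escape(href, quote=True)
    if must_force_download(href, forced):
        attrs += " download"
    return "<a %s>%s</a>" % (attrs, html.escape(description))
```

The `download` attribute only affects links the wiki renders; a user who is sent the attachment URL directly still gets the file inline unless the server also sends a `Content-Disposition: attachment` header for these types.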
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)