[ https://issues.apache.org/jira/browse/JSPWIKI-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brushed resolved JSPWIKI-1106.
------------------------------
       Resolution: Fixed
    Fix Version/s: 2.11.0-M4

Solved in 2.11.0-M4-git-10

> Attachment forceDownload property 
> ----------------------------------
>
>                 Key: JSPWIKI-1106
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1106
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.11.0-M3
>            Reporter: brushed
>            Priority: Minor
>             Fix For: 2.11.0-M4
>
>
>
> The following sequence of actions can result in an annoying (although not
> harmful) JavaScript injection as an attachment to a JSPWiki site:
>
>  1) Go to attachments, click Add new attachment, select an html file (that
> html file has the XSS payload {{<img src=x onerror=alert(1)>}}) and click Upload
>
>  2) Now when a user clicks that html attachment, the alert gets executed
>
> Copied reply from the jspwiki mailing-list:
> After discussing the issue, we came to the following conclusion that
> attachment uploads can be controlled through the
> {{jspwiki.attachment.allowed}} and {{jspwiki.attachment.forbidden}}
> properties, although by default JSPWiki allows all types of attachments, which
> seems a reasonable default for small-to-medium, mostly-personal wikis that
> people seem to be using Apache JSPWiki for.
> (...)
> We've also agreed to implement a new property,
> {{jspwiki.attachment.forceDownload}}, as a feature, to allow the
> administrators to specify which type of attachments should force a download
> when opening, or which are allowed to be opened in the browser, in order to
> have a friendlier-and-more-secure default configuration.
>
> Such "forceDownload" attachment links would be rendered with the additional
> "download" attribute: {{<a href="....some-file.html" download>description</a>}}
>  
> Example of the properties file:
> {code}
> jspwiki.attachment.forceDownload= .html .htm .mp3
> {code}
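As an added example (not JSPWiki's own code), here is how a renderer could apply such a property: parse the extension list, decide per attachment whether to emit the `download` attribute, and escape the link so the description cannot carry markup. It assumes the value is a whitespace-separated list of extensions, as in the issue's example; the function names are hypothetical.

```python
import html
import posixpath

# Property value taken from the issue's example (constructed sample input).
FORCE_DOWNLOAD_PROPERTY = ".html .htm .mp3"


def parse_force_download(value: str) -> frozenset:
    """Turn the property value into a set of lowercase extensions.

    Assumed format: whitespace-separated extensions, with or without the
    leading dot ("html .HTM" yields {".html", ".htm"}).
    """
    exts = set()
    for token in value.split():
        token = token.strip().lower()
        if not token.startswith("."):
            token = "." + token
        exts.add(token)
    return frozenset(exts)


def force_download(filename: str, forced: frozenset) -> bool:
    """True when the attachment's extension is in the forced list.

    The comparison is case-insensitive, so "PAYLOAD.HTML" is still forced;
    a file without an extension never matches.
    """
    _, ext = posixpath.splitext(filename)
    return ext.lower() in forced


def render_attachment_link(href: str, description: str, filename: str,
                           forced: frozenset) -> str:
    """Render the attachment anchor, adding the download attribute when the
    extension is in the forced list. href and description are HTML-escaped."""
    attrs = f'href="{html.escape(href, quote=True)}"'
    if force_download(filename, forced):
        attrs += " download"
    return f"<a {attrs}>{html.escape(description)}</a>"


if __name__ == "__main__":
    forced = parse_force_download(FORCE_DOWNLOAD_PROPERTY)
    for name in ("notes.txt", "page.html", "PAYLOAD.HTML", "README"):
        print(render_attachment_link(f"attach/Main/{name}", name, name, forced))
```

The `download` attribute is only a hint to the browser; a `Content-Disposition: attachment` header on the attachment response itself is the server-side counterpart that does not depend on how the link was rendered.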



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
