brushed created JSPWIKI-1106:
--------------------------------

             Summary: Attachment forceDownload property
                 Key: JSPWIKI-1106
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1106
             Project: JSPWiki
          Issue Type: Improvement
          Components: Core & storage
    Affects Versions: 2.11.0-M3
            Reporter: brushed

The following sequence of actions can result in an annoying (although not harmful) javascript injection as an attachment to a JSPWiki site:

1) Go to attachments, click Add new attachment, select an html file (that html file has the XSS payload {{<img src=x onerror=alert(1)>}}) and click Upload
2) Now when a user clicks that html attachment, the alert gets executed

Copied reply from the jspwiki mailing-list ::

After discussing the issue, we came to the following conclusion: attachment uploads can be controlled through the {{jspwiki.attachment.allowed}} and {{jspwiki.attachment.forbidden}} properties, although by default JSPWiki allows all types of attachments, which seems a reasonable default for the small-to-medium, mostly-personal wikis that people seem to be using Apache JSPWiki for.

(...)

We've also agreed to implement a new property, {{jspwiki.attachment.forceDownload}}, as a feature, to allow administrators to specify which types of attachments should force a download when opened, or which are allowed to be opened in the browser, in order to have a friendlier-and-more-secure default configuration.

Such "forceDownload" attachment links would be rendered with the additional "download" attribute:

{{<a href="....some-file.html" download>description</a>}}

Example of the properties file:

{code}
jspwiki.attachment.forceDownload= .html .htm .mp3
{code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
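As an added illustration of the proposed property (example code written for this note, not JSPWiki's implementation), the snippet below parses a forceDownload value, matches attachment names case-insensitively, and renders the anchor with the "download" attribute only for the configured types; the function names, the dot-normalisation of tokens and the sample attachments are assumptions.

```python
import html


def parse_force_download(value: str) -> frozenset[str]:
    """Turn the property value (whitespace-separated extensions, e.g.
    ".html .htm .mp3") into a set of lower-cased suffixes.
    Assumption: a token without a leading dot is still an extension."""
    exts = set()
    for tok in value.split():
        tok = tok.lower()
        exts.add(tok if tok.startswith(".") else "." + tok)
    return frozenset(exts)


def must_force_download(filename: str, forced: frozenset[str]) -> bool:
    """True when the attachment name ends with a configured extension.
    Compared case-insensitively so "evil.HTML" does not slip past ".html"."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in forced)


def render_attachment_link(href: str, filename: str, description: str,
                           forced: frozenset[str]) -> str:
    """Render the attachment anchor. Forced types get the HTML "download"
    attribute, which asks the browser to save the file instead of opening it;
    it is a client-side hint honoured for same-origin links, so the decision
    is made here on the server-side name, not on anything user-controlled."""
    attrs = f'href="{html.escape(href, quote=True)}"'
    if must_force_download(filename, forced):
        attrs += " download"
    return f"<a {attrs}>{html.escape(description)}</a>"


if __name__ == "__main__":
    forced = parse_force_download(".html .htm .mp3")
    # Constructed sample attachments, including an HTML file like the one in the report.
    for name in ("evil.html", "Notes.HTM", "song.mp3", "report.pdf"):
        print(render_attachment_link(f"attach/Main/{name}", name, name, forced))
```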