- From: Glenn Maynard <glenn@zewt.org>
- Date: Sat, 30 Apr 2011 14:45:26 -0400
On Sat, Apr 30, 2011 at 2:24 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> Note that somewhat counterintuitively, there would be some security
> concerns with markup-level content disposition controls (or any JS
> equivalent). For example, consider evil.com doing this:
>
> <a href='http://example.com/user_content/harmless_text_file.txt'
> disposition='attachment; filename="Important_Security_Update.exe"'>

To do some contriving, in trying to follow the example: if example.com is a site trusted by the user or administrator, it may be flagged in the browser as "always allow saving sensitive file types from this site". If you can override the C-D header remotely, and if there exists (for example) a text file whose contents happen to alias to a dangerous executable, then you could cause a dangerous executable to be saved to disk.

Browsers might need a mechanism to remember whether the effective Content-Disposition header is "trusted" (received from the response, or overridden from the same origin) or not, which is sort of annoying. Maybe a bit more contriving could come up with a more plausible example.

> Downloading files in general is a very problematic area, because
> there's a very fragile transition between HTTP MIME type and
> filesystem extension or other OS-level content determination
> mechanism. Many browsers either don't try to do anything useful to
> prevent weird "promotions" from safe to unsafe document types; or
> enforce decidedly imperfect logic. Allowing attackers to further
> control this process has some risks.

It's also a very important area for web apps, and one that's currently lacking, so I do think it's worth the work.

--
Glenn Maynard
Received on Saturday, 30 April 2011 11:45:26 UTC
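The "trusted effective Content-Disposition" bookkeeping discussed in the message above, modelled as an added example that is not part of the thread or of any browser's code. The `disposition` attribute, the origin strings, the allowlist and the extension list are assumptions for illustration; the point shown is that a markup-level override is honoured as trusted only when it comes from the resource's own origin, and that a dangerous extension is auto-saved only when the disposition is trusted and the origin is allowlisted.

```javascript
// Constructed model of the trusted/untrusted effective-disposition rule.
// All names and values are illustrative assumptions, not a real browser API.

// Extensions the OS would execute directly (illustrative, not complete).
const DANGEROUS_EXTENSIONS = new Set(["exe", "msi", "bat", "cmd", "scr", "js", "vbs"]);

// Minimal parser for 'attachment; filename="x.exe"'. Returns {type, filename} or null.
function parseDisposition(value) {
  if (!value) return null;
  const [type, ...params] = value.split(";").map((s) => s.trim());
  let filename = null;
  for (const p of params) {
    const m = /^filename\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) filename = m[1];
  }
  return { type: type.toLowerCase(), filename };
}

function extensionOf(filename) {
  const i = filename.lastIndexOf(".");
  return i < 0 ? "" : filename.slice(i + 1).toLowerCase();
}

// Decide what to do with a download.
//   response:  { origin, headerDisposition }  what the server actually sent
//   override:  { origin, value } | null       markup-level override, if any
//   allowlist: Set of origins the user marked "always allow sensitive types"
// Returns { disposition, trusted, allowed, reason }.
function effectiveDisposition(response, override, allowlist) {
  let disposition = parseDisposition(response.headerDisposition);
  let trusted = true; // a header from the response itself is trusted
  if (override) {
    // An override is trusted only when the embedding document shares the
    // resource's origin; otherwise evil.com could rename example.com's file.
    disposition = parseDisposition(override.value);
    trusted = override.origin === response.origin;
  }
  if (!disposition || disposition.type !== "attachment") {
    return { disposition, trusted, allowed: true, reason: "inline" };
  }
  const ext = disposition.filename ? extensionOf(disposition.filename) : "";
  if (!DANGEROUS_EXTENSIONS.has(ext)) {
    return { disposition, trusted, allowed: true, reason: "safe extension" };
  }
  // Dangerous extension: auto-save only if trusted AND the origin is allowlisted.
  if (trusted && allowlist.has(response.origin)) {
    return { disposition, trusted, allowed: true, reason: "allowlisted origin" };
  }
  const reason = trusted ? "prompt user" : "untrusted cross-origin override";
  return { disposition, trusted, allowed: false, reason };
}
```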