persistent xss vulnerability through uploaded files in IE8/9

Type atlassian
Reporter dblack
Modified 2019-08-22T04:07:29


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Cloud. Using Confluence Server? [See the corresponding bug report|]. {panel}

It is possible to upload a number of file types (checked by extension) to an answers instance and then download them later. Internet Explorer(8/9) sniffs text/plain (and some other content-types) downloads to determine the 'content-type' to use. This means that a text/plain content-type file in internet explorer can be rendered as text/html (as html). To solve this problem it is possible to: 1. set the content-disposition header to be "attachment" 2. and/or set the X-Content-Type-Options header to be "nosniff"