persistent xss vulnerability through uploaded files in IE8/9

Type atlassian
Reporter dblack
Modified 2017-04-02T09:04:17


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|]. {panel}

It is possible to upload a number of file types (checked by extension) to an answers instance and then download them later. Internet Explorer(8/9) sniffs text/plain (and some other content-types) downloads to determine the 'content-type' to use. This means that a text/plain content-type file in internet explorer can be rendered as text/html (as html). To solve this problem it is possible to: 1. set the content-disposition header to be "attachment" 2. and/or set the X-Content-Type-Options header to be "nosniff"