JSPWiki / JSPWIKI-1106

Attachment forceDownload property

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.11.0-M3
    • Fix Version/s: 2.11.0-M4
    • Component/s: Core & storage
    • Labels: None

    Description

      The following sequence of actions can result in an annoying (although not harmful) JavaScript injection as an attachment to a JSPWiki site:

      1) Go to attachments, click Add new attachment, select an HTML file (that HTML file has the XSS payload <img src=x onerror=alert(1)>) and click Upload

      2) Now, when a user clicks that HTML attachment, the alert gets executed

      Copied reply from the jspwiki mailing list:

      After discussing the issue, we came to the following conclusion that
      attachments upload can be controlled through
      jspwiki.attachment.allowed and jspwiki.attachment.forbidden properties,
      although by default JSPWiki allows all types of attachments, which
      seems a reasonable default for small-to-medium, mostly-personal wikis that
      people seem to be using Apache JSPWiki for.

      (...)

      We've also agreed to implement a new property,
      jspwiki.attachment.forceDownload, as a feature, to allow the administrators
      to specify which type of attachments should force a download when opening,
      or which are allowed to be opened in the browser, in order to have a
      friendlier-and-more-secure default configuration.
      Such "forceDownload" attachment links would be rendered with the additional "download" attribute: <a href="....some-file.html" download>description</a>

      Example of the properties file:

      jspwiki.attachment.forceDownload= .html .htm .mp3
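      As an added illustration (not JSPWiki's own code), the following small Java class shows what the proposed property implies for link rendering: it parses a jspwiki.attachment.forceDownload value such as the one above, decides per attachment whether the link gets the download attribute, and HTML-escapes the file name so the attachment name itself cannot inject markup into the link. The class and method names are invented for this example; the extension matching is case-insensitive by assumption, which the issue does not specify.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example, not JSPWiki code: interpret a
 * "jspwiki.attachment.forceDownload" value such as ".html .htm .mp3"
 * and render attachment links with the "download" attribute for the
 * configured extensions only.
 */
public class ForceDownloadExample {

    private final Set<String> forced;

    /** Parse the whitespace-separated extension list (case-insensitive by assumption). */
    public ForceDownloadExample(String propertyValue) {
        String[] parts = propertyValue == null ? new String[0] : propertyValue.trim().split("\\s+");
        forced = Arrays.stream(parts)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .map(s -> s.startsWith(".") ? s : "." + s)   // accept "html" as well as ".html"
                .collect(Collectors.toSet());
    }

    /** True when the attachment's extension is in the configured list. */
    public boolean forceDownload(String attachmentName) {
        int dot = attachmentName.lastIndexOf('.');
        if (dot < 0 || dot == attachmentName.length() - 1) {
            return false;   // no extension: keep the default (open inline)
        }
        return forced.contains(attachmentName.substring(dot).toLowerCase(Locale.ROOT));
    }

    /** Minimal HTML escaping for attribute values and link text. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render the anchor; "download" is added only for configured extensions. */
    public String renderLink(String href, String attachmentName) {
        String attr = forceDownload(attachmentName) ? " download" : "";
        return "<a href=\"" + escape(href) + "\"" + attr + ">" + escape(attachmentName) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: the property value from the issue and three attachment names.
        ForceDownloadExample cfg = new ForceDownloadExample(".html .htm .mp3");
        System.out.println(cfg.renderLink("attach/Main/page.html", "page.html"));
        System.out.println(cfg.renderLink("attach/Main/report.pdf", "report.pdf"));
        System.out.println(cfg.renderLink("attach/Main/Notes.HTM", "Notes.HTM"));
    }
}
```

      One caveat for anyone configuring this: the download attribute is a hint that the browser honours, so the link markup alone does not stop a direct request to the attachment URL from rendering the HTML inline. Serving the listed types with a Content-Disposition: attachment header on the server side gives the same effect regardless of how the URL is reached; whether the JSPWiki change also does that is not stated in this issue.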
          People

            Assignee: Unassigned
            Reporter: Dirk Frederickx (brushed)
            Votes: 0
            Watchers: 2
