Details
-
Sub-task
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
In NMWebService/AHSWebservice, we have used CONTENT-DISPOSITION header for show/download container logs. Looks like it has security risks. And people have devised content-disposition hacking.
The HTTP 1.1 Standard (RFC 2616) also mentions the possible security side effects of content disposition:
15.5 Content-Disposition Issues RFC 1806 [35], from which the often implemented Content-Disposition (see section 19.5.1) header in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementors. See RFC 2183 [49] (which updates RFC 1806) for details.