Malicious email vulnerability patch

I was doing some security tests against RT because I’m getting
paranoid in my old age. I noticed that it was easy to send HTML text
as attachments to RT. This can be a bad thing if you use IE to get
to RT. The two patches below are a quick hack to prevent the display of
an HTML attachment, depending on the setting of something in config.pm.
Tarballs and zip files will be left alone, so they cause a save (rather
than display) when you press ‘download’.

*** WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:02:00 1.1
— WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:01:26
*** 20,25 ****
— 20,30 ----

   }
   my $content_type = $AttachmentObj->ContentType || 'text/plain';
  •  if (! $RT::trustHTMLAttachements) {
    
  •   if($content_type eq 'text/html') {
    
  •       $content_type = 'text/plain';
    
  •   }
    
  •  }
     SetContentType($content_type);
     $m->out($AttachmentObj->Content); 
     $m->abort; 
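
Review bot: The guard on the first added line tests `$RT::trustHTMLAttachements`, but the config.pm hunk in this same patch assigns `$TrustHTMLAttachments` (capital T, different spelling), so as far as these two hunks show, the flag read here is never the one an administrator sets and text/html is downgraded whatever the configuration says. Use one spelling in both files. Separately, `$content_type eq 'text/html'` is an exact, case-sensitive comparison; lower-casing the value and ignoring anything after a `;` before comparing would make the check harder to slip past.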
    

*** etc/config.pm.dist Mon Oct 7 23:25:22 2002
— etc/config.pm Thu Oct 31 13:35:58 2002
*** 405,410 ****
— 408,419 ----

    ]
   );
  • if TrustHTMLAttachement is not defined, we will display them

  • as text. This prevents malicious HTML and javascript from being

  • sent in a request (although there is probably more to it than that)

  • $TrustHTMLAttachments = undef;

    }}}
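
Review bot: The added comment names the setting TrustHTMLAttachement and says it applies when the value "is not defined", while the variable assigned below it is `$TrustHTMLAttachments` and the dhandler hunk tests its flag with `!`, so a defined but false value such as 0 is also treated as untrusted. Spell the name in the comment the way the variable is spelled, reword it to "unless set to a true value", and state which value turns inline HTML display on.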

Tony Aiuto
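
A stricter form of the content-type downgrade described above, as an added example that is not part of the original patch or of RT. The sub name `display_type_for`, the list of types treated as active content, and the sample inputs are assumptions; it goes beyond the patch by comparing the media type case-insensitively and ignoring parameters.

```perl
use strict;
use warnings;

# Hypothetical helper (not RT code): choose the Content-Type to send for an
# attachment, given the type declared in the e-mail and the site's trust flag.
# Assumed list of types a browser would render as active content.
my %ACTIVE = map { $_ => 1 } qw(
    text/html
    application/xhtml+xml
);

sub display_type_for {
    my ($declared, $trust_html) = @_;
    $declared = 'text/plain' unless defined $declared && length $declared;

    # Trusted sites get the declared type unchanged.
    return $declared if $trust_html;

    # Compare only the media type: drop parameters such as "; charset=...",
    # trim surrounding whitespace, and fold case (MIME types are
    # case-insensitive).
    my ($media) = split /;/, $declared, 2;
    $media = '' unless defined $media;
    $media =~ s/^\s+|\s+$//g;
    $media = lc $media;

    # Active content is shown as plain text; everything else (tarballs,
    # zip files, images) keeps its type so the browser saves or renders it
    # as before.
    return $ACTIVE{$media} ? 'text/plain' : $declared;
}

# Constructed sample inputs: [ declared type, trust flag ].
for my $case (
    [ 'text/html',                0 ],
    [ 'Text/HTML; charset=utf-8', 0 ],
    [ 'application/x-gzip',       0 ],
    [ 'text/html',                1 ],
) {
    my ($type, $trust) = @$case;
    printf "%-26s trust=%d -> %s\n", $type, $trust,
        display_type_for($type, $trust);
}
```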