I was doing some security tests against RT because I’m getting
paranoid in my old age. I noticed that it was easy to send HTML text
as attachments to RT. This can be a bad thing if you use IE to get
to RT. The two patches below are a quick hack to prevent the display of
an HTML attachment, depending on the setting of something in config.pm.
Tarballs and zip files will be left alone, so they cause a save (rather
than display) when you press ‘download’.
*** WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:02:00 1.1
— WebRT/html/Ticket/Attachment/dhandler 2002/11/06 21:01:26
*** 20,25 ****
— 20,30 ----
}
my $content_type = $AttachmentObj->ContentType || 'text/plain';
-
if (! $RT::trustHTMLAttachements) {
-
if($content_type eq 'text/html') {
-
$content_type = 'text/plain';
-
}
-
} SetContentType($content_type); $m->out($AttachmentObj->Content); $m->abort;
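Review bot: the flag this hunk reads, `$RT::trustHTMLAttachements`, does not match the one the config.pm hunk defines, `$TrustHTMLAttachments` (different spelling and case), so the setting can never be turned on; an undefined variable is false, `!` makes the branch unconditional, and every text/html attachment is downgraded regardless of config. That is the fail-safe direction, but the knob is dead, so pick one name and use it in both files. The comparison `$content_type eq 'text/html'` is also an exact match: a declared type such as `text/html; charset=iso-8859-1` or `Text/HTML` passes through untouched. A media-type match that ignores parameters and case, e.g. `if ($content_type =~ m{^\s*text/html\b}i)`, closes that gap. Finally, rewriting the type to text/plain only helps as far as the browser honours it; since the motivation is IE, which sniffs content, sending `Content-Disposition: attachment` for untrusted types is a stronger control than relabelling alone.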
*** etc/config.pm.dist Mon Oct 7 23:25:22 2002
— etc/config.pm Thu Oct 31 13:35:58 2002
*** 405,410 ****
— 408,419 ----
]
);
-
if TrustHTMLAttachement is not defined, we will display them
-
as text. This prevents malicious HTML and javascript from being
-
sent in a request (although there is probably more to it than that)
-
$TrustHTMLAttachments = undef;
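Review bot: the three explanatory lines added above `$TrustHTMLAttachments = undef;` carry no leading `#` as shown here; unless that was lost in transit they are bare Perl inside config.pm and will not compile. They also refer to the setting as `TrustHTMLAttachement`, a third spelling alongside `$TrustHTMLAttachments` here and `$RT::trustHTMLAttachements` in the dhandler hunk; the comment, the variable and the reader in dhandler should all use one name in the RT package namespace. Defaulting the value to undef (display as text) is the right safe default.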
Tony Aiuto
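As an added example that is not part of the posted patches or of RT itself, the check the patches describe, written as a stand-alone Perl helper. It assumes a single boolean flag (passed in as `$trust_html`, standing in for whatever config variable RT ends up using) and a hypothetical caller that hands it the raw ContentType string. It goes a little beyond the patch by comparing only the media type, case-insensitively and ignoring parameters, so that `Text/HTML; charset=iso-8859-1` is downgraded along with plain `text/html`.

```perl
#!/usr/bin/perl
# Added example, not RT code: decide whether an attachment's declared
# content type may be served as-is or must be downgraded to text/plain.
# $trust_html stands in for an RT config flag (hypothetical name here).
use strict;
use warnings;

sub safe_content_type {
    my ($declared, $trust_html) = @_;

    # Mirror the dhandler's default when no ContentType was recorded.
    my $ct = (defined $declared && length $declared) ? $declared : 'text/plain';

    # Operator has explicitly chosen to trust HTML: serve it unchanged.
    return $ct if $trust_html;

    # Look only at the media type: strip parameters and surrounding space,
    # then compare case-insensitively.
    my ($media) = split /;/, $ct, 2;
    $media =~ s/^\s+|\s+$//g;
    return 'text/plain' if lc($media) eq 'text/html';

    # Anything else (tarballs, zips, images, ...) keeps its declared type,
    # so the browser still offers a save for non-displayable types.
    return $ct;
}

# Constructed sample inputs for a quick self-check when run directly.
my @samples = ('text/html', 'Text/HTML; charset=iso-8859-1',
               'application/zip', 'application/x-tar', undef);
for my $in (@samples) {
    my $shown = defined $in ? $in : '(undef)';
    printf "%-32s -> %s\n", $shown, safe_content_type($in, 0);
}
```

Whatever name the config flag finally gets, the same name has to be read in the dhandler; otherwise the helper is always called with a false flag and HTML is downgraded unconditionally.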