Changes between Initial Version and Version 1 of Ticket #11827, comment 11


Timestamp:
Jun 20, 2014, 1:07:56 AM (10 years ago)
Author:
Ryan J Ollos
Comment:

  • Ticket #11827, comment 11

    initial | v1 | text
    6       | 6  | However, I think another issue in Content-Type in trac-hacks.
    7       | 7  |
    8       |    | [removed] All committers can add any contennts and set any Content-Type to the files via `svn:mime-type` in repository of trac-hacks. Any one can register to trac-hacks. Therefore, a attacker can add html files with attack javascript vectors in the same origin of trac-hacks.org.
            | 8  | [added]   All committers can add any contents and set any Content-Type to the files via `svn:mime-type` in repository of trac-hacks. Any one can register to trac-hacks. Therefore, a attacker can add html files with attack javascript vectors in the same origin of trac-hacks.org.
    9       | 9  |
    10      | 10 | Workaround is adding `Content-Disposition: attachment` header for force a file to download if `GET` request for a file.
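The workaround described in the comment, as an added example that is not part of the ticket or of Trac's own code: a header-selection function for a repository file `GET` that forces a download and refuses to serve committer-controlled active types inline. The `ACTIVE_TYPES` list and the `response_headers` name are this example's own assumptions.

```python
"""Added example (not from the Trac ticket or Trac's code): pick response
headers for a file served from a Subversion repository browser, using the
committer-controlled svn:mime-type property as untrusted input."""

# Constructed list of types a browser would render as a document, and run
# scripts from, if served inline on the site's own origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}


def response_headers(svn_mime_type, filename):
    """Return headers for a repository file download.

    svn_mime_type: value of the svn:mime-type property (may be None or junk).
    filename: last path component, used only for the suggested download name.
    """
    ctype = (svn_mime_type or "").split(";")[0].strip().lower()
    # Anything that is not a plausible type/subtype becomes an inert default.
    if not ctype or "/" not in ctype:
        ctype = "application/octet-stream"
    # Active types are downgraded so that even a client that ignores
    # Content-Disposition will not render the file as a page.
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    # Keep the download name header-safe (no quotes, separators or spaces).
    safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in filename)
    return {
        "Content-Type": ctype,
        # Force the browser to save the file instead of rendering it.
        "Content-Disposition": 'attachment; filename="%s"' % (safe_name or "download"),
        # Stop MIME sniffing from promoting text/plain to HTML.
        "X-Content-Type-Options": "nosniff",
    }
```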