Changes between Initial Version and Version 1 of Ticket #11827, comment 11
Timestamp: Jun 20, 2014, 1:07:56 AM
Ticket #11827, comment 11
initial  v1
6        6    However, I think another issue in Content-Type in trac-hacks.
7        7
8             - All committers can add any conten nts and set any Content-Type to the files via `svn:mime-type` in repository of trac-hacks. Any one can register to trac-hacks. Therefore, a attacker can add html files with attack javascript vectors in the same origin of trac-hacks.org.
         8    + All committers can add any contents and set any Content-Type to the files via `svn:mime-type` in repository of trac-hacks. Any one can register to trac-hacks. Therefore, a attacker can add html files with attack javascript vectors in the same origin of trac-hacks.org.
9        9
10       10   Workaround is adding `Content-Disposition: attachment` header for force a file to download if `GET` request for a file.
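The problem and the workaround described in comment 11, as an added Python example that is not Trac's or trac-hacks' own code. A constructed in-memory dictionary stands in for the Subversion repository and its committer-controlled `svn:mime-type` properties; the WSGI handler, the helper names, the browser model and the extra `X-Content-Type-Options: nosniff` header are assumptions of this example, and only the `Content-Disposition: attachment` workaround comes from the comment.

```python
"""Serving repository files whose Content-Type comes from an untrusted
svn:mime-type property: the vulnerable response beside the hardened one.

Added illustration, not Trac or trac-hacks code. REPOSITORY, the WSGI app
and the nosniff header are assumptions; the Content-Disposition: attachment
workaround is the one from the ticket comment.
"""
import re
from urllib.parse import quote

# Constructed sample repository: path -> (svn:mime-type set by the committer, bytes).
# The second entry is what any registered committer could commit: an HTML file
# whose svn:mime-type is text/html, so a browser fetching it from the
# repository host renders it and runs the script in that host's origin.
REPOSITORY = {
    "/good-plugin/README.txt": ("text/plain", b"A harmless plugin README.\n"),
    "/evil-plugin/index.html": ("text/html", b"<script>alert(document.cookie)</script>\n"),
}


def vulnerable_headers(path):
    """Trust svn:mime-type and send the file inline: text/html gets rendered."""
    mime, body = REPOSITORY[path]
    return [("Content-Type", mime), ("Content-Length", str(len(body)))], body


def content_disposition(path):
    """Safe Content-Disposition value for a committer-chosen file name: CR, LF,
    quotes, backslashes and control characters are replaced in the quoted
    filename so the name cannot inject header lines, and a percent-encoded
    RFC 5987 filename* carries the original (possibly non-ASCII) name."""
    name = path.rsplit("/", 1)[-1]
    ascii_name = re.sub(r'[\r\n"\\\x00-\x1f]', "_", name)
    ascii_name = ascii_name.encode("ascii", "replace").decode()
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (ascii_name, quote(name))


def hardened_headers(path):
    """Force a download: the declared type is kept for the save dialog, but
    Content-Disposition: attachment stops the browser from rendering the body
    in the repository host's origin, and nosniff (an addition of this example)
    stops it from guessing a different type."""
    mime, body = REPOSITORY[path]
    return [
        ("Content-Type", mime),
        ("Content-Disposition", content_disposition(path)),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ], body


def would_render_as_html(headers):
    """Rough model of a browser: HTML executes only when sent inline as text/html."""
    h = dict(headers)
    inline = not h.get("Content-Disposition", "").lower().startswith("attachment")
    return inline and h.get("Content-Type", "").split(";")[0].strip() == "text/html"


def make_app(hardened):
    """Minimal WSGI handler answering GET /path from REPOSITORY in either mode."""
    build = hardened_headers if hardened else vulnerable_headers

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("REQUEST_METHOD") != "GET" or path not in REPOSITORY:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        headers, body = build(path)
        start_response("200 OK", headers)
        return [body]

    return app


def serve(app, path, method="GET"):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for mode in (False, True):
        status, headers, _ = serve(make_app(hardened=mode), "/evil-plugin/index.html")
        print("hardened=%s renders as HTML: %s" % (mode, would_render_as_html(headers)))
```

Note that `Content-Disposition: attachment` does not change what the file contains, only how the browser treats a direct `GET` for it; the filename sanitisation is there because the committer who chooses the mime type also chooses the file name that ends up in that header.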