The information here is outdated. Please keep that in mind when using it.

Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#579 closed defect (fixed)

IE6,7: XSS vulnerability via upload of *.html files

Reported by: tejimaa Owned by: takanashi
Priority: blocker Milestone: OpenPNE2.8beta4
Component: core [OpenPNE core part] Version:
Keywords: Cc:

Change History (10)

comment:1 Changed 13 years ago by tejimaa

Description: modified (diff)

comment:2 Changed 13 years ago by takanashi

Owner: changed from nobody to openpne
Priority: critical → blocker

comment:3 Changed 13 years ago by takanashi

Fix policy
- Decide whether an upload is allowed or denied by file extension
- Specify Attachment in the Content-Disposition header
We will address the two points above.

comment:4 Changed 13 years ago by takanashi

comment:5 Changed 13 years ago by ebihara

I'll do it.

I'll cut a branch from branches/develop/2_8RC2 and work there.

comment:6 Changed 13 years ago by ebihara

Owner: changed from openpne to ebihara

comment:7 Changed 13 years ago by takanashi

Milestone: OpenPNE2.8RC2 → OpenPNE2.8beta3(RC1)
Owner: changed from ebihara to takanashi

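For the XSS vulnerability, we consider the fix complete with "Specify Attachment in the Content-Disposition header".

"Decide whether an upload is allowed or denied by file extension" will be handled in a separate ticket.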

comment:8 Changed 13 years ago by takanashi

Milestone: OpenPNE2.8beta3(RC1) → OpenPNE2.8RC1

comment:9 Changed 13 years ago by takanashi

Resolution: fixed
Status: new → closed

comment:10 Changed 13 years ago by takanashi

The extension check will be handled in #585.
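
The two measures named in the fix policy of comment:3 (allow or deny by file extension, and `Content-Disposition: attachment` on download), as an added Python example that is not part of the ticket and not OpenPNE's code. The allowlist contents and the function names `is_upload_allowed` and `download_headers` are assumptions.

```python
import os
import re

# Assumed allowlist for illustration; the ticket does not list the extensions.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".zip"}


def is_upload_allowed(filename: str) -> bool:
    """Allow or deny an upload by its final, lower-cased file extension."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def download_headers(filename: str) -> dict:
    """Response headers that make the browser save the file, not render it."""
    # Keep only the last path component, whichever separator the client used.
    name = filename.replace("\\", "/").split("/")[-1]
    # Restrict to a safe ASCII set: removes CR/LF (header injection) and
    # quotes or semicolons that would break the Content-Disposition syntax.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"
    return {
        # The measure this ticket shipped: user content is never shown inline.
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        # Generic type, so the stored extension does not select an HTML renderer.
        "Content-Type": "application/octet-stream",
        # Honoured by IE8 and later; IE6/7 do not implement this header.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample filenames, not taken from the ticket.
    for sample in ["photo.JPG", "evil.html", "report.pdf", "a\r\nX-Injected: 1.txt"]:
        print(repr(sample), is_upload_allowed(sample),
              download_headers(sample)["Content-Disposition"])
```
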
