#579 closed defect (fixed)
IE6,7 *.htmlファイルのアップロードでXSS脆弱性
| Reported by: | tejimaa | Owned by: | takanashi |
|---|---|---|---|
| Priority: | blocker | Milestone: | OpenPNE2.8beta4 |
| Component: | core【OpenPNEコア部分】 | Version: | |
| Keywords: | Cc: |
Change History (10)
comment:1 Changed 16 years ago by
| Description: | modified (diff) |
|---|
comment:2 Changed 16 years ago by
| Owner: | changed from nobody to openpne |
|---|---|
| Priority: | critical → blocker |
comment:3 Changed 16 years ago by
comment:4 Changed 16 years ago by
comment:6 Changed 16 years ago by
| Owner: | changed from openpne to ebihara |
|---|
comment:7 Changed 16 years ago by
| Milestone: | OpenPNE2.8RC2 → OpenPNE2.8beta3(RC1) |
|---|---|
| Owner: | changed from ebihara to takanashi |
XSS脆弱についてはContent-DispositionヘッダでAttachmentを指定するで対処完了とします。
ファイル拡張子でアップロードの許可・非許可を決定は別チケットとします
comment:8 Changed 16 years ago by
| Milestone: | OpenPNE2.8beta3(RC1) → OpenPNE2.8RC1 |
|---|
comment:9 Changed 16 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
修正方針
・ファイル拡張子でアップロードの許可・非許可を決定
・Content-DispositionヘッダでAttachmentを指定する
上記2点の対処を行います。