See X-Content-Type-Options

Also, consider adding "Content-disposition: attachment" for uploaded files.

Comments

pwolanin’s picture

Pere Orga’s picture

I agree

pwolanin’s picture

Priority: Normal » Critical

greggles’s picture

Drupal.org already has this header in http config, but it's only for pdf and won't work on any sites that use private files (e.g. security.drupal.org or association or maybe some others).

<IfModule mod_headers.c>
  <FilesMatch "\.(?i:pdf)$">
    ForceType application/octet-stream
    Header set Content-Disposition "attachment"
  </FilesMatch>
</IfModule>

pwolanin’s picture

We should use it for all files. Locally, I see it protecting in cases where no content-type is sent by the browser.

basic’s picture

Would

ForceType application/octet-stream
Header set Content-Disposition "attachment"

break things like inline images if applied to all files?

greggles’s picture

I mostly agree, although there is a ux regression from using it for all files.

The other option is *only* serving files from a different domain - I'm pretty in favor of that idea.

drumm’s picture

Not being able to view patch/diff files in a browser would be a big regression.

basic’s picture

I have the following diff for varnish, but won't push this change if it means there will be a huge regression:

+   # Prevent XSS on file uploads
+   if (req.url ~ "/files/") {
+     beresp.http.X-Content-Type-Options = "nosniff";
+     beresp.http.Content-Disposition = "attachment";
+   }
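
Review bot: the two assignments in this hunk are missing the `set` keyword that VCL requires (`set beresp.http.X-Content-Type-Options = "nosniff";`), so the config will not load as written; the form that later went live uses `set`. Also, `req.url ~ "/files/"` is an unanchored regex and matches that substring anywhere in the URL, query string included; `^/files/` would limit it to the upload path if that is the intent. The unconditional `Content-Disposition: attachment` line forces a download for every matched file, which is the patch/diff regression raised above.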

basic’s picture

Status: Active » Fixed

I've added 'set beresp.http.X-Content-Type-Options = "nosniff";' in varnish, but kept the content-disposition header off for now. This is now live. It sounds like the next step will be setting up a separate domain for user uploaded files, so I'll mark this fixed.
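
A defender-side check of what the configuration discussed in this thread should produce, added here as an example and not taken from the issue or from drupal.org's own config: it audits captured response headers for a file path against the policy above (nosniff on everything under /files/, Content-Disposition: attachment only for types that would otherwise render inline). The sample responses and the INLINE_OK set are constructed assumptions.

```python
"""Audit file-download response headers against the policy discussed in this issue.

Added example, not drupal.org's configuration. The sample responses below are
constructed; the set of types allowed to stay inline is an assumption.
"""
from typing import Dict, List

# Types the thread wants to keep viewable inline (images, patch/diff files).
# Anything else served from /files/ is expected to be forced to download.
INLINE_OK = {"image/png", "image/jpeg", "image/gif", "text/x-diff", "text/plain"}


def audit_file_response(path: str, headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if not path.startswith("/files/"):
        return findings  # the policy only covers user-uploaded files
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    if ctype == "":
        findings.append("no Content-Type: browser may sniff unless nosniff is set")
    if ctype not in INLINE_OK and disposition != "attachment":
        findings.append(f"{ctype or 'unknown type'} served inline; expected Content-Disposition: attachment")
    return findings


# Constructed sample responses, in the shape a check of a /files/ URL would see.
SAMPLES = {
    "/files/issues/foo3.test": {"Content-Type": "text/html"},            # worst case: renders as HTML
    "/files/issues/fix.patch": {"Content-Type": "text/x-diff",
                                "X-Content-Type-Options": "nosniff"},     # inline diff, still protected
    "/files/report.pdf": {"Content-Type": "application/octet-stream",
                          "X-Content-Type-Options": "nosniff",
                          "Content-Disposition": "attachment"},           # the existing pdf rule
    "/node/123": {"Content-Type": "text/html"},                           # not a file download
}


def audit_all(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, List[str]]:
    """Audit every sample and map each path to its findings."""
    return {path: audit_file_response(path, hdrs) for path, hdrs in samples.items()}


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```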

greggles’s picture

For anyone following this and interested, the separate domain idea is in #1730180: serve all drupal.org media from a different domain.

pwolanin’s picture

Status: Fixed » Needs work

I don't see the header being added for all file downloads. Is varnish bypassed for some file extensions?

e.g. https://www.drupal.org/files/issues/foo3.test

pwolanin’s picture

www7.drupal.org is not setting the header, but other back-ends are.

basic’s picture

Status: Needs work » Fixed

Yep, that is strange. I'm checking to see why that would be and will force a reload of the active vcl... doing a vcl show it looks like the wrong varnish config was loaded, puppet likely didn't copy the change over.

I've reloaded the vcl on www7 so this should be resolved now.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.