Moodle

Invalid Download Content Type

Details

  • Type: Bug
  • Status: Closed
  • Priority: Minor
  • Resolution: Won't Fix
  • Affects Version/s: 1.9.3
  • Fix Version/s: None
  • Component/s: Gradebook
  • Labels: None
  • Environment: Debian Linux, WatchGuard firewall

Description

In a number of places in the Moodle codebase there is use of the "application/download" pseudo-MIME content type. This invalid type is blocked by our corporate firewall, preventing various exports and downloads from Moodle. At a minimum, the content type should be changed to the valid "application/octet-stream". Ideally, it should be set depending on the file type. For example, text/plain for textual export, application/xml for XML, etc. The use of the "Content-Disposition" HTTP response header should be sufficient to trigger most browsers to download the file. Those that don't aren't worth supporting.

Activity

Petr Škoda (skodak) added a comment -

Unfortunately we need to send as bad headers as possible in order to prevent XSS from student-uploaded files, sorry - this cannot be changed.
Only Firefox does what it is told to do.

Peter Chamberlin added a comment -

There must surely be better ways of mitigating XSS risk than breaking HTTP header standards? With Content-Disposition the browser will prompt for file save regardless of Content-Type. While it is true that IE6/7 can override MIME type for rendered media, I don't believe that's the case for attachments. See http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx

Petr Škoda (skodak) added a comment -

There is a way - use two separate addresses in different domains.
It is not our fault that browsers are not respecting standards and are opening files directly from web instead of saving and THEN opening without session.

Just getting Save/Open prompt is not enough, we must prevent opening of files "in browser", sorry.

This is not 100% secure, but it is the best we can get.

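The two positions above (valid Content-Type plus Content-Disposition versus refusing to let browsers render uploads at all) can be reconciled in a download handler that keeps the headers standards-compliant and serves student uploads only from a separate, cookie-less host. This is an added illustration, not Moodle's code; the host names, the `SAFE_TYPES` allow-list and the `send_file` helper are assumptions for the example.

```php
<?php
// Added example (not Moodle code): a download endpoint that sends valid
// headers yet still refuses to hand user uploads to the browser as a page.
// Assumed deployment: an application host with the session cookie and a
// separate files-only host with no cookies (the two-domain approach from
// the comments above). Both names are hypothetical.
const APP_HOST   = 'moodle.example.invalid';
const FILES_HOST = 'files.example.invalid';

// Server-generated exports get a real type; anything else is an opaque blob.
const SAFE_TYPES = [
    'txt' => 'text/plain',
    'csv' => 'text/csv',
    'xml' => 'application/xml',
    'pdf' => 'application/pdf',
];

function download_headers(string $filename, bool $student_upload): array {
    $ext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    // Uploads never get a renderable type, regardless of their extension.
    $type = (!$student_upload && isset(SAFE_TYPES[$ext]))
        ? SAFE_TYPES[$ext] : 'application/octet-stream';
    // Strip CR/LF and quotes so a crafted filename cannot inject headers.
    $safe = preg_replace('/[\r\n"]/', '_', basename($filename));
    return [
        'Content-Type: ' . $type,
        'Content-Disposition: attachment; filename="' . $safe . '"',
        // Tells IE8+/Chrome not to sniff the body into a different type.
        'X-Content-Type-Options: nosniff',
        // If a browser renders the file anyway, it runs without script,
        // forms or same-origin access.
        'Content-Security-Policy: sandbox',
    ];
}

function send_file(string $path, string $filename, bool $student_upload): void {
    // Student uploads are only served from the isolated files host, so a
    // browser that ignores the headers and opens the file in place does so
    // without the application's session cookie.
    $host = $_SERVER['HTTP_HOST'] ?? '';
    if ($student_upload && $host !== FILES_HOST) {
        header('Location: https://' . FILES_HOST . $_SERVER['REQUEST_URI'], true, 302);
        return;
    }
    foreach (download_headers($filename, $student_upload) as $h) {
        header($h);
    }
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

A firewall that blocks "application/download" sees only valid types from this handler, while rendering of uploads is still prevented by the attachment disposition, nosniff and the origin split rather than by an invalid Content-Type.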
