codebrowse displays HTML content unmunged
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | Critical | Michael Hudson-Doyle | |
| loggerhead | Fix Released | Critical | Robey Pointer | |
Bug Description
If a branch contains an HTML file, codebrowse can display it by clicking the "download" link. For example:
If the HTML page contains javascript (or loads javascript from offsite with <script src="...">), then it will be executed from the http://
Since we are only serving codebrowse via http and not https, it doesn't expose Launchpad session cookies. However, if we want to serve codebrowse over https and do authentication (e.g. to support browsing of private branches), we will need to remove or neutralise this feature.
Possible ways to neutralise the problem:
* serve all content with an innocuous mime type (e.g. application/
* send a header like "Content-
Changed in launchpad-bazaar:
* assignee: nobody → mwhudson
* importance: Undecided → Critical
* status: Unconfirmed → Confirmed
* visibility: private → public
The fix (to use Content-Disposition: attachment in download links) is online now.
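As an added example (not loggerhead's or Launchpad's own code), a minimal WSGI "download" handler showing the original behaviour beside the fix: the hardened variant applies both mitigations the report lists, an innocuous content type and `Content-Disposition: attachment`. The in-memory `BRANCH_FILES` map and the `would_render_as_page` browser model are constructed stand-ins for the branch contents and the browser.

```python
import mimetypes
import re

# Constructed stand-in for files stored in a branch (the real code reads the Bazaar branch).
BRANCH_FILES = {
    "docs/index.html": b"<html><body><script>alert(document.cookie)</script></body></html>",
    "README.txt": b"plain text\n",
}


def _safe_filename(path):
    # Restrict the name to a conservative character set so it cannot inject header text.
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"[^\w.\-]", "_", name) or "download"


def download_headers(path, hardened):
    """Response headers for the 'download' link on a branch file."""
    if not hardened:
        # Original behaviour: type guessed from the name and served inline, so an
        # .html file is rendered (and its script executed) in codebrowse's origin.
        ctype, _ = mimetypes.guess_type(path)
        return [("Content-Type", ctype or "application/octet-stream")]
    # Fix: generic type plus Content-Disposition: attachment, so the browser
    # saves the bytes instead of rendering them as a page.
    return [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", 'attachment; filename="%s"' % _safe_filename(path)),
    ]


def make_app(hardened):
    """Build a WSGI app serving BRANCH_FILES in vulnerable or hardened mode."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "").lstrip("/")
        body = BRANCH_FILES.get(path)
        if body is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        start_response("200 OK", download_headers(path, hardened))
        return [body]
    return app


def fetch(app, path):
    """Drive the WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


def would_render_as_page(headers):
    """Minimal browser model: inline responses with an HTML type get rendered."""
    h = {k.lower(): v for k, v in headers}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    return disp != "attachment" and ctype in ("text/html", "application/xhtml+xml")
```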