Prevent XSS due to MIME Type Sniffing bugs in old Internet Explorer

Bug #1835964 reported by Tom Reynolds
This bug affects 1 person
Affects: Launchpad itself | Status: Triaged | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

Internet Explorer 7 and older (actually later versions, too, but less bad there) had a 'convenience feature' where they used MIME Type Sniffing to determine what to render content as. The idea there was to work around issues introduced by overpaid sysadmins who had web servers configured to return content with incorrect (or just unknown, to the web browser) MIME types. So instead of just trusting those HTTP response headers, Internet Explorer would second guess the file type of every downloaded image, and then render it based on what it decided the real file type was.

Worse than that, it sometimes got it wrong. If a file hosted on a web server with a .PNG extension was really a .JPG image, but the Response header would state "Content-Type: image/png" then instead of not rendering the image, or attempting to render it as PNG, it would try to render it as JPG, fail to do so, and instead display the binary content as rendered HTML.

And if this file contained any actual HTML code, such as <script>alert(3)</script>, it would execute this code.

Here's an example (a JPG file with an HTML-like comment, returned as "Content-Type: image/png" due to its .png file extension):
http://launchpadlibrarian.net/432443293/test-logo2.png

Accessing this using Internet Explorer 7 or older would trigger a JavaScript alert popup. This can be tested using the online web browser rendering service at https://netrenderer.com

At some point Microsoft realized they might be overdoing it slightly, so (instead of fixing the issue, which they actually did later but forgot to mention it in their release notes) they made Internet Explorer react to the non-standard "X-Content-Type-Options: nosniff" HTTP header, which, if set, would disable the excessive guessing.

https://blogs.msdn.microsoft.com/ie/2010/10/26/mime-handling-changes-in-internet-explorer/

This may not actually help with older Internet Explorer versions (7 and below), though, so if you would like to help those versions not exploit their users (assuming there are any left - let us hope that is not the case - or check web server access logs), Launchpad could do the MIME type sniffing during upload of such user contributed content (which you thankfully host on a separate domain name), forcing the file extension and later, when requests are made to retrieve this content, the Content-Type, to be that of the actual file.

As a reminder, currently I am able to upload a user avatar in JPG format with a .png file extension, which the web server returns as "Content-Type: image/png". Which is a bit wrong, but not much of an issue on any current, sane, web browser.

This is not actually a security vulnerability in Launchpad, so I am not filing it as such. If you should choose not to act upon this report, I will not be disappointed, but hope you enjoyed the story.

Colin Watson (cjwatson) wrote :

(You probably know this already, but just for the record, the librarian does already send "X-Content-Type-Options: nosniff".)

We do in fact already attempt to do MIME type detection at upload time, using https://zopecontenttype.readthedocs.io/en/latest/api.html#determining-content-types. Unfortunately this just uses https://docs.python.org/2/library/mimetypes.html#mimetypes.guess_type in the case of binary files, and that's just based on the file name.

I think using more robust sniffing would be possible, but we absolutely wouldn't want to maintain such code ourselves. https://pypi.org/project/z3c.sharedmimeinfo/ looked initially promising but it only ever had a single release, namely in 2009, so that doesn't seem like a good idea. https://pypi.org/project/filetype/ looks like it might be a better bet, but I haven't looked into it in much detail.

tags: added: librarian lp-foundations
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
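As an added example (not Launchpad's code and not the reporter's), here is the kind of magic-byte check the report suggests doing at upload time, in Python, next to the name-only mimetypes.guess_type lookup Colin mentions. The sample input is constructed: a minimal JPEG-like byte string carrying <script>alert(3)</script> in a COM segment, uploaded under a .png name as in the report. The function names, the table of accepted formats and the policy of storing the sniffed type (rather than rejecting the upload) are assumptions made for this example.

```python
import mimetypes

# Leading-byte signatures for a few image formats, taken from the format
# specifications. The table itself, and everything below, is example code;
# it is not what the Launchpad librarian does.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None.

    This looks at content only, so a JPEG saved as foo.png is still a JPEG.
    """
    for magic, mime in _SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def name_based_type(filename: str):
    """What mimetypes.guess_type reports: it consults the extension only."""
    return mimetypes.guess_type(filename)[0]


def classify_upload(filename: str, data: bytes):
    """Decide which Content-Type to store for an upload.

    Returns (content_type, verdict), where verdict is 'ok' (name and
    content agree), 'mismatch' (store the sniffed type, not the claimed
    one) or 'unknown' (no recognised signature; serve as a generic
    download rather than as anything a browser might render).
    """
    declared = name_based_type(filename)
    actual = sniff_image_type(data)
    if actual is None:
        return ("application/octet-stream", "unknown")
    if declared != actual:
        return (actual, "mismatch")
    return (actual, "ok")


def response_headers(content_type: str):
    """Headers for serving the stored file later: the sniffed type plus
    nosniff, so browsers that honour it do not second-guess the type."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed sample: SOI marker, one COM segment, EOI marker.

    Enough for signature sniffing (it starts with FF D8 FF); it is not a
    decodable picture, which is exactly the failure mode the report
    describes for old Internet Explorer.
    """
    length = len(comment) + 2  # the 2-byte length field counts itself
    return (b"\xff\xd8" + b"\xff\xfe" + length.to_bytes(2, "big")
            + comment + b"\xff\xd9")


# Constructed sample: a JPEG uploaded under a .png name.
SAMPLE_NAME = "test-logo2.png"
SAMPLE_JPEG = build_jpeg_with_comment(b"<script>alert(3)</script>")


if __name__ == "__main__":
    print("name-only guess:", name_based_type(SAMPLE_NAME))
    print("sniffed type:   ", sniff_image_type(SAMPLE_JPEG))
    content_type, verdict = classify_upload(SAMPLE_NAME, SAMPLE_JPEG)
    print("stored as:      ", content_type, "(" + verdict + ")")
    print("served with:    ", response_headers(content_type))
```

Run as-is, the name-only guess says image/png while the sniffed type is image/jpeg, so the upload is flagged as a mismatch and would be served as image/jpeg with nosniff. Bytes with no recognised signature (for instance a bare HTML fragment named .png) fall through to application/octet-stream, which is the safe default when the real type cannot be established.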