hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 18:14:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Avoid inline display of HTML/JS bitstreams. Add JS to list of known formats so that it can be recognized by DSpace.

Browse Source
This commit is contained in:
Tim Donohue
2024-06-06 11:44:28 -05:00
parent 4c5a91fc02
commit 356a028186
3 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
dspace-server-webapp/src/main/java/org/dspace/app/rest/BitstreamRestController.java
View File

@@ -209,7 +209,13 @@ public class BitstreamRestController {
if (format == null) { if (format == null) {
return false; return false;
} }
List<String> formats = List.of((configurationService.getArrayProperty("webui.content_disposition_format"))); // Default to always downloading HTML/JavaScript files. These formats can embed JavaScript which would be run
// in the user's browser when loaded inline. This could be the basis for an XSS attack.
// RTF is also added because most browsers attempt to display it as plain text.
String [] defaultFormats = { "text/html", "text/javascript", "text/richtext" };
List<String> formats = List.of(configurationService.getArrayProperty("webui.content_disposition_format",
defaultFormats));
boolean download = formats.contains(format.getMIMEType()); boolean download = formats.contains(format.getMIMEType());
if (!download) { if (!download) {
for (String ext : format.getExtensions()) { for (String ext : format.getExtensions()) {

5
dspace/config/dspace.cfg
View File

@@ -1387,6 +1387,11 @@ webui.content_disposition_threshold = 8388608
# Set which mimetypes, file extensions will NOT be opened inline # Set which mimetypes, file extensions will NOT be opened inline
# Files with these mimetypes/extensions will always be downloaded, # Files with these mimetypes/extensions will always be downloaded,
# regardless of the threshold above # regardless of the threshold above
# We HIGHLY RECOMMEND forcing HTML / Javascript to always download.
# If a bitstream contained malicious Javascript, it would be executed in a user's browser when opened inline.
webui.content_disposition_format = text/html
webui.content_disposition_format = text/javascript
# RTF is always downloaded because most browsers attempt to display it as plain text.
webui.content_disposition_format = text/richtext webui.content_disposition_format = text/richtext
#### Multi-file HTML document/site settings ##### #### Multi-file HTML document/site settings #####

9
dspace/config/registries/bitstream-formats.xml
View File

@@ -827,4 +827,13 @@
<extension>avif</extension> <extension>avif</extension>
</bitstream-type> </bitstream-type>
<bitstream-type>
<mimetype>text/javascript</mimetype>
<short_description>JavaScript</short_description>
<description>JavaScript</description>
<support_level>1</support_level>
<internal>false</internal>
<extension>js</extension>
</bitstream-type>
</dspace-bitstream-types> </dspace-bitstream-types>