2006-09-14T10:47:45  <ThomasWaldmann> xorAxAx: we need a better solution for that attachment download http header stuff
2006-09-14T10:48:07  <ThomasWaldmann> it even annoys people using firefox on windows
2006-09-14T10:50:20  <xorAxAx> umm
2006-09-14T10:50:30  <xorAxAx> yeah, what do you suggest?
2006-09-14T10:50:49  <xorAxAx> the only goal is to avoid XSS
2006-09-14T10:51:30  <xorAxAx> the bug report talks about a way to fix this by disabling some header lines
2006-09-14T10:51:36  <xorAxAx> they seem to conflict
2006-09-14T10:52:45  <ThomasWaldmann> either that way or just have some setting attachments_insecure = True
2006-09-14T10:53:22  <ThomasWaldmann> maybe we could only allow some specific extensions / mimetypes
2006-09-14T10:53:52  <ThomasWaldmann> most bug / annoyance reports deal with pdf iirc
2006-09-14T10:54:47  <xorAxAx> we just have to do this for all mimetypes that are interpreted (as html) by the browser
2006-09-14T10:55:41  <ThomasWaldmann> can you add some description about how that is exploitable
2006-09-14T10:57:33  <xorAxAx> where?
2006-09-14T10:57:45  <xorAxAx> ah, right, there is a bugreport
2006-09-14T10:57:58  <xorAxAx> i will do it later, i have to go now
2006-09-14T16:02:41  <birkenfeld> moin
2006-09-14T16:03:18  <xorAxAx> hi birkenfeld
2006-09-14T17:22:05  * ThomasWaldmann fixed misc. acl / group bugs
2006-09-14T17:22:46  <ThomasWaldmann> xorAxAx: did you already look at attachments?
2006-09-14T17:23:24  <xorAxAx> ThomasWaldmann: i wrote something on the wiki page
2006-09-14T17:25:32  <ThomasWaldmann> myfile.html is missing <g>
2006-09-14T17:27:07  <ThomasWaldmann> ok, so we could use some black (or white) list with extensions/mimetypes we think are unsafe (or safe)
2006-09-14T17:27:43  <ThomasWaldmann> and depending on membership, either use the safer or the more comfortable method
2006-09-14T17:28:53  <xorAxAx> possible, yeah
2006-09-14T17:29:06  <xorAxAx> but thats just a workaround IMHO
2006-09-14T17:29:07  <ThomasWaldmann> did you already start coding something?
2006-09-14T17:29:11  <xorAxAx> no
2006-09-14T17:29:24  <xorAxAx> currently migrating to linux, that makes me kinda busy :)
2006-09-14T17:29:27  <ThomasWaldmann> ok, then I'll try in 1.6
2006-09-14T17:38:00  <ThomasWaldmann> request.cfg.mimetypes_xss_protect ?
2006-09-14T17:38:24  <ThomasWaldmann> (having a list of mimetypes)
2006-09-14T17:41:12  <xorAxAx> hmm, yeah
2006-09-14T17:43:05  <ThomasWaldmann> can we have a good blacklist, or better use a whitelist?
2006-09-14T17:45:30  <ThomasWaldmann> (the whitelist would be quite long, of course...)
2006-09-14T17:47:36  <xorAxAx> hmm
2006-09-14T17:47:56  <xorAxAx> i think flash files can get cookies as well
2006-09-14T17:48:24  <xorAxAx> but a blacklist should be enough
2006-09-14T17:48:29  <ThomasWaldmann> a legally safer approach for use would be an empty whitelist :)
2006-09-14T18:34:08  <ThomasWaldmann> http://test.wikiwikiweb.de/AttachTest
2006-09-14T21:12:44  * ThomasWaldmann refactors *_regex compile -> cfg object
2006-09-14T21:24:24  <xorAxAx> ThomasWaldmann: maybe you can introduce a shallow cache object? :)
2006-09-14T21:24:39  <xorAxAx> class cacheClass: pass; cache = cacheClass()
2006-09-14T21:24:56  <xorAxAx> in order to have request.cfg.cache.foo_regex
2006-09-14T21:25:10  <xorAxAx> makes life easier
2006-09-14T21:27:07  <ThomasWaldmann> just to find them easier?
2006-09-14T21:28:55  <xorAxAx> yep
2006-09-14T21:29:05  <xorAxAx> and they could be made thread-local
2006-09-14T21:29:12  <xorAxAx> if thats necessary
2006-09-14T22:08:58  <ThomasWaldmann> ok, pushed

MoinMoin: MoinMoinChat/Logs/moin-dev/2006-09-14 (last edited 2007-10-29 19:21:05 by localhost)