Description

If I click on an attachment with Internet Explorer and select "open," the application fails to find the file.

Steps to reproduce

  1. Attach a file.
  2. Click on the link using Internet Explorer. Select "Open" instead of "Save"
  3. Observe "This file could not be found" error message in application (e.g. Word or Powerpoint).

Example

This page.

Testing_an_IE_bug.doc

Testing_an_IE_bug.jpg

Details

This wiki.

Workaround

Discussion

Why is this a moin bug?

--- a/MoinMoin/action/AttachFile.py     Fri Mar 31 19:56:30 2006 +0000
+++ b/MoinMoin/action/AttachFile.py     Wed Apr 05 08:32:20 2006 +0000
@@ -644,7 +644,7 @@ def get_file(pagename, request):
-        "Content-Disposition: inline; filename=\"%s\"" % filename.encode(config.charset),
+        "Content-Disposition: attachment; filename=\"%s\"" % filename.encode(config.charset),

Thanks for tracking this down. Note that the above header line is completly valid HTTP.

Please try to check the options that are related to the .doc file entry in the CLASSES_ROOT registry branch. Check the DDE command line and downgrade to non-DDE to test this.

HKEY_CLASSES_ROOT\.doc\(default)

Word.Document.8

HKEY_CLASSES_ROOT\.doc\Content Type

application/msword

HKEY_CLASSES_ROOT\.doc\OpenWithProgIDs\(default)

blank

HKEY_CLASSES_ROOT\.doc\OpenWithProgIDs\openDocument.WriteDocument.1

blank

HKEY_CLASSES_ROOT\.doc\PersistentHandler\(default)

{... long string of hex with some dashes ...}

HKEY_CLASSES_ROOT\.doc\Word.Document.8\(default)

(value not set)

HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew\(default)

(value not set)

HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew\FileName

winword8.doc

You can use the folder properties window to do it or check the "Word.Document.8" branch of the registry.

error_nonDDE.jpg

I should say that it isn't just word. I've tried a number of things: .ppt, .doc, .pdf, and .igx (Corel iGrafx) and all give some kind of error that says they can't find the file. I've looked in the temp directory and it's not there.

OK. I can reproduce the bug here. But I don't know a solution besides the abovementioned workaround. I strongly suggest not to reverse apply the above patch because it allows for simple XSS attacks that can lead to impersonation of other users.

I've found the bug in our intranet wikis, too (after upgrading from 1.3.4 to 1.5.4 code base). None of the IE users was able to open attachments correctly. By applying the patch above (replacing "attachment" with "inline") I was able to get back the "normal" behaviour. I suggest to re-think this trade-off between making XSS-attacks more difficult and excluding all IE users. What about making the way the attachments are served configurable (if it cannot be reverted to old behaviour)? -- DavidLinke 2006-08-21 15:59:15

Is this known http://joseph.randomnetworks.com/archives/2004/10/01/making-ie-accept-file-downloads ? example code

if(strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE')) {
    session_cache_limiter("public");
}
session_start();
header('Content-type: application/octet-stream');
header('Content-Disposition: attachment; filename="report.csv"');
print($csv);

Simply changing attachments to inline wasn't enough. The following is why it doesn't work in IE. http://support.microsoft.com/default.aspx?scid=kb;en-us;243717&Product=ie The solution I found was to replace 'attachment' with 'inline' and also commenting out all the 'self.setHttpHeader' in the 'disableHttpCaching' method in request.py. For me that was lines 246,247,248,252,256

There's probably a better way to fix this but this was the simple fix I found that worked for me.

I doubt that simply removing the cache disabling code will make you happy. Your IE will maybe show you stale data now and then.

(!) IE bug that seems to cause this: http://support.microsoft.com/kb/323308/EN-US/ - Microsoft also provides registry changes to fix the problem.

Our Apache setup on test.wikiwikiweb.de also seems to influence IE behaviour. Sometimes you get 2 or 3 different behaviours by just "trying again". It behaves different with standalone server (which even worked with SSL using tlslite library).

How to exploit systems that send attachments as "inline"

  1. Create a short HTML file that transmits the current cookie via a simple XmlHttpRequest etc. to another (evil) site, or just display an alert window. In the end, it could redirect to another wiki page.

  2. Attach this file to a wiki page.
  3. Link to the attachment like e.g. this: [attachment:myfile.html Further explanations]

  4. Login and click the link.

This is a typical XSS attack and can be used easily to steal the login data.

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/CantOpenAttachmentsWithInternetExplorer (last edited 2007-10-29 19:20:43 by localhost)