2006-09-14T10:47:45 <ThomasWaldmann> xorAxAx: we need a better solution for that attachment download http header stuff
2006-09-14T10:48:07 <ThomasWaldmann> it even annoys people using firefox on windows
2006-09-14T10:50:20 <xorAxAx> umm
2006-09-14T10:50:30 <xorAxAx> yeah, what do you suggest?
2006-09-14T10:50:49 <xorAxAx> the only goal is to avoid XSS
2006-09-14T10:51:30 <xorAxAx> the bug report talks about a way to fix this by disabling some header lines
2006-09-14T10:51:36 <xorAxAx> they seem to conflict
2006-09-14T10:52:45 <ThomasWaldmann> either that way or just have some setting attachments_insecure = True
2006-09-14T10:53:22 <ThomasWaldmann> maybe we could only allow some specific extensions / mimetypes
2006-09-14T10:53:52 <ThomasWaldmann> most bug / annoyance reports deal with pdf iirc
2006-09-14T10:54:47 <xorAxAx> we just have to do this for all mimetypes that are interpreted (as html) by the browser
2006-09-14T10:55:41 <ThomasWaldmann> can you add some description about how that is exploitable
2006-09-14T10:57:33 <xorAxAx> where?
2006-09-14T10:57:45 <xorAxAx> ah, right, there is a bugreport
2006-09-14T10:57:58 <xorAxAx> i will do it later, i have to go now
2006-09-14T16:02:41 <birkenfeld> moin
2006-09-14T16:03:18 <xorAxAx> hi birkenfeld
2006-09-14T17:22:05 * ThomasWaldmann fixed misc. acl / group bugs
2006-09-14T17:22:46 <ThomasWaldmann> xorAxAx: did you already look at attachments?
2006-09-14T17:23:24 <xorAxAx> ThomasWaldmann: i wrote something on the wiki page
2006-09-14T17:25:32 <ThomasWaldmann> myfile.html is missing <g>
2006-09-14T17:27:07 <ThomasWaldmann> ok, so we could use some black (or white) list with extensions/mimetypes we think are unsafe (or safe)
2006-09-14T17:27:43 <ThomasWaldmann> and depending on membership, either use the safer or the more comfortable method
2006-09-14T17:28:53 <xorAxAx> possible, yeah
2006-09-14T17:29:06 <xorAxAx> but that's just a workaround IMHO
2006-09-14T17:29:07 <ThomasWaldmann> did you already start coding something?
2006-09-14T17:29:11 <xorAxAx> no
2006-09-14T17:29:24 <xorAxAx> currently migrating to linux, that makes me kinda busy :)
2006-09-14T17:29:27 <ThomasWaldmann> ok, then I'll try in 1.6
2006-09-14T17:38:00 <ThomasWaldmann> request.cfg.mimetypes_xss_protect ?
2006-09-14T17:38:24 <ThomasWaldmann> (having a list of mimetypes)
2006-09-14T17:41:12 <xorAxAx> hmm, yeah
2006-09-14T17:43:05 <ThomasWaldmann> can we have a good blacklist or better use whitelist
2006-09-14T17:45:30 <ThomasWaldmann> (the whitelist would be quite long, of course...)
2006-09-14T17:47:36 <xorAxAx> hmm
2006-09-14T17:47:56 <xorAxAx> i think flash files can get cookies as well
2006-09-14T17:48:24 <xorAxAx> but a blacklist should be enough
2006-09-14T17:48:29 <ThomasWaldmann> a legally safer approach for use would be an empty whitelist :)
2006-09-14T18:34:08 <ThomasWaldmann> http://test.wikiwikiweb.de/AttachTest
2006-09-14T21:12:44 * ThomasWaldmann refactors *_regex compile -> cfg object
2006-09-14T21:24:24 <xorAxAx> ThomasWaldmann: maybe you can introduce a shallow cache object? :)
2006-09-14T21:24:39 <xorAxAx> class cacheClass: pass; cache = cacheClass()
2006-09-14T21:24:56 <xorAxAx> in order to have request.cfg.cache.foo_regex
2006-09-14T21:25:10 <xorAxAx> makes life easier
2006-09-14T21:27:07 <ThomasWaldmann> just to find them easier?
2006-09-14T21:28:55 <xorAxAx> yep
2006-09-14T21:29:05 <xorAxAx> and they could be made thread-local
2006-09-14T21:29:12 <xorAxAx> if that's necessary
2006-09-14T22:08:58 <ThomasWaldmann> ok, pushed
MoinMoin: MoinMoinChat/Logs/moin-dev/2006-09-14 (last edited 2007-10-29 19:21:05 by localhost)