Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Timed out
Priority: Medium
Fix Version/s: None
Affects Version/s: 5.8-m26
Component/s: Editor - Attachment
Labels:
- affects-server
- editor
- files
- tidy

Support reference count:
1
Symptom Severity:
Severity 2 - Major
UIS:
2
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Upload or rename an existing attachment with a name like "\.png" or "';alert(666)//\';alert(666)//";alert(666)//\";alert(666)//--></SCRIPT>">'><SCRIPT>alert(666)</SCRIPT>
'"><script>alert(666)</script>.png"

The attachment will not download (<base url>/download/attachments/<page id>/%5C.png will return 400) so it won't display or work on any macro, etc

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

jira-capture-screenshot-20150424-144133-698.png
36 kB
24/Apr/2015 4:43 AM

Activity

People

Assignee:: Unassigned

Reporter:: Jonas Soderstrom (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Apr/2015 4:43 AM

Updated:: 11/Oct/2018 8:52 AM

Resolved:: 20/Sep/2018 1:10 PM