[CONFSERVER-26848] Confluence allows images to be uploaded with the wrong mime type, which causes them to not display in IE due to nosniff

      Symptoms

      Confluence does not do any sniffing on the upload of an image, so it's possible to rename the file extension on an image, and it will upload into Confluence without any warnings or errors. This image will then be stored in Confluence with a different mime type to the data contained in the file.

      This was never much of a problem for us, as the browser would sniff the type and display it properly even if we gave it the wrong mime type. Since 4.3.2 however, Confluence now specifies the "nosniff" directive in the HTTP headers, which causes IE to not display these images because the mime type does not match.

      Steps to Reproduce

      1. Find any image file
      2. Rename the image to some other image extension besides what the data actually is
      3. Upload the file to Confluence
      4. Open the page in IE, observe the "X" displayed in place of the image

      Workaround

      Upload images with the correct mime type.


            Marcel Munerotto added a comment - I can verify that the problem appears in 6.10.2 again.


            Tester- Amy added a comment - I just replicated this issue in 6.10.2. It's obviously broken again.

            Anatoli added a comment -

            To add to my previous comment. Given that Balsamiq was setting the wrong content type, we would need to have an upgrade task that changes the content type of img/png to image/png. We cannot not set a nosniff header for img/* content types because it opens up a security hole in IE.

            image/* content type in IE has a special treatment see (http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx) but img/* doesn't so an attacker would be able to

            • upload malicious *.html file
            • change the name to *.png
            • change the content type to img/png
            • when a user clicks on the attachment link IE will interpret it as html file and execute all the malicious scripts if we don't set up nosniff header


            VitalyA added a comment -

            Anatoli's edited version would work, although if this is only about a specific incorrect mime type, then those images might as well be fixed up once and forever.


            Anatoli added a comment - - edited

            The problem is caused by the change done for CONF-24918. This is a security change that made sure IE does not interpret text/plain content as html. However, we apply this header for everything including images, which leads to the problem described in this ticket.

            To fix the problem we would just need to change the code so that it only applies the nosniff header to attachments with content type other than image/*. Should be easy to implement (no upgrade task should be necessary).
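
The upload-time type check that the Symptoms section says is missing, together with the header rule from the comments above (nosniff on everything except `image/*`, with `img/*` still covered), as an added example that is not Confluence's code. The function names, the extension table and the sample bytes are assumptions made for illustration.

```python
# Added illustration: names, tables and sample bytes are constructed for this
# example and are not taken from Confluence.
import os

MAGIC = [  # leading bytes of common image formats
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
EXT = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
       ".gif": "image/gif", ".html": "text/html", ".txt": "text/plain"}

def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def check_upload(filename, data):
    """Return (type_to_store, warning) for an uploaded attachment."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXT.get(ext, "application/octet-stream")
    actual = sniff_image_type(data)
    if declared.startswith("image/") and actual is None:
        # Image extension, non-image data: never store it as image/*.
        return "application/octet-stream", f"{filename} is not {declared} data"
    if actual is not None and actual != declared:
        # Renamed image: store the type that matches the bytes.
        return actual, f"{filename} holds {actual} data, not {declared}"
    return declared, None

def download_headers(content_type):
    """nosniff on everything except image/*; a malformed img/* still gets it."""
    headers = {"Content-Type": content_type}
    if not content_type.lower().startswith("image/"):
        headers["X-Content-Type-Options"] = "nosniff"
    return headers

# Constructed sample uploads.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BYTES = b"<html><body>not an image</body></html>"
```

Storing the type that matches the bytes means a renamed image is served with a consistent `Content-Type`, while a non-image carrying an image extension falls back to a type that always receives nosniff.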


              xtaixe Xavier Sanchez (Inactive)
              dmason David Mason (Inactive)