Confluence Data Center: CONFSERVER-73600

Prevent the PDFExport handler from passing the contentType parameter directly in the URL


Details

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem

      A security scanner found that, with the Confluence pdfexport link, it could put an arbitrary value into the contentType query parameter and get it back verbatim in the Content-Type response header:

      /confluence/download/temp/pdfexport-20210928-280921-0634-3/test-file-280921-0634-4.pdf?contentType=bogus-value

      ==>

      Set-Cookie: JSESSIONID=C674......; Path=/con [...]
      Content-Disposition: attachment; filename="test-file-280921-063 [...]
      Content-Type: bogus-value;charset=UTF-8
      Content-Length: 7692
      Strict-Transport-Security: max-age=63072000; includeSubdomains

      Steps to Reproduce

      • On a Confluence page, open the ... menu and click Export to PDF
        • Temporary files are generated in the <confluence-home-directory>/temp folder
        • The call to the URL <yourConfluenceBaseURL>/spaces/flyingpdf/pdfpageexport.action?pageId=<thePageID> that exports the file is redirected by the application to point to this temporary file, and that is when the contentType is also dynamically populated in the URL. In my example it was
          <confluencecontextpath>/download/temp/pdfexport-20210929-290921-1420-13/Example-file_e2ecb181551b4c21bebef4eb46476faa-290921-1420-14.pdf?contentType=application/pdf
        • In our testing, if we remove the contentType from the URL or add a bogus content type, I can still download the PDF file, which I believe won't be the expected outcome

      Suggested Solution

      Prevent this contentType parameter from being passed in the URL at all, if feasible; the handler should derive the Content-Type of the exported file itself rather than read it from the request.

      Why This Is Important

      Letting the Content-Type response header be controlled by a URL parameter is a security risk. It could be used in content injection attacks, such as having a response interpreted as JavaScript or HTML that executes with the Confluence server as its origin.

      We believe the actual risk is quite mitigated in this specific scenario by: (1) the URL only serving exported PDF versions of the page and (2) the headers including {{Content-Disposition: attachment}}, which should force the browser to only offer saving the contents as a file.
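      The following is an added example, not Confluence code and not part of the original report. It does two things: it reproduces the scanner's check (does the contentType query value come back as the media type of the Content-Type header?) against a response constructed from the headers quoted above, and it shows the shape of the fix suggested here, a download handler that derives Content-Type from the exported file's extension through an allowlist, sets Content-Disposition: attachment and X-Content-Type-Options: nosniff, and never copies the query parameter into a header. The allowlist, the header-building function and the sample headers are assumptions made for the example; the real PDFExport handler's mapping is not on this page.

```python
"""Reflected Content-Type check plus a hardened download handler.

Added example for the CONFSERVER-73600 report; not Confluence code.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request URL from the report and the quoted response
# headers (Set-Cookie omitted; the truncated filename completed from the URL).
SAMPLE_URL = ("/confluence/download/temp/pdfexport-20210928-280921-0634-3/"
              "test-file-280921-0634-4.pdf?contentType=bogus-value")
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Disposition", 'attachment; filename="test-file-280921-0634-4.pdf"'),
    ("Content-Type", "bogus-value;charset=UTF-8"),
    ("Content-Length", "7692"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubdomains"),
]

# Assumed allowlist: the only media types the export download may emit.
ALLOWED_BY_EXTENSION = {".pdf": "application/pdf"}


def header(headers, name):
    """Return the first value of a header (case-insensitive name) or None."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def media_type(content_type):
    """Strip parameters such as ';charset=UTF-8' from a Content-Type value."""
    return content_type.split(";", 1)[0].strip().lower()


def content_type_is_reflected(url, headers):
    """The scanner's check: the contentType query value is served back as the
    response media type. Only meaningful with a value the server could not
    have derived on its own, which is why the report used 'bogus-value'."""
    requested = parse_qs(urlsplit(url).query).get("contentType", [None])[0]
    served = header(headers, "Content-Type")
    if not requested or served is None:
        return False
    return media_type(served) == requested.strip().lower()


def assess(url, headers):
    """Summarise the finding and the two mitigations a reviewer would look for:
    the 'attachment' disposition the report relies on, and nosniff."""
    disposition = header(headers, "Content-Disposition") or ""
    options = header(headers, "X-Content-Type-Options") or ""
    return {
        "reflected": content_type_is_reflected(url, headers),
        "attachment": disposition.split(";", 1)[0].strip().lower() == "attachment",
        "nosniff": options.strip().lower() == "nosniff",
    }


def accepted_content_type(url):
    """Derive the media type from the file extension of the URL path, or None
    if the file is not one the handler should serve at all."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    extension = name[dot:].lower() if dot >= 0 else ""
    return ALLOWED_BY_EXTENSION.get(extension)


def response_headers_for(url):
    """Hardened handler (assumed design): the contentType query parameter is
    never read; the type comes from the allowlist, and the filename is
    sanitised so it cannot inject header characters."""
    content_type = accepted_content_type(url)
    if content_type is None:
        raise ValueError("refusing to serve a file outside the allowlist")
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return [
        ("Content-Type", content_type),
        ("Content-Disposition", f'attachment; filename="{safe_name}"'),
        ("X-Content-Type-Options", "nosniff"),
    ]


if __name__ == "__main__":
    print("as reported:", assess(SAMPLE_URL, SAMPLE_RESPONSE_HEADERS))
    print("hardened:   ", assess(SAMPLE_URL, response_headers_for(SAMPLE_URL)))
```

      Run against the quoted response, assess() reports the reflection together with the attachment disposition the report counts on as mitigation, and the absence of nosniff; run against the hardened headers it reports no reflection, because the handler has no code path from the query string to the Content-Type header. Removing the parameter from the redirect URL, as the suggested solution asks, is then a cleanup rather than the security control.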

      Workaround

      N/A

      People

        Assignee: Unassigned
        Reporter: Pascal Oberle
        Votes: 3
        Watchers: 3