Bug
Resolution: Timed out
Low
Severity 3 - Minor
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.
The "Internet Explorer MIME Sniffing Security Hole Workaround Policy" option on JIRA's General Configuration page, when set to "Secure: forced download of attachments for all browsers", is meant to turn off inline rendering of attachments, including images referenced with the !image.png! markup.
However, it is possible to bypass this setting for the inline image markup by combining it with other wiki markup: a table pipe, a bulleted or numbered list marker, or a {quote} block placed in front of the inline image markup.
Steps to reproduce
- Set "Internet Explorer MIME Sniffing Security Hole Workaround Policy" to "Secure: forced download of attachments for all browsers" in General Configuration.
- Try to render an image attachment inline using !image.png!
- Try adding a table pipe in front of the markup, as in |!image.png!
- Try adding a bulleted-list marker in front of the markup, as in *!image.png!
- Try adding a numbered-list marker in front of the markup, as in #!image.png!
- Try wrapping the markup in a quote block, as in {quote}!image.png! {quote}
Expected Behavior
- Image is not rendered in any of the above cases based on the setting
Actual behavior
- Image is rendered inline when the markup is combined with a table pipe, a bulleted or numbered list marker, or a {quote} block, despite the setting.
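An added check, not part of this report or of JIRA, that walks the markup variants from the steps above through a renderer and flags the contexts where the attachment still comes back as an inline <img>. It also checks the attachment response headers, assuming the "Secure" setting is implemented by serving attachments with a Content-Disposition: attachment header. The rendered HTML samples and the renderer stub are constructed for illustration, not captured from JIRA, and the extra table-header and nested-bullet contexts are assumed worth testing rather than taken from the report.

```python
"""Added check for the bypass described in this report: build the wiki-markup
variants, inspect what the renderer produced, and inspect the attachment
response headers. The rendered-HTML samples and the renderer stub below are
constructed for illustration; they are not JIRA's output."""
from html.parser import HTMLParser

ATTACHMENT = "image.png"


def markup_variants(attachment=ATTACHMENT):
    """Contexts from the report, plus two assumed extra contexts
    (table header cell and nested bullet) that are not in the report."""
    inline = f"!{attachment}!"
    return {
        "plain": inline,
        "table_cell": f"|{inline}",
        "bullet": f"*{inline}",
        "numbered": f"#{inline}",
        "quote": f"{{quote}}{inline} {{quote}}",
        # Assumed extra contexts, not listed in the report.
        "table_header": f"||{inline}",
        "nested_bullet": f"**{inline}",
    }


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def inline_images(rendered_html):
    parser = _ImgCollector()
    parser.feed(rendered_html)
    return parser.srcs


def bypasses_policy(rendered_html, attachment=ATTACHMENT):
    """True when the renderer embedded the attachment as an <img>, which the
    'Secure' setting is supposed to prevent."""
    return any(src == attachment or src.endswith("/" + attachment)
               for src in inline_images(rendered_html))


def is_forced_download(headers):
    """True when the attachment response itself is a forced download
    (Content-Disposition: attachment) rather than served for inline display.
    Assumption: that header is how the 'Secure' setting is enforced."""
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "").strip().lower()
    return disposition.startswith("attachment")


def audit(render, attachment=ATTACHMENT):
    """Run every markup variant through `render` (a callable taking wiki markup
    and returning HTML) and return the names of the contexts that bypass."""
    return sorted(name for name, markup in markup_variants(attachment).items()
                  if bypasses_policy(render(markup), attachment))


# Constructed samples standing in for JIRA output (not captured from JIRA).
SAMPLE_BLOCKED = '<p><a href="/secure/attachment/10000/image.png">image.png</a></p>'
SAMPLE_BYPASSED = ('<table><tr><td><img src="/secure/attachment/10000/image.png" '
                   'alt="image.png"></td></tr></table>')


def buggy_renderer(markup):
    """Constructed stub reproducing the reported behaviour: only the bare
    !image.png! honours the setting; any surrounding markup yields an <img>."""
    return SAMPLE_BLOCKED if markup == "!image.png!" else SAMPLE_BYPASSED


if __name__ == "__main__":
    print("contexts that bypass the setting:", audit(buggy_renderer))
    print("attachment forced to download:", is_forced_download(
        {"Content-Disposition": 'attachment; filename="image.png"'}))
```

To use this against a real instance, replace buggy_renderer with a function that posts each variant into an issue description and fetches the rendered HTML, and feed is_forced_download the headers of a direct request to the attachment URL; a result that renders no <img> for any context but still serves the attachment with an inline disposition would mean the setting is only cosmetic.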
Issue links
- is related to: JRASERVER-43914 Remove Internet Explorer MIME Sniffing Security Hole Workaround Policy (Closed)
- relates to: JRACLOUD-42617 Certain wiki markup characters can be used to escape Internet Explorer MIME Sniffing Security Hole Workaround Policy (Closed)