Content checks for inline attachments #3372
Reported by @thomascube on 2 May 2011 09:25 UTC as Trac ticket #1487895
Contents of attachments (such as pictures) which are embedded in HTML (multipart/related) messages should be checked before sending them to the client.
This is an XSS vulnerability which exists when using Internet Explorer and is an attack that takes advantage of a bug which exists in the web browser.
Comment by @thomascube on 29 Nov 2011 08:40 UTC
@Enrico204: I'm sorry but your patch isn't a proper solution for this. While it may solve the issue of this ticket it will break some other use cases where people want to download (unmodified) attachments. Also it requires loading all attachment contents into PHP memory which may exhaust some resources and lead to errors. We had good reasons to circumvent output buffering and to pass attachments directly to the client line by line. All this has to be taken into account when trying to solve this issue.
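The content check the report asks for, shaped to respect the constraint in the comment above (no buffering of the whole attachment, body still streamed), as an added example that is not Roundcube's own code; the `$stream` resource, the function names and the small signature table are assumptions:

```php
<?php
// Added example, not Roundcube's own code: check only the first bytes of an
// inline part against its declared MIME type, then stream the rest unbuffered.
// Magic-byte signatures for image types commonly inlined in HTML mail.
const IMAGE_SIGNATURES = [
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

// True when the first bytes of $prefix match the declared image type.
function prefix_matches_type(string $prefix, string $declaredType): bool
{
    $type = strtolower(trim(explode(';', $declaredType)[0]));
    foreach (IMAGE_SIGNATURES[$type] ?? [] as $sig) {   // unknown type: no match
        if (strncmp($prefix, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

// Response headers for an inline part, decided from its first bytes only.
function inline_attachment_headers(string $prefix, string $declaredType): array
{
    $headers = ['X-Content-Type-Options: nosniff'];  // turns off IE content sniffing
    if (prefix_matches_type($prefix, $declaredType)) {
        $headers[] = 'Content-Type: ' . $declaredType;
        $headers[] = 'Content-Disposition: inline';
    } else {
        // Bytes do not look like the declared image: never render it inline.
        $headers[] = 'Content-Type: application/octet-stream';
        $headers[] = 'Content-Disposition: attachment';
    }
    return $headers;
}
// Streams a part: read the prefix, decide the headers, then pass the rest
// through in chunks ($stream is a hypothetical open resource for the body).
function send_inline_attachment($stream, string $declaredType): void
{
    $prefix = (string) fread($stream, 16);
    foreach (inline_attachment_headers($prefix, $declaredType) as $h) {
        header($h);
    }
    echo $prefix;
    while (!feof($stream)) {
        echo fread($stream, 8192);
    }
}
```

Only 16 bytes are held in memory before the decision, so the download use case and the streaming path the comment defends are unchanged; a part whose bytes do not match its declared image type is served as a plain download instead of inline.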