Issue 787025


Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug

MIME sniffing on the text/plain Content-Type (ignoring the X-Content-Type-Options header) using video content

Reported by h1.sp1...@gmail.com, Nov 20 2017

Issue description

Hello. Today I faced a strange issue: I was able to view a .txt file with the text/plain Content-Type as a video, despite X-Content-Type-Options: nosniff being set globally for all files.

Proof-of-Concept: https://xpoc.pro/security.txt (it's a text file with the text/plain Content-Type, but the browser sees it as a video file)
X-Content-Type-Options: nosniff didn't work because the file is too large, and the response headers were not obtained.

Reproduction steps:
I used a very large .mkv file and just changed its extension to .txt.
Next, I uploaded it to the server and was surprised that it was played as a video!
In IE/Firefox it stays as text.

It can be a security issue in some cases, because it bypasses the X-Content-Type-Options: nosniff header: any user who can upload .txt files to some web server can make a large .txt file and successfully inject arbitrary content there.
 

Comment 1 by mmoroz@chromium.org, Nov 20 2017

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)
Thanks for your report. I don't think that it has security implications.

"any user, which can upload .txt files to the some web-server can make large .txt file, and successfully inject arbitrary content there."

With a web server under your control, you can serve any kind of data for any URL.

As for "Content-Type: text/plain" being ignored, I believe that's intended behavior as per https://cs.chromium.org/chromium/src/content/common/loader_util.cc?rcl=7fb06bca6072d21575fb3e7f495aa50f0ecc17bf&l=37

It shouldn't happen if the server sets the "X-Content-Type-Options: nosniff" header, but it doesn't:


$ curl -i https://xpoc.pro/security.txt | more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Nov 2017 19:00:40 GMT
Content-Type: text/plain
Content-Length: 1929852571
Last-Modified: Mon, 20 Nov 2017 17:13:40 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: antibot-hostia=true; path=/; domain=xpoc.pro; expires=Tue, 21-Nov-2017 19:00:40 GMT
ETag: "5a130d44-7307369b"
Accept-Ranges: bytes

Eߣ�B��B��B��B�B��matroskaB��B��S�g


Comment 2 by h1.sp1...@gmail.com, Nov 20 2017

The point was the following:
Let's assume that the server allows text user content to be uploaded, but no media. In this case this restriction can be bypassed using large .txt files with video content (or other media content).

The X-Content-Type-Options header is actually set for all files, but because this file is very big (around 2 GB), this header will be returned only after the complete file is loaded (and Chrome reads it in chunks). That's why you are not seeing it, I think.

Look, for example, at https://xpoc.pro/security2.txt, a small file. It returns X-Content-Type-Options because it is small and was loaded quickly.

You should be able to reproduce this issue by downloading https://xpoc.pro/security.txt and deploying it on your own host with the X-Content-Type-Options header set.

Comment 3 by h1.sp1...@gmail.com, Nov 20 2017

Using the Chrome browser, the file will respond with 200 and then multiple 206 Partial Content codes because of the Transfer-Encoding: chunked header in the 1st response, with no X-Content-Type-Options header, even if it is strictly set in the web server's config.

Comment 4 by h1.sp1...@gmail.com, Nov 20 2017

Sorry, it appeared to be an nginx bug, where the server was unable to set the X-Content-Type-Options header for large files.
The MIME sniffing didn't work with a different server version (which set X-Content-Type-Options correctly).
My apologies for taking your time.
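The thread above turns on two conditions meeting at once: the browser only consults the body when the declared type is sniffable and no nosniff header arrived (Comment 1), and the server in question was not emitting that header on a large file (Comments 2 and 4). The following checker is an added example written for this page; it is not code from the reporter, from nginx or from Chromium. It applies a simplified form of the loader_util.cc rule to a response and reports whether the body would be consulted and whether it carries the Matroska/EBML signature seen in the curl output. All names (parse_raw_response, audit, audit_url, build_response, SNIFFABLE_TYPES, EBML_MAGIC), the reduced sniffable-type set and the sample responses are assumptions constructed for the demo, and the Range-based live check is one way to look at the headers a large file is served with without downloading the whole body.

```python
"""Audit an HTTP response for the text/plain sniffing condition in this issue.

Added example, not code from the issue reporter or from Chromium.  The rule is a
simplified form of content/common/loader_util.cc: the body is consulted only when
the declared Content-Type is a sniffable type AND the response does not carry
"X-Content-Type-Options: nosniff".  Type set, signature test and samples are
assumptions/constructed data.
"""
from __future__ import annotations

import urllib.request

# EBML header that opens Matroska/WebM containers; it is the "Eߣ" at the start
# of the curl output above when those bytes are shown as Latin-1.
EBML_MAGIC = b"\x1a\x45\xdf\xa3"

# Assumption: a reduced subset of the declared types Chrome treats as sniffable.
SNIFFABLE_TYPES = {"", "text/plain", "application/octet-stream", "unknown/unknown"}


def parse_raw_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into a header dict (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_type(headers: dict[str, str]) -> str:
    """Content-Type without parameters such as '; charset=utf-8'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def nosniff_set(headers: dict[str, str]) -> bool:
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def looks_like_matroska(body: bytes) -> bool:
    """EBML magic followed by a Matroska/WebM DocType within the first 64 bytes."""
    prefix = body[:64]
    return prefix.startswith(EBML_MAGIC) and (b"matroska" in prefix or b"webm" in prefix)


def audit(headers: dict[str, str], body: bytes) -> dict[str, object]:
    """Would the body be consulted, and does it look like video?"""
    ctype = media_type(headers)
    would_sniff = ctype in SNIFFABLE_TYPES and not nosniff_set(headers)
    is_video = looks_like_matroska(body)
    return {
        "content_type": ctype,
        "nosniff": nosniff_set(headers),
        "would_sniff": would_sniff,
        "body_is_matroska": is_video,
        "at_risk": would_sniff and is_video,  # the combination reported in this issue
    }


def audit_raw(raw: bytes) -> dict[str, object]:
    return audit(*parse_raw_response(raw))


def audit_url(url: str, prefix_len: int = 64) -> dict[str, object]:
    """Live variant: ask for the first bytes only, so a multi-GB file is not
    downloaded, and audit the headers the server sends on that response."""
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{prefix_len - 1}"})
    with urllib.request.urlopen(req) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return audit(headers, resp.read(prefix_len))


# Constructed samples (not captured from xpoc.pro): a minimal EBML header with
# EBMLVersion=1 and DocType "matroska", and a plain security.txt-style body.
MKV_BODY = EBML_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x23\x42\x86\x81\x01\x42\x82\x88matroska"
TEXT_BODY = b"Contact: mailto:security@example.invalid\n"


def build_response(body: bytes, nosniff: bool) -> bytes:
    """Constructed text/plain response modelled on the curl headers above."""
    lines = ["HTTP/1.1 200 OK", "Server: nginx", "Content-Type: text/plain",
             f"Content-Length: {len(body)}"]
    if nosniff:
        lines.append("X-Content-Type-Options: nosniff")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


if __name__ == "__main__":
    for label, raw in [
        ("mkv renamed to .txt, header missing", build_response(MKV_BODY, False)),
        ("mkv renamed to .txt, nosniff set", build_response(MKV_BODY, True)),
        ("real text, header missing", build_response(TEXT_BODY, False)),
    ]:
        print(f"{label}: {audit_raw(raw)}")
```

Only the first case comes out as at risk: the second is stopped by the nosniff header, and the third is sniffable but carries no video signature. Running audit_url against a large file on your own host tells you whether the header is present on the response a browser actually receives, which is the check Comment 4 implies was missing on the original server.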
