Details
-
Bug
-
Resolution: Fixed
-
None
-
Critical
-
This issue is security related!
-
Security related fix.
-
Description
problem
Since nearly all file formats (including HTML) can be used for reference files, these files are opened in a new browser tab in the same context as the application itself. The reference file therefore has access to security-related data like cookies etc.
solution
Provide access to reference files (Editor_ReferencefileController::getAction) as a download (Content-Disposition: attachment; filename=FILENAME).
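
A sketch of the fix described above, added here as an illustration and not taken from the project's code: it builds the Content-Disposition: attachment header with a sanitized filename so an uploaded HTML file is saved rather than rendered in the application's origin. The function names and fallback filename are hypothetical, and the application/octet-stream type and nosniff header are extra hardening assumed here, not part of the ticket.

```php
<?php
// Added example, not the project's code. Function names and the
// fallback filename are assumptions made for illustration.

/**
 * Build the response headers that force a stored reference file to be
 * downloaded instead of rendered in the application's origin.
 */
function referenceFileDownloadHeaders(string $storedName, int $size): array
{
    // Keep only the last path component, then drop control characters
    // (CR/LF would allow header injection), quotes and backslashes.
    $name = basename(str_replace('\\', '/', $storedName));
    $name = preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', $name);
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'referencefile';
    }
    // ASCII fallback for old clients plus the RFC 5987 form for UTF-8 names.
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name);

    return [
        // Generic type plus nosniff: the browser must not guess text/html.
        'Content-Type' => 'application/octet-stream',
        'Content-Disposition' => sprintf(
            "attachment; filename=\"%s\"; filename*=UTF-8''%s",
            $ascii,
            rawurlencode($name)
        ),
        'X-Content-Type-Options' => 'nosniff',
        'Content-Length' => (string) $size,
    ];
}

function sendReferenceFile(string $path): void
{
    if (!is_file($path) || !is_readable($path)) {
        http_response_code(404);
        return;
    }
    foreach (referenceFileDownloadHeaders($path, filesize($path)) as $k => $v) {
        header($k . ': ' . $v);
    }
    readfile($path);
}
```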