Content-Disposition Considered Harmful?

1.7k views Asked by At

I am currently working on a WCF service that returns a file based on a HTTP GET request. The main concept of the service goes like this:

public Stream MyGetMethod()
{
    // Fetch the file
    byte[] myFile = FetchMyFile();

    // Set the name of the file using Content-Disposition
    WebOperationContext.Current.OutgoingResponse
       .Headers.Add("Content-Disposition", "attachment; filename=MyFile");

    // Return the file
    return new MemoryStream(myFile);
}

I use the Content-Disposition header to tell the browser that it should name the file MyFile and that it should show a SaveAs dialog (the attachment part).

While this works, I have been reading some bad things about Content-Disposition.

RFC2616 states:

RFC 1806 [35], from which the often implemented Content-Disposition (see section 19.5.1) header in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementors. See RFC 2183 [49] (which updates RFC 1806) for details.

And from RFC2183 I get:

Since this memo provides a way for the sender to suggest a filename,
a receiving MUA must take care that the sender's suggested filename
does not represent a hazard. Using UNIX as an example, some hazards
would be:

  • Creating startup files (e.g., ".login").
  • Creating or overwriting system files (e.g., "/etc/passwd").
  • Overwriting any existing file.
  • Placing executable files into any command search path (e.g., "~/bin/more").
  • Sending the file to a pipe (e.g., "| sh").

    In general, the receiving MUA should not name or place the file such that it will get interpreted or executed without the user explicitly initiating the action.

I see there are some serious security aspects in this, but I am not quite sure if this should stop me from using it, like in the WCF service above?

As I see it, I think it should be alright since all the major browsers understand the header, and while the code in the snippet above is that simple, I cannot see how that can ever be a security threat? Please correct me if I'm wrong.

Thanks.

1

There are 1 answers

2
Atul Gupta On

Its safe to use Content-Disposition, for additional safety, don't allow user to give file-names, or do add some random unique name prefix or sufix or file extension yourself.