Security Report about “Insecure Content-Type Setting”: Does this apply to CSS and JavaScript as well?

I am working through a report of an automated vulnerability scanner. One item is

Web Server Misconfiguration: Insecure Content-Type Setting (11359)

It’s about not returning the character-set for a given HTML page like so, for example:

    HTTP/1.1 200 OK
    ...
    Content-Type: text/html; charset=utf-8
    ...

The reported response in question only gives

    HTTP/1.1 200 OK
    ...
    Content-Type: text/html
    ...

Now I understand the implications, but what about CSS and especially JavaScript?

Is the charset of CSS and JavaScript resources strictly defined by a standard?

What if I have internationalized strings in JavaScript variables? Will those by definition have to be escaped? Or would this case require the declaration of a charset?

Letting attacker control content-type, why is this safe?

I found a strange behavior of Shopify, where an attacker can change the extension on a URL and the backend will send back an HTTP content-type matching that extension, for each of these extensions:

    atom: application/atom+xml
    bmp: image/bmp
    css: text/css
    csv: text/csv
    gif: image/gif
    jpg: image/jpeg
    json: application/json
    js: text/javascript
    mp3: audio/mpeg
    mpeg: video/mpeg
    mpg: video/mpeg
    pdf: application/pdf
    png: image/png
    rss: application/rss+xml
    svg: image/svg+xml
    tiff: image/tiff
    tif: image/tiff
    txt: text/plain
    xml: application/xml
    yml: application/x-yaml
    zip: application/zip

For example, https://gavinwahl-test.myshopify.com/.foo.yml returns ‘Content-Type: application/x-yaml’, even though it’s a 404. https://gavinwahl-test.myshopify.com/search.svg returns the actual search page HTML but with image/svg+html content-type.

The search page also allows you to insert [html-escaped] text of your choice: https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 for example returns application/zip and is actually a valid zip file (despite having HTML around it).

It seems like there should be a vulnerability here. The search query is HTML escaped, but we can tell the browser to interpret it in some other content type which may have different escaping rules. This has been done with EML (Microsoft Outlook Express mail message) files before. I know there are lots of vulnerabilities where content of one type is interpreted as a different content type, but Shopify claims that this practice is safe and not exploitable.

Is there actually a good argument that this is safe? Is there any way to get a reflected XSS payload through based on the content type confusion?

(I have reported this as an issue to Shopify Security and they said it was safe, so I’m posting it publicly)
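The two header conditions raised in the questions above (a `text/html` response without a `charset`, and a declared type that follows the URL extension while the body is still the HTML page) can be checked from the defender's side with a small response audit. This is an added example, not code from either post or from the sites they discuss; the function names, the finding labels and the sample responses are constructed for illustration, and a finding here means "review this response", not that it is exploitable.

```python
from email.message import Message

def parse_content_type(value):
    """Split a Content-Type value into (media_type, charset or None)."""
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_content_type(), msg.get_content_charset()

def looks_like_html(body):
    """Cheap body check: does the payload start like an HTML document?"""
    head = body[:512].lstrip().lower()
    return head.startswith((b"<!doctype html", b"<html"))

def audit_response(content_type, body):
    """Return the findings for one response (empty list means clean)."""
    findings = []
    media_type, charset = parse_content_type(content_type)
    if media_type == "text/html" and charset is None:
        findings.append("missing-charset")
    if looks_like_html(body) and media_type != "text/html":
        findings.append("html-body-declared-as:" + media_type)
    return findings

# Constructed samples modelled on the responses described in the two questions.
HTML = b"<!DOCTYPE html>\n<html><body>results for &lt;q&gt;</body></html>"
SAMPLES = [
    ("/page", "text/html; charset=utf-8", HTML),
    ("/page", "text/html", HTML),
    ("/search.zip", "application/zip", HTML),
    ("/search.svg", "image/svg+xml", HTML),
    ("/site.css", "text/css", b"body { margin: 0 }"),
]

def audit_all(samples):
    """Map 'path [content-type]' to findings, skipping clean responses."""
    report = {}
    for path, ctype, body in samples:
        found = audit_response(ctype, body)
        if found:
            report[f"{path} [{ctype}]"] = found
    return report

if __name__ == "__main__":
    for key, found in audit_all(SAMPLES).items():
        print(key, found)
```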

Would HTTP Header injection allow for an XSS vulnerability if content-type is application/force-download?

I am currently conducting a pentest and I found an application vulnerable to HTTP header injection, where the user input is reflected after the Content-Type header, and the Content-Type is set to application/force-download. That is, the attacker can pass content in the GET parameter that is then reflected in the header. Imagine a request like so:

/vulnerable_application?param=reflected-header_malicious_payload 

Which then yields a response like so:

    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2019 22:14:22 GMT
    Server: [...]
    Content-Length: 2
    Content-Type: application/force-download; charset=UTF-16
    Content-Disposition: attachment; filename=reflected-header_malicious_payload
    Connection: close

I am trying to assess the severity of this finding, in particular whether it would allow for a reflected XSS attack. It seems to me that there is no way to get around the Content-Type: application/force-download which leads me to believe that the severity is pretty low.
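On the remediation side of the finding described above, the reflected value should never reach the `Content-Disposition` header unprocessed. The following is an added example, not code from the post or the application under test: `content_disposition` and its `fallback` parameter are hypothetical names, and the policy it applies (reject control characters, keep only the last path component, emit an ASCII `filename` plus a percent-encoded `filename*`) is one reasonable choice, assumed here.

```python
import re
from urllib.parse import quote

# CR, LF and the other control characters are what turn a reflected value
# into a header-splitting problem, so they are rejected rather than stripped.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def content_disposition(filename, fallback="download"):
    """Build an 'attachment' Content-Disposition value from untrusted input."""
    if _CONTROL.search(filename):
        raise ValueError("control character in filename")
    # Keep only the last path component, whichever separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip(" .")
    if not name:
        name = fallback
    # Conservative ASCII form for the quoted filename parameter: anything
    # that could end the quoted string or start a new parameter becomes "_".
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    value = 'attachment; filename="%s"' % ascii_name
    if ascii_name != name:
        # Extended parameter carries the original name, percent-encoded.
        value += "; filename*=UTF-8''" + quote(name, safe="")
    return value

if __name__ == "__main__":
    # Constructed inputs: a plain name, a traversal attempt, a non-ASCII name.
    for sample in ("report.pdf", "../../etc/passwd", "résumé.txt"):
        print(content_disposition(sample))
    try:
        content_disposition("x\r\nSet-Cookie: a=b")
    except ValueError as exc:
        print("rejected:", exc)
```

A caller would map the `ValueError` to a 400 response instead of sending the header.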

How do you make a CustomAction depending on a custom ContentType?

I have added a deployable custom action (FlyoutAnchor) to my Site. Now I have to hide this button in all other pages which do not inherit from a specific content type.

Is it possible to do this with custom content types? Does it work for content types that inherit from? For me it doesn’t work yet (for default content type 0x01 as well!). With the two properties RegistrationType and RegistrationId the button is hidden everywhere.

Custom action Elements.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <Elements xmlns="http://schemas.microsoft.com/sharepoint/">
      <CustomAction Id="Ribbon.EditingTools.MyCustomBtn"
                    Location="CommandUI.Ribbon"
                    Title="MyCustomBtn"
                    RegistrationType="ContentType"
                    RegistrationId="0x010100C568DB52D9D0A14D9B2FDCC96666E9F2007948130EC3DB064584E219954237AF3900C0DEBA5E97584817AA6A2C3A0402E78A">
        <CommandUIExtension>
          <CommandUIDefinitions>
            <CommandUIDefinition Location="Ribbon.EditingTools.CPInsert.Content.Controls._children">
              <FlyoutAnchor
                Id="Ribbon.EditingTools.Snippets.FlyoutAnchor"
                Sequence="20"
                LabelText="Add something"
                Image16by16="/_layouts/$Resources:core,Language;/images/formatmap16x16.png" Image16by16Top="-16" Image16by16Left="-16"
                Image32by32="/_layouts/$Resources:core,Language;/images/formatmap32x32.png" Image32by32Top="-32" Image32by32Left="-32"
                TemplateAlias="o1"
                PopulateDynamically="true"
                PopulateOnlyOnce="true"
                PopulateQueryCommand="GetDynamicNewMenuXml">
              </FlyoutAnchor>
            </CommandUIDefinition>
          </CommandUIDefinitions>
        </CommandUIExtension>
      </CustomAction>
    </Elements>

Content type Elements.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <Elements xmlns="http://schemas.microsoft.com/sharepoint/">
      <ContentType ID="0x010100C568DB52D9D0A14D9B2FDCC96666E9F2007948130EC3DB064584E219954237AF3900C0DEBA5E97584817AA6A2C3A0402E78A"
                   Name="Abstract Page"
                   Group="MyPages"
                   Description="My Abstract Base Page"
                   Inherits="TRUE"
                   Hidden="TRUE"
                   Version="0">
        <FieldRefs></FieldRefs>
      </ContentType>
    </Elements>

Modifying WebPartPage in SharePoint Online changes ContentType property

I am using the SharePoint Online CSOM library to change an ImageLink property in a WebPartPage. I first check-out the page, make any changes, and then check-in the page. When I check-in the page, the page’s content type shown in SharePoint Online changes from “Web Part Page” to “Wiki Page”. If I re-read the page, the ListItem’s ContentType field is indeed set to a Wiki page ID (“0x0101080091497901794A9E4E8282666A11DAE0AD”). I’m stumped as to what is causing this.

Here’s my C# code:

    using (SP.ClientContext context = SharePoint.GetClientContext(site.Url, siteCollection))
    {
        string serverRelativeUrl = site.GetServerRelativeUrl(url);
        SP.File csomFile = context.Web.GetFileByServerRelativeUrl(serverRelativeUrl);
        context.Load(csomFile);
        context.ExecuteQueryWithRetry();

        LimitedWebPartManager limitedWebPartManager = csomFile.GetLimitedWebPartManager(PersonalizationScope.Shared);
        context.Load(limitedWebPartManager);
        WebPartDefinitionCollection webPartDefinitionCollection = limitedWebPartManager.WebParts;
        context.Load(webPartDefinitionCollection, wpdc => wpdc.Include(
            wpd => wpd.Id,
            wpd => wpd.WebPart,
            wpd => wpd.WebPart.Properties));
        context.ExecuteQueryWithRetry();

        bool pageChanged = false;
        bool webPartChanged = false;
        foreach (WebPartDefinition wpd in webPartDefinitionCollection)
        {
            string imageLinkUrl = wpd.WebPart.Properties.GetField<string>(@"ImageLink");
            if (!String.IsNullOrEmpty(imageLinkUrl))
            {
                bool linkChanged = LinkHandler(ref imageLinkUrl);
                if (linkChanged)
                {
                    wpd.WebPart.Properties[@"ImageLink"] = imageLinkUrl;
                    webPartChanged = true;
                }
            }

            if (webPartChanged)
            {
                wpd.SaveWebPartChanges();
                pageChanged = true;
            }
        }

        if (pageChanged)
        {
            context.ExecuteQueryWithRetry();
        }
    }

Column ContentType does not exist.It may have been deleted by another user while adding/updating the list item

Need some thoughts/help here.

I have taken the list template from WSS 2007 and then uploaded the same to the SharePoint 2013. That too after changing the ProductVersion from 3 to 4. After the list was successfully created using the same template, when I am trying to add / edit the list item I got this error. “Column ‘ContentType’ does not exist.It may have been deleted by another user.”

I have created a ContentType column as suggested in blogs, but this only works if I create a new item and then try to save or edit it, but doesn't work on existing items that were created using the template.

I can view the item, but when I click edit I get this error:

    Application error when access /sites/dev/Lists/xxx/EditForm.aspx, Error=Value cannot be null.
       at Microsoft.SharePoint.Utilities.SPUtility.GetProviderName(String fullName)
       at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.IsEncodedClaim(String value)
       at Microsoft.SharePoint.WebControls.PickerEntity.get_Claim()

Any help will be appreciated

Magento 2 Curl : is setting Content-Type: application/x-www-form-urlencoded despite providing Content-Type: application/json

I am facing a weird issue while using Magento 2.2.6 default Curl class Magento\Framework\HTTP\Client\Curl.php to send a curl request.
Magento is automatically somehow adding another Content-Type: application/x-www-form-urlencoded despite providing Content-Type: application/json using

    $this->curl->setHeaders(array(
        'Content-Type: application/json',
        'Content-Length:' . strlen($jsonData)
    ));

I am trying to send a json value via post request.

    $url = trim($gwUrl, '/') . '/api/' . $method . '?format=JSON';
    $jsonData = json_encode($params);
    try {
        $this->curl->setOption(CURLINFO_HEADER_OUT, true);
        $this->curl->setOption(CURLOPT_FOLLOWLOCATION, 1);
        // Note: a value of 0 disables TLS certificate verification for this request.
        $this->curl->setOption(CURLOPT_SSL_VERIFYPEER, 0);
        $this->curl->setHeaders(array(
            'Content-Type: application/json',
            'Content-Length:' . strlen($jsonData)
        ));
        $this->curl->post($url, $jsonData);
        $result = $this->curl->getBody();
    } catch (\Exception $e) {
        $result["errorMsg"] = $this->getServerDownMsg();
        $result = json_encode($result);
    }

    return $result;

When I added $this->curl->setOption(CURLINFO_HEADER_OUT, true); I found out that Magento is sending an extra Content-Type in the header.

Please let me know if I am doing something wrong as the core PHP curl functions seem to achieve the correct response from server as in that no extra header is set. But I wish to use the core magento way.

MVP where to set Content-type header?

I’m having some problems with deciding where to set the content-type header in a vanilla MVC framework. Should I add it inside the controller's method:

    class ApiController extends Controller {

        public static function v1() {
            header('Content-Type: application/json');
            // some logic to output some json
        }

    }

My mvc works more like an mvp:

Model <--> Controller <--> View