[LPS-159182] Content-Type is not defined in response headers for .map resources. - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: Master
Fix Version/s: 7.3.X, 7.4.3.37 CE GA37, 7.4.3.38 CE GA38, Master
Component/s: Liferay Themes
Labels:

Branch Version/s:

7.3.x
Backported to Branch:

Committed

Description

Background
This issue was spotted during a penetration test

Issue
Content-Type is not defined in response headers for .map resources
With no Content-Type defined, browser might load unexpected file formats and might be considered a security vulnerability.

Steps to reproduce

Start Liferay
Execute the following curl command and check the response header
curl -I 'http://localhost:8080/o/classic-theme/css/main.css.map'
curl -I 'http://localhost:8080/o/classic-theme/css/clay.css.map'

Actual result
Content-Type is not defined.

Expected result
Contains the appropriate Content-Type.

Reproduced in
DXP 7.3 update7
73x Commit: b0743fba0e99ebc4a4c8265b5ae5d430da376b5b
Master Commit: e09a23834186cfe4dc82e8d7de21702e146d98de

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2022-08-08-10-50-14-855.png
90 kB
07/Aug/22 7:50 PM

Activity

People

Assignee:: Yanan Yuan(Ashley Yuan)

Reporter:: Hong Vo

Participants of an Issue:: Hong Vo, Yanan Yuan(Ashley Yuan)

Recent user:: Kiyoshi Lee

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 27/Jul/22 11:47 PM

Updated:: 17/Aug/22 10:28 AM

Resolved:: 03/Aug/22 10:56 AM

Days since last comment:: 42 weeks, 6 days ago

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Packages

Version	Package
7.3.X
7.4.3.37 CE GA37
7.4.3.38 CE GA38
Master