about summary refs log tree commit diff stats
path: root/README.md
diff options
context:
space:
mode:
authorKelly Rauchenberger <fefferburbia@gmail.com>2016-04-16 14:22:25 -0400
committerKelly Rauchenberger <fefferburbia@gmail.com>2016-04-16 14:22:25 -0400
commitff6d29e7f6b587a2536227834950986dbbcd580b (patch)
tree11baa1d8a29ccbc6bdfd7a1323361ab28a26d499 /README.md
parentf7b91944738e732ab4bfea50ea0a2fffd92a51a6 (diff)
downloaddifference-ff6d29e7f6b587a2536227834950986dbbcd580b.tar.gz
difference-ff6d29e7f6b587a2536227834950986dbbcd580b.tar.bz2
difference-ff6d29e7f6b587a2536227834950986dbbcd580b.zip
Added Accept header to image requests
The canonical bot tweeted an image (https://twitter.com/differencebot/status/721395886291558400) containing an advertisement instead of the requisite object. Previously, the only defense against servers serving the wrong image was that we ignore 300 response codes. This image, when loaded in Google Chrome, loaded a document with a content type of text/html, which is also ignored by difference, and which executed JavaScript redirecting Chrome to a malware-infested page. difference, however, saw the response as an image with content type image/gif (notably different from the URL, which indicated a JPEG image). It turned out that Chrome was using an Accept header that prioritized text/html documents over most other content types, which the malicious server used to decide what content to serve. Changing difference to send the same header caused the malicious server to also serve the text/html document to difference, which difference then discarded. Whilst the Accept header being used now does prioritize text/html documents over images, servers with legitimate content will not use that information when deciding what document to serve.

The malicious test URL is http://www.northvalleymedicalsupply.com/shop/products_pictures/adj%20hinge%20knee%20brace.jpg.
Diffstat (limited to 'README.md')
0 files changed, 0 insertions, 0 deletions