Opening PDF files in the browser vulnerability
We have a Java based web application deployed on WebLogic. We provide direct links to some PDF files, which the users can download/open in their browser. Our security team is claiming that allowing PDF files to be opened in the browser is a security risk. So they want to force the users to download the PDF files first rather than opening them in the browser window.
Is this really a security risk?
If the PDF is a trojan/vulnerable, how come downloading the file first and then opening it could solve the problem?
Is there a way to programmatically prevent the user from opening the PDF files in the browser window and to force downloading the PDF files first?
To force the browser to give a download option for the PDF:
response.setHeader("Content-Disposition", "attachment;filename=\"" + filename + "\"");
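As an added example (not code from the original answer), a servlet that sets the same header but builds its value defensively: a user-influenced file name is reduced to safe characters so it cannot carry CR/LF into the response headers or break out of the quoted string, the original name travels in the RFC 6266 filename* parameter, and the content type is pinned so the browser does not sniff. It assumes Java 10+ (the URLEncoder overload taking a Charset) and the javax.servlet API; the /WEB-INF/pdfs/ folder and the file request parameter are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Serves PDFs as attachments; the header value is built from an untrusted name safely. */
public class PdfDownloadServlet extends HttpServlet {

    /** Reduce an untrusted name to a safe ASCII file name that ends in .pdf. */
    static String safeFileName(String untrustedName) {
        String base = untrustedName.replaceAll("^.*[/\\\\]", "");   // drop directory parts
        String ascii = base.replaceAll("[^A-Za-z0-9._-]", "_");     // removes CR, LF, '"', '\'
        if (ascii.replace("_", "").isEmpty()) ascii = "download";
        return ascii.toLowerCase().endsWith(".pdf") ? ascii : ascii + ".pdf";
    }

    /** Build the Content-Disposition value; filename* carries the UTF-8 original (RFC 6266). */
    static String attachmentDisposition(String untrustedName) {
        String safe = safeFileName(untrustedName);
        String original = untrustedName.replaceAll("^.*[/\\\\]", "");
        if (original.isEmpty()) original = safe;
        // Percent-encoding also neutralises CR/LF and quotes in the extended parameter.
        String encoded = URLEncoder.encode(original, StandardCharsets.UTF_8).replace("+", "%20");
        return "attachment; filename=\"" + safe + "\"; filename*=UTF-8''" + encoded;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String requested = req.getParameter("file");               // untrusted input (hypothetical)
        String name = requested == null ? "" : requested;
        String safe = safeFileName(name);
        // Hypothetical store: only the sanitised name is resolved, inside the app's own folder.
        InputStream pdf = getServletContext().getResourceAsStream("/WEB-INF/pdfs/" + safe);
        if (pdf == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        resp.setContentType("application/pdf");
        resp.setHeader("X-Content-Type-Options", "nosniff");       // browser must not re-guess
        resp.setHeader("Content-Disposition", attachmentDisposition(name));
        try (InputStream in = pdf) {
            in.transferTo(resp.getOutputStream());                 // Java 9+
        }
    }
}
```

Forcing a download does not make a malicious PDF any safer once the user opens it locally; the header only changes where the file is rendered, so the sanitisation above is what actually removes a server-side risk (header injection through the file name).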
Forcing the user to save a PDF file first and then open it is actually likely to be more risky than allowing it to be opened in the browser.
It's not better:
But it might be worse: