
I found a strange behavior of Shopify, where an attacker can change the extension on a URL and the backend will send back an HTTP content-type matching that extension, for each of these extensions:

atom: application/atom+xml
bmp: image/bmp
css: text/css
csv: text/csv
gif: image/gif
jpg: image/jpeg
json: application/json
js: text/javascript
mp3: audio/mpeg
mpeg: video/mpeg
mpg: video/mpeg
pdf: application/pdf
png: image/png
rss: application/rss+xml
svg: image/svg+xml
tiff: image/tiff
tif: image/tiff
txt: text/plain
xml: application/xml
yml: application/x-yaml
zip: application/zip

For example, https://gavinwahl-test.myshopify.com/.foo.yml returns 'Content-Type: application/x-yaml', even though it's a 404. https://gavinwahl-test.myshopify.com/search.svg returns the actual search page HTML but with image/svg+html content-type.

The search page also allows you to insert [html-escaped] text of your choice: https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 for example returns application/zip and is actually a valid zip file (despite having HTML around it).

It seems like there should be a vulnerability here. The search query is HTML escaped, but we can tell the browser to interpret in some other content type which may have different escaping rules. This has been done with EML (Microsoft Outlook Express mail message) files before. I know there are lots of vulnerabilities where content of one type is interpreted as a different content type, but Shopify claims that this practice is safe and not exploitable.

Is there actually a good argument that this is safe? Is there any way to get a reflected xss payload through based on the content type confusion?

(I have reported this as an issue to Shopify Security and they said it was safe, so I'm posting it publicly)

Gavin Wahl
  • Why don't you think it is safe? How do you think you can exploit this? – Conor Mancone Jan 22 '20 at 23:45
  • Interpreting content in the wrong mime type is a common source of vulnerabilities, and here the attacker gets to choose what mime type to interpret the content as. – Gavin Wahl Jan 22 '20 at 23:53
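The behaviour described in the question (Content-Type chosen from the URL extension, HTML body reflected under it, no `X-Content-Type-Options`) is easy to catch in an automated check of your own application's responses. The following Python is an added example, not code from the poster or from Shopify: it reproduces the extension-to-type table from the question as a constructed mapping, models a weak search handler next to a hardened one, and runs a small audit over their responses. The handler names, the sample search page and the finding strings are assumptions made for illustration; the audit only inspects header and body values it is handed, so it runs offline.

```python
"""Audit responses for Content-Type chosen by URL extension (added example)."""
import html
import re
from typing import Dict, List, Tuple

# Extension -> Content-Type mapping as listed in the question (constructed copy).
EXTENSION_TYPES = {
    "atom": "application/atom+xml", "bmp": "image/bmp", "css": "text/css",
    "csv": "text/csv", "gif": "image/gif", "jpg": "image/jpeg",
    "json": "application/json", "js": "text/javascript", "mp3": "audio/mpeg",
    "mpeg": "video/mpeg", "mpg": "video/mpeg", "pdf": "application/pdf",
    "png": "image/png", "rss": "application/rss+xml", "svg": "image/svg+xml",
    "tiff": "image/tiff", "tif": "image/tiff", "txt": "text/plain",
    "xml": "application/xml", "yml": "application/x-yaml", "zip": "application/zip",
}

# Types a browser parses as markup or script. An HTML body served under one of
# these deserves a review of the escaping rules that apply to that parser; an
# HTML body served as image/* or application/zip merely fails to decode.
MARKUP_OR_SCRIPT_TYPES = {
    "text/html", "image/svg+xml", "application/xml", "text/xml",
    "application/rss+xml", "application/atom+xml", "text/javascript",
}

HTML_MARKER = re.compile(rb"^\s*(?:<!doctype\s+html|<html)", re.IGNORECASE)


def extension_of(path: str) -> str:
    """Extension of the last path segment, lower-cased ('' when there is none)."""
    last = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def audit_response(path: str, headers: Dict[str, str], body: bytes) -> List[str]:
    """Return findings for one response; an empty list means nothing to report."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    declared = lowered.get("content-type", "").split(";")[0].strip().lower()
    ext = extension_of(path)
    body_is_html = bool(HTML_MARKER.match(body))

    if body_is_html and declared != "text/html":
        findings.append(f"html body declared as {declared or '(none)'}")
    if body_is_html and ext in EXTENSION_TYPES and EXTENSION_TYPES[ext] == declared:
        findings.append(f"content-type follows the '.{ext}' extension, not the body")
    if body_is_html and declared in MARKUP_OR_SCRIPT_TYPES and declared != "text/html":
        findings.append(f"{declared} is parsed as markup/script; review escaping rules")
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


# Constructed stand-in for a search results page that reflects the query.
SEARCH_PAGE = b"<!DOCTYPE html><html><body>Results for: %s</body></html>"


def weak_handler(path: str, query: str) -> Tuple[Dict[str, str], bytes]:
    """Hypothetical handler with the behaviour the question describes:
    the URL extension, not the handler, decides the Content-Type."""
    ctype = EXTENSION_TYPES.get(extension_of(path), "text/html")
    body = SEARCH_PAGE % html.escape(query).encode()
    return {"Content-Type": ctype}, body


def hardened_handler(path: str, query: str) -> Tuple[Dict[str, str], bytes]:
    """Hypothetical corrected handler: the code that produced the body names
    its type, and nosniff stops browsers from second-guessing it."""
    body = SEARCH_PAGE % html.escape(query).encode()
    return {"Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}, body


if __name__ == "__main__":
    for path in ("/search", "/search.svg", "/search.zip", "/.foo.yml"):
        for name, handler in (("weak", weak_handler), ("hardened", hardened_handler)):
            headers, body = handler(path, "hello")
            print(name, path, audit_response(path, headers, body))
```

The audit deliberately distinguishes "declared type disagrees with the body" from "declared type is one a browser will actually parse": both are worth fixing, but the second narrows the list of URLs that need a close look at what the other parser does with HTML-escaped input.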
