harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more XSS blockage of uploaded files

Browse Source
This commit is contained in:
friendica 2014-02-09 15:00:47 -08:00
parent b92f00587b
commit b58baa5e4a
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
mod/attach.php
View File

@ -24,7 +24,16 @@ function attach_init(&$a) {
if(! $c) if(! $c)
return; return;
$unsafe_types = array('text/html','text/css','application/javascript');
if(in_array($r['data']['filetype'],$unsafe_types)) {
header('Content-type: text/plain');
}
else {
header('Content-type: ' . $r['data']['filetype']); header('Content-type: ' . $r['data']['filetype']);
}
header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
if($r['data']['flags'] & ATTACH_FLAG_OS ) { if($r['data']['flags'] & ATTACH_FLAG_OS ) {
$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');