diff options
author | Harrison Healey <harrisonmhealey@gmail.com> | 2017-07-14 14:42:08 -0400 |
---|---|---|
committer | Saturnino Abril <saturnino.abril@gmail.com> | 2017-07-15 02:42:08 +0800 |
commit | a20ddb40476837f8686d9f73b449920f4e465d4a (patch) | |
tree | e633521a7183cb9b119301708a67d5a22de0eb29 /api/file.go | |
parent | 22d34476e5d8d98baeec506f24e78ea0ff8932b9 (diff) | |
download | chat-a20ddb40476837f8686d9f73b449920f4e465d4a.tar.gz chat-a20ddb40476837f8686d9f73b449920f4e465d4a.tar.bz2 chat-a20ddb40476837f8686d9f73b449920f4e465d4a.zip |
Fixed downloading of image files (#6934)
* Fixed downloading of image files
* Fixed captitalization
* Fixed missing import
* Rename image to media
Diffstat (limited to 'api/file.go')
-rw-r--r-- | api/file.go | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/api/file.go b/api/file.go index 1e7c7d66d..3b49be5e0 100644 --- a/api/file.go +++ b/api/file.go @@ -7,6 +7,7 @@ import ( "net/http" "net/url" "strconv" + "strings" l4g "github.com/alecthomas/log4go" "github.com/gorilla/mux" @@ -15,6 +16,15 @@ import ( "github.com/mattermost/platform/utils" ) +var UNSAFE_CONTENT_TYPES = [...]string{ + "application/javascript", + "application/ecmascript", + "text/javascript", + "text/ecmascript", + "application/x-javascript", + "text/html", +} + func InitFile() { l4g.Debug(utils.T("api.file.init.debug")) @@ -282,13 +292,21 @@ func getPublicFileOld(c *Context, w http.ResponseWriter, r *http.Request) { func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError { w.Header().Set("Cache-Control", "max-age=2592000, private") w.Header().Set("Content-Length", strconv.Itoa(len(bytes))) + w.Header().Set("X-Content-Type-Options", "nosniff") - if contentType != "" { - w.Header().Set("Content-Type", contentType) + if contentType == "" { + contentType = "application/octet-stream" } else { - w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer + for _, unsafeContentType := range UNSAFE_CONTENT_TYPES { + if strings.HasPrefix(contentType, unsafeContentType) { + contentType = "text/plain" + break + } + } } + w.Header().Set("Content-Type", contentType) + w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename)) // prevent file links from being embedded in iframes |