author | Christopher Speller <crspeller@gmail.com> | 2017-07-18 15:45:23 -0700 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2017-07-18 15:45:23 -0700 |
commit | 97f34e483b0fa8b2a8cfe75b72168cfa38cc9d80 (patch) | |
tree | ec2d68077dd2b12de3173871622f3ec2a2b61d35 /api | |
parent | 21a3219b9b1df033635631afa751742bd4c56ea0 (diff) | |
parent | a350f4dc0754e1aeabb64bd712ce05f7c59cfa60 (diff) | |
Merge branch 'release-4.0'
Diffstat (limited to 'api')
-rw-r--r-- | api/file.go | 24 | ||||
-rw-r--r-- | api/oauth.go | 4 | ||||
-rw-r--r-- | api/user.go | 2 |
3 files changed, 24 insertions, 6 deletions
diff --git a/api/file.go b/api/file.go
index 1e7c7d66d..3b49be5e0 100644
--- a/api/file.go
+++ b/api/file.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 
 	l4g "github.com/alecthomas/log4go"
 	"github.com/gorilla/mux"
@@ -15,6 +16,15 @@ import (
 	"github.com/mattermost/platform/utils"
 )
 
+var UNSAFE_CONTENT_TYPES = [...]string{
+	"application/javascript",
+	"application/ecmascript",
+	"text/javascript",
+	"text/ecmascript",
+	"application/x-javascript",
+	"text/html",
+}
+
 func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))
 
@@ -282,13 +292,21 @@ func getPublicFileOld(c *Context, w http.ResponseWriter, r *http.Request) {
 func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, private")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 
-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	} else {
-		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
+		for _, unsafeContentType := range UNSAFE_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, unsafeContentType) {
+				contentType = "text/plain"
+				break
+			}
+		}
 	}
 
+	w.Header().Set("Content-Type", contentType)
+
 	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
 
 	// prevent file links from being embedded in iframes
diff --git a/api/oauth.go b/api/oauth.go
index 84d30ee61..a239e889b 100644
--- a/api/oauth.go
+++ b/api/oauth.go
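Review bot: The rewrite loop in writeFileResponse compares contentType case-sensitively, so a value such as `Text/HTML` or `TEXT/JAVASCRIPT` is passed through unchanged even though MIME types are case-insensitive; normalise before the prefix check, `if strings.HasPrefix(strings.ToLower(contentType), unsafeContentType) {`. Where contentType originates is outside the hunk; if it is the MIME type recorded at upload time it should be treated as untrusted at this point. The denylist also omits other types that browsers interpret actively, notably `image/svg+xml` and `application/xhtml+xml`, which are worth adding, or the list could be replaced by an allowlist of types known to be safe to serve with their own Content-Type. A comment above UNSAFE_CONTENT_TYPES such as `// Content types a browser would execute or render as a document; files with these types are served as text/plain.` would record the intent for the next maintainer. writeFileResponse continues past the end of the hunk.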
@@ -157,7 +157,7 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if authUrl, err := app.GetOAuthLoginEndpoint(service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil {
+	if authUrl, err := app.GetOAuthLoginEndpoint(w, r, service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil {
 		c.Err = err
 		return
 	} else {
@@ -180,7 +180,7 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if authUrl, err := app.GetOAuthSignupEndpoint(service, teamId); err != nil {
+	if authUrl, err := app.GetOAuthSignupEndpoint(w, r, service, teamId); err != nil {
 		c.Err = err
 		return
 	} else {
diff --git a/api/user.go b/api/user.go
index eb249cb39..0b2fbfba8 100644
--- a/api/user.go
+++ b/api/user.go
@@ -866,7 +866,7 @@ func emailToOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	link, err := app.SwitchEmailToOAuth(email, password, mfaToken, service)
+	link, err := app.SwitchEmailToOAuth(w, r, email, password, mfaToken, service)
 	if err != nil {
 		c.Err = err
 		return