Fixed downloading of image files (#6934)

* Fixed downloading of image files

* Fixed captitalization

* Fixed missing import

* Rename image to media

1 files changed, 21 insertions, 3 deletions

diff --git a/api/file.go b/api/file.go
index 1e7c7d66d..3b49be5e0 100644
--- a/api/file.go
+++ b/api/file.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 
 	l4g "github.com/alecthomas/log4go"
 	"github.com/gorilla/mux"
@@ -15,6 +16,15 @@ import (
 	"github.com/mattermost/platform/utils"
 )
 
+var UNSAFE_CONTENT_TYPES = [...]string{
+	"application/javascript",
+	"application/ecmascript",
+	"text/javascript",
+	"text/ecmascript",
+	"application/x-javascript",
+	"text/html",
+}
+
 func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))
 
@@ -282,13 +292,21 @@ func getPublicFileOld(c *Context, w http.ResponseWriter, r *http.Request) {
 func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, private")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 
-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	} else {
-		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
+		for _, unsafeContentType := range UNSAFE_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, unsafeContentType) {
+				contentType = "text/plain"
+				break
+			}
+		}
 	}
 
+	w.Header().Set("Content-Type", contentType)
+
 	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
 
 	// prevent file links from being embedded in iframes