-rw-r--r--api/file.go25
-rw-r--r--config/config.json2
-rw-r--r--webapp/components/file_attachment.jsx2
-rw-r--r--webapp/components/view_image.jsx2
-rw-r--r--webapp/utils/utils.jsx5
5 files changed, 18 insertions, 18 deletions
diff --git a/api/file.go b/api/file.go
index 19f69052d..ee9703455 100644
--- a/api/file.go
+++ b/api/file.go
@@ -379,7 +379,6 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
hash := r.URL.Query().Get("h")
data := r.URL.Query().Get("d")
teamId := r.URL.Query().Get("t")
- isDownload := r.URL.Query().Get("download") == "1"
cchan := Srv.Store.Channel().CheckPermissionsTo(c.Session.TeamId, channelId, c.Session.UserId)
@@ -419,21 +418,23 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Length", strconv.Itoa(len(f)))
w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
- if isDownload {
- // attach extra headers to trigger a download on IE, Edge, and Safari
- ua := user_agent.New(r.UserAgent())
- bname, _ := ua.Browser()
+ // attach extra headers to trigger a download on IE, Edge, and Safari
+ ua := user_agent.New(r.UserAgent())
+ bname, _ := ua.Browser()
- parts := strings.Split(filename, "/")
- filePart := strings.Split(parts[len(parts)-1], "?")[0]
- w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")
+ parts := strings.Split(filename, "/")
+ filePart := strings.Split(parts[len(parts)-1], "?")[0]
+ w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")
- if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" {
- // trim off anything before the final / so we just get the file's name
- w.Header().Set("Content-Type", "application/octet-stream")
- }
+ if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" {
+ // trim off anything before the final / so we just get the file's name
+ w.Header().Set("Content-Type", "application/octet-stream")
}
+ // prevent file links from being embedded in iframes
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("Content-Security-Policy", "Frame-ancestors 'none'")
+
w.Write(f)
}
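Review bot: The Content-Disposition value on the new line `w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")` is built by string concatenation, so a stored filename containing a double quote or non-ASCII bytes produces a malformed or non-portable header, and this path now runs for every request rather than only when download=1 was passed; `mime.FormatMediaType("attachment", map[string]string{"filename": filePart})` handles the quoting and encoding for you. The CSP directive name is conventionally lowercase, `frame-ancestors 'none'`, and since the Content-Type is left for the writer to sniff on browsers other than the three listed, adding `X-Content-Type-Options: nosniff` next to the new X-Frame-Options header would keep user-uploaded content from being interpreted as a different type than intended — worth confirming it is not already set by middleware outside this hunk. The comment `// trim off anything before the final / so we just get the file's name` has drifted: it sits above the Content-Type line but describes the `parts`/`filePart` split three lines earlier, so it should move up to that split. getFile starts before this hunk.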
diff --git a/config/config.json b/config/config.json
index d5f82674f..11627df70 100644
--- a/config/config.json
+++ b/config/config.json
@@ -54,7 +54,7 @@
"FileSettings": {
"DriverName": "local",
"Directory": "./data/",
- "EnablePublicLink": true,
+ "EnablePublicLink": false,
"PublicLinkSalt": "A705AklYF8MFDOfcwh3I488G8vtLlVip",
"ThumbnailWidth": 120,
"ThumbnailHeight": 100,
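Review bot: Flipping `"EnablePublicLink"` to `false` changes the shipped default, but the adjacent `"PublicLinkSalt"` still ships as a fixed literal in the default config, so any deployment that re-enables public links without overriding it shares that value with every other install; since JSON allows no inline comment, the config documentation should state that it must be set per installation, or the server could generate it on first start if it has a hook for that. What the salt is used for is not visible in this diff, so this is inferred from the key name.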
diff --git a/webapp/components/file_attachment.jsx b/webapp/components/file_attachment.jsx
index 6253e17e1..ccd4070aa 100644
--- a/webapp/components/file_attachment.jsx
+++ b/webapp/components/file_attachment.jsx
@@ -130,7 +130,7 @@ class FileAttachment extends React.Component {
var filename = this.props.filename;
var fileInfo = utils.splitFileLocation(filename);
- var fileUrl = utils.getFileUrl(filename, true);
+ var fileUrl = utils.getFileUrl(filename);
var type = utils.getFileType(fileInfo.ext);
var thumbnail;
diff --git a/webapp/components/view_image.jsx b/webapp/components/view_image.jsx
index 7572f88ae..3d3107d92 100644
--- a/webapp/components/view_image.jsx
+++ b/webapp/components/view_image.jsx
@@ -228,7 +228,7 @@ class ViewImageModal extends React.Component {
}
const filename = this.props.filenames[this.state.imgId];
- const fileUrl = Utils.getFileUrl(filename, true);
+ const fileUrl = Utils.getFileUrl(filename);
var content;
if (this.state.loaded[this.state.imgId]) {
diff --git a/webapp/utils/utils.jsx b/webapp/utils/utils.jsx
index a70666e2d..ac373d638 100644
--- a/webapp/utils/utils.jsx
+++ b/webapp/utils/utils.jsx
@@ -1110,9 +1110,8 @@ export function fileSizeToString(bytes) {
}
// Converts a filename (like those attached to Post objects) to a url that can be used to retrieve attachments from the server.
-export function getFileUrl(filename, isDownload) {
- const downloadParam = isDownload ? '?download=1' : '';
- return getWindowLocationOrigin() + '/api/v1/files/get' + filename + downloadParam;
+export function getFileUrl(filename) {
+ return getWindowLocationOrigin() + '/api/v1/files/get' + filename;
}
// Gets the name of a file (including extension) from a given url or file path.
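Review bot: The comment above `getFileUrl` still describes the URL as one that retrieves attachments, but with the server change in this commit every URL it returns is served with a `Content-Disposition: attachment` header, so callers that previously passed `false` to show a file inline now get a download; extend the comment with something like `// The server serves these URLs as attachment downloads.` so the behavior change is recorded where callers look. Because JavaScript silently ignores extra arguments, a call site still passing a second argument will not fail, so it is worth checking for remaining `getFileUrl(` callers beyond the two updated in this commit. `filename` is concatenated into the path without encoding, as before; if it can contain `?` or `#` the resulting URL differs from the intended one, which is not new here but is worth a look while the function is being touched. The `}` at the top of the hunk closes fileSizeToString, which starts outside the hunk.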