From 3803750fb189880eb4c4b6d41fdca1e6f162b116 Mon Sep 17 00:00:00 2001
From: Harrison Healey
Date: Fri, 8 Apr 2016 18:06:35 -0400
Subject: Changed getFile api call to always attach headers
---
 api/file.go | 25 +++++++++++++------------
 config/config.json | 2 +-
 webapp/components/file_attachment.jsx | 2 +-
 webapp/components/view_image.jsx | 2 +-
 webapp/utils/utils.jsx | 5 ++---
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/api/file.go b/api/file.go
index 19f69052d..ee9703455 100644
--- a/api/file.go
+++ b/api/file.go
@@ -379,7 +379,6 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 hash := r.URL.Query().Get("h")
 data := r.URL.Query().Get("d")
 teamId := r.URL.Query().Get("t")
- isDownload := r.URL.Query().Get("download") == "1"
 cchan := Srv.Store.Channel().CheckPermissionsTo(c.Session.TeamId, channelId, c.Session.UserId)
@@ -419,21 +418,23 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Length", strconv.Itoa(len(f)))
 w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
- if isDownload {
- // attach extra headers to trigger a download on IE, Edge, and Safari
- ua := user_agent.New(r.UserAgent())
- bname, _ := ua.Browser()
+ // attach extra headers to trigger a download on IE, Edge, and Safari
+ ua := user_agent.New(r.UserAgent())
+ bname, _ := ua.Browser()
- parts := strings.Split(filename, "/")
- filePart := strings.Split(parts[len(parts)-1], "?")[0]
- w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")
+ parts := strings.Split(filename, "/")
+ filePart := strings.Split(parts[len(parts)-1], "?")[0]
+ w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")
- if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" {
- // trim off anything before the final / so we just get the file's name
- w.Header().Set("Content-Type", "application/octet-stream")
- }
+ if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" {
+ // trim off anything before the final / so we just get the file's name
+ w.Header().Set("Content-Type", "application/octet-stream")
 }
+ // prevent file links from being embedded in iframes
+ w.Header().Set("X-Frame-Options", "DENY")
+ w.Header().Set("Content-Security-Policy", "Frame-ancestors 'none'")
+
 w.Write(f)
 }
diff --git a/config/config.json b/config/config.json
index d5f82674f..11627df70 100644
--- a/config/config.json
+++ b/config/config.json
@@ -54,7 +54,7 @@
 "FileSettings": {
 "DriverName": "local",
 "Directory": "./data/",
- "EnablePublicLink": true,
+ "EnablePublicLink": false,
 "PublicLinkSalt": "A705AklYF8MFDOfcwh3I488G8vtLlVip",
 "ThumbnailWidth": 120,
 "ThumbnailHeight": 100,
diff --git a/webapp/components/file_attachment.jsx b/webapp/components/file_attachment.jsx
index 6253e17e1..ccd4070aa 100644
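Review bot: The `Content-Disposition` value built at `w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"")` places `filePart` inside a quoted-string without escaping it, so a filename containing `"` or `\` yields a malformed header (Go's header writer replaces CR/LF, so this is a correctness rather than a header-injection problem); since `filePart` is cut from `filename`, which in this handler appears to be caller-supplied, escape it first, e.g. `filePart = strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(filePart)`. Because the hunk deletes `Content-Type` and leaves it to the writer's sniffing for every browser the user-agent branch does not match, the new framing headers should be joined by `w.Header().Set("X-Content-Type-Options", "nosniff")` so the type the writer picks is not second-guessed client-side; the user-agent match is a best-effort hint, and a browser it does not recognise gets only the sniffed type plus the attachment disposition. The comment `// trim off anything before the final / so we just get the file's name` sits above the `application/octet-stream` line in the new code but describes the `parts`/`filePart` split, so it should move up to the `parts := strings.Split(filename, "/")` line. `Frame-ancestors 'none'` is matched case-insensitively per the CSP spec, but the directive is conventionally written lowercase, `frame-ancestors 'none'`, which is how scanners and documentation spell it. getFile begins before this hunk; its closing brace is the hunk's last line.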
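Review bot: Defaulting `EnablePublicLink` to `false` is an improvement, but the hunk leaves the literal `PublicLinkSalt` value `A705AklYF8MFDOfcwh3I488G8vtLlVip` shipped in config.json, so any install that later flips the flag back without editing that key derives its public links from a salt that is published in this repository. JSON has no comment syntax to carry a warning here; the caveat belongs in the FileSettings documentation, or in a startup check that rejects the shipped salt when public links are enabled — I cannot see from this hunk whether such a check exists.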
--- a/webapp/components/file_attachment.jsx
+++ b/webapp/components/file_attachment.jsx
@@ -130,7 +130,7 @@ class FileAttachment extends React.Component {
 var filename = this.props.filename;
 var fileInfo = utils.splitFileLocation(filename);
- var fileUrl = utils.getFileUrl(filename, true);
+ var fileUrl = utils.getFileUrl(filename);
 var type = utils.getFileType(fileInfo.ext);
 var thumbnail;
diff --git a/webapp/components/view_image.jsx b/webapp/components/view_image.jsx
index 7572f88ae..3d3107d92 100644
--- a/webapp/components/view_image.jsx
+++ b/webapp/components/view_image.jsx
@@ -228,7 +228,7 @@ class ViewImageModal extends React.Component {
 }
 const filename = this.props.filenames[this.state.imgId];
- const fileUrl = Utils.getFileUrl(filename, true);
+ const fileUrl = Utils.getFileUrl(filename);
 var content;
 if (this.state.loaded[this.state.imgId]) {
diff --git a/webapp/utils/utils.jsx b/webapp/utils/utils.jsx
index a70666e2d..ac373d638 100644
--- a/webapp/utils/utils.jsx
+++ b/webapp/utils/utils.jsx
@@ -1110,9 +1110,8 @@ export function fileSizeToString(bytes) {
 }
 // Converts a filename (like those attached to Post objects) to a url that can be used to retrieve attachments from the server.
-export function getFileUrl(filename, isDownload) {
- const downloadParam = isDownload ? '?download=1' : '';
- return getWindowLocationOrigin() + '/api/v1/files/get' + filename + downloadParam;
+export function getFileUrl(filename) {
+ return getWindowLocationOrigin() + '/api/v1/files/get' + filename;
 }
 // Gets the name of a file (including extension) from a given url or file path.
-- 
cgit v1.2.3-1-g7c22