From a20ddb40476837f8686d9f73b449920f4e465d4a Mon Sep 17 00:00:00 2001 From: Harrison Healey Date: Fri, 14 Jul 2017 14:42:08 -0400 Subject: Fixed downloading of image files (#6934) * Fixed downloading of image files * Fixed captitalization * Fixed missing import * Rename image to media --- api4/file.go | 93 ++++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 62 insertions(+), 31 deletions(-) (limited to 'api4') diff --git a/api4/file.go b/api4/file.go index a395fff65..4b39a1812 100644 --- a/api4/file.go +++ b/api4/file.go @@ -7,6 +7,7 @@ import ( "net/http" "net/url" "strconv" + "strings" l4g "github.com/alecthomas/log4go" "github.com/mattermost/platform/app" @@ -18,6 +19,27 @@ const ( FILE_TEAM_ID = "noteam" ) +var UNSAFE_CONTENT_TYPES = [...]string{ + "application/javascript", + "application/ecmascript", + "text/javascript", + "text/ecmascript", + "application/x-javascript", + "text/html", +} + +var MEDIA_CONTENT_TYPES = [...]string{ + "image/jpeg", + "image/png", + "image/bmp", + "image/gif", + "video/avi", + "video/mpeg", + "video/mp4", + "audio/mpeg", + "audio/wav", +} + func InitFile() { l4g.Debug(utils.T("api.file.init.debug")) @@ -82,9 +104,9 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -105,22 +127,7 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - contentTypeToCheck := []string{"image/jpeg", "image/png", "image/bmp", "image/gif", - "video/avi", "video/mpeg", "audio/mpeg3", "audio/wav"} - - contentType := http.DetectContentType(data) - foundContentType := false - for _, contentTypeFromList := range contentTypeToCheck { - if contentType == contentTypeFromList && toDownload == false { - foundContentType = true - break - } - } - if !foundContentType { - toDownload = true - } - - err = writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r) + err = writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r) if err != nil { c.Err = err return @@ -133,9 +140,9 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -158,7 +165,7 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.ThumbnailPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -205,9 +212,9 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -230,7 +237,7 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.PreviewPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -298,14 +305,38 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) { } } -func writeFileResponse(filename string, contentType string, bytes []byte, toDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { +func writeFileResponse(filename string, contentType string, bytes []byte, forceDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { w.Header().Set("Cache-Control", "max-age=2592000, private") w.Header().Set("Content-Length", strconv.Itoa(len(bytes))) + w.Header().Set("X-Content-Type-Options", "nosniff") - if contentType != "" { - w.Header().Set("Content-Type", contentType) + if contentType == "" { + contentType = "application/octet-stream" } else { - w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer + for _, unsafeContentType := range UNSAFE_CONTENT_TYPES { + if strings.HasPrefix(contentType, unsafeContentType) { + contentType = "text/plain" + break + } + } + } + + w.Header().Set("Content-Type", contentType) + + var toDownload bool + if forceDownload { + toDownload = true + } else { + isMediaType := false + + for _, mediaContentType := range MEDIA_CONTENT_TYPES { + if strings.HasPrefix(contentType, mediaContentType) { + isMediaType = true + break + } + } + + toDownload = !isMediaType } if toDownload { -- cgit v1.2.3-1-g7c22