From 3803750fb189880eb4c4b6d41fdca1e6f162b116 Mon Sep 17 00:00:00 2001 From: Harrison Healey Date: Fri, 8 Apr 2016 18:06:35 -0400 Subject: Changed getFile api call to always attach headers --- api/file.go | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'api') diff --git a/api/file.go b/api/file.go index 19f69052d..ee9703455 100644 --- a/api/file.go +++ b/api/file.go @@ -379,7 +379,6 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { hash := r.URL.Query().Get("h") data := r.URL.Query().Get("d") teamId := r.URL.Query().Get("t") - isDownload := r.URL.Query().Get("download") == "1" cchan := Srv.Store.Channel().CheckPermissionsTo(c.Session.TeamId, channelId, c.Session.UserId) @@ -419,21 +418,23 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Length", strconv.Itoa(len(f))) w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer - if isDownload { - // attach extra headers to trigger a download on IE, Edge, and Safari - ua := user_agent.New(r.UserAgent()) - bname, _ := ua.Browser() + // attach extra headers to trigger a download on IE, Edge, and Safari + ua := user_agent.New(r.UserAgent()) + bname, _ := ua.Browser() - parts := strings.Split(filename, "/") - filePart := strings.Split(parts[len(parts)-1], "?")[0] - w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"") + parts := strings.Split(filename, "/") + filePart := strings.Split(parts[len(parts)-1], "?")[0] + w.Header().Set("Content-Disposition", "attachment;filename=\""+filePart+"\"") - if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" { - // trim off anything before the final / so we just get the file's name - w.Header().Set("Content-Type", "application/octet-stream") - } + if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" { + // trim off anything before the final / so we just get the file's name + w.Header().Set("Content-Type", "application/octet-stream") } + // prevent file links from being embedded in iframes + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("Content-Security-Policy", "Frame-ancestors 'none'") + w.Write(f) } -- cgit v1.2.3-1-g7c22