From a20ddb40476837f8686d9f73b449920f4e465d4a Mon Sep 17 00:00:00 2001
From: Harrison Healey
Date: Fri, 14 Jul 2017 14:42:08 -0400
Subject: Fixed downloading of image files (#6934)

* Fixed downloading of image files

* Fixed captitalization

* Fixed missing import

* Rename image to media
---
 api/file.go | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

(limited to 'api')

diff --git a/api/file.go b/api/file.go
index 1e7c7d66d..3b49be5e0 100644
--- a/api/file.go
+++ b/api/file.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 
 	l4g "github.com/alecthomas/log4go"
 	"github.com/gorilla/mux"
@@ -15,6 +16,15 @@ import (
 	"github.com/mattermost/platform/utils"
 )
 
+var UNSAFE_CONTENT_TYPES = [...]string{
+	"application/javascript",
+	"application/ecmascript",
+	"text/javascript",
+	"text/ecmascript",
+	"application/x-javascript",
+	"text/html",
+}
+
 func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))
 
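Review bot: `UNSAFE_CONTENT_TYPES` is a fixed prefix denylist, and it does not cover other types browsers treat as active content, notably `image/svg+xml`, `application/xhtml+xml` and `text/xml`/`application/xml`, so a stored type of that form would pass through `writeFileResponse` unchanged. Because the later hunk also sends the body as `Content-Disposition: attachment` with `X-Content-Type-Options: nosniff`, this is a defence-in-depth gap rather than a direct rendering path, but adding those entries costs nothing. The exported variable also has no doc comment and uses underscore naming, which Go convention avoids (`unsafeContentTypes` if it need not be exported); I would add `// UNSAFE_CONTENT_TYPES lists Content-Type prefixes that writeFileResponse rewrites to text/plain so that served files are never labelled with a type a browser could execute or render as a document.`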
@@ -282,13 +292,21 @@ func getPublicFileOld(c *Context, w http.ResponseWriter, r *http.Request) {
 func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, private")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
+	w.Header().Set("X-Content-Type-Options", "nosniff")
 
-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	} else {
-		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
+		for _, unsafeContentType := range UNSAFE_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, unsafeContentType) {
+				contentType = "text/plain"
+				break
+			}
+		}
 	}
 
+	w.Header().Set("Content-Type", contentType)
+
 	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
 
 	// prevent file links from being embedded in iframes
-- 
cgit v1.2.3-1-g7c22
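Review bot: The `strings.HasPrefix(contentType, unsafeContentType)` check is case-sensitive while MIME types are not, so a stored value such as `Text/HTML` or `TEXT/JAVASCRIPT` would not be rewritten to `text/plain`; where `contentType` originates is not visible here, so whether such values can reach this function is unconfirmed, but normalising before the comparison removes the question: `if strings.HasPrefix(strings.ToLower(contentType), unsafeContentType) {`. The `X-Content-Type-Options: nosniff` header set above and the `attachment` disposition already limit what a browser will do with the body, so this is defence-in-depth rather than the only control. A one-line comment on the loop would help the next reader, e.g. `// Downgrade script/markup types to text/plain so the file is never served as active content.` The body of writeFileResponse continues past the end of the hunk.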