Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability that arises when a malicious HTML/JavaScript file is attached to a post through upload
Hypolite Petovan 2024-02-21 22:14:05 -05:00
parent aeffcc0ae3
commit 9892513744
1 changed files with 1 additions and 5 deletions


@ -65,11 +65,7 @@ class Attach extends BaseModule
// error in Chrome for filenames with commas in them
header('Content-type: ' . $item['filetype']);
header('Content-length: ' . $item['filesize']);
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') {
header('Content-disposition: filename="' . $item['filename'] . '"');
} else {
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
}
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
echo $data;
System::exit();
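Review bot: With the inline branch gone, the forced `Content-disposition: attachment` is the only thing keeping an uploaded HTML file from rendering in the site's origin, because `Content-type` is still emitted straight from `$item['filetype']`. Adding `header('X-Content-Type-Options: nosniff');` and `header('Content-Security-Policy: sandbox');` beside the existing headers would keep the response inert even if a client or a later change ignores the disposition. The filename is also concatenated into the quoted string unescaped, so a `"` in an uploaded name (presumably uploader-controlled; the storage path is not visible here) yields a malformed header; stripping it first, e.g. `str_replace(['"', '\\'], '', $item['filename'])`, avoids that. The enclosing method starts outside the hunk, so any validation done earlier is not visible.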