friendica/friendica
6
0
Fork 1
mirror of https://github.com/friendica/friendica synced 2024-05-21 11:06:42 +02:00
Code Issues Packages Projects Releases 1 Wiki Activity

Prevent pass-through for attachments

Browse source 
- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload
This commit is contained in:
Hypolite Petovan 2024-02-21 22:14:05 -05:00
parent aeffcc0ae3
commit 9892513744
1 changed files with 1 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/Module/Attach.php
View file

@ -65,11 +65,7 @@ class Attach extends BaseModule
// error in Chrome for filenames with commas in them // error in Chrome for filenames with commas in them
header('Content-type: ' . $item['filetype']); header('Content-type: ' . $item['filetype']);
header('Content-length: ' . $item['filesize']); header('Content-length: ' . $item['filesize']);
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') { header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
header('Content-disposition: filename="' . $item['filename'] . '"');
} else {
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
}
echo $data; echo $data;
System::exit(); System::exit();