Prevent pass-through for attachments
- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload
This commit is contained in:
parent
aeffcc0ae3
commit
9892513744
|
@ -65,11 +65,7 @@ class Attach extends BaseModule
|
|||
// error in Chrome for filenames with commas in them
|
||||
header('Content-type: ' . $item['filetype']);
|
||||
header('Content-length: ' . $item['filesize']);
|
||||
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') {
|
||||
header('Content-disposition: filename="' . $item['filename'] . '"');
|
||||
} else {
|
||||
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
|
||||
}
|
||||
|
||||
echo $data;
|
||||
System::exit();
|
||||
|
|
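Review bot: The surviving `header('Content-disposition: attachment; filename="' . $item['filename'] . '"');` still concatenates the stored filename into the header value unescaped, so a filename containing a double quote can close the quoted-string and append further parameters; since `$item['filename']` presumably originates from the upload, escape it and add the RFC 5987 form, e.g. `header('Content-Disposition: attachment; filename="' . addcslashes($item['filename'], '"\\') . '"; filename*=UTF-8\'\'' . rawurlencode($item['filename']));` (this also sidesteps the comma problem noted in the comment above the headers). `Content-type` is likewise still taken from `$item['filetype']`, which the commit does not address; forcing `attachment` stops the browser from rendering the file, but `header('X-Content-Type-Options: nosniff');` next to it is cheap defence in depth against sniffing if that disposition is ever bypassed. The `?attachment=0` query parameter is now silently ignored rather than rejected, which is fine but worth a one-line comment such as `// Always serve as a download: user-uploaded content must never be rendered inline`. The enclosing method begins before this hunk.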