authorfriendica <info@friendica.com>2014-02-09 15:00:47 -0800
committerfriendica <info@friendica.com>2014-02-09 15:00:47 -0800
commitb58baa5e4a80657f7b0c7848f16fd12714e4a11a (patch)
tree7a1b9503f5af95785e0fe0eb7e8eaa4e01723997
parentb92f00587b8791b5aea20ae2dc390b084c8ca444 (diff)
downloadvolse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.tar.gz
volse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.tar.bz2
volse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.zip
more XSS blockage of uploaded files
-rw-r--r--mod/attach.php11
1 files changed, 10 insertions, 1 deletions
diff --git a/mod/attach.php b/mod/attach.php
index d0d3296e1..cf72d09c6 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -24,7 +24,16 @@ function attach_init(&$a) {
if(! $c)
return;
- header('Content-type: ' . $r['data']['filetype']);
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
if($r['data']['flags'] & ATTACH_FLAG_OS ) {
$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');