aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2014-02-09 14:56:52 -0800
committerfriendica <info@friendica.com>2014-02-09 14:56:52 -0800
commitb92f00587b8791b5aea20ae2dc390b084c8ca444 (patch)
tree669b883681502399c7e2378c42cb9ce533b0bc9c
parent66e7d182d499a7a8a854f64fb4c4746c283bef4a (diff)
downloadvolse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.tar.gz
volse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.tar.bz2
volse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.zip
don't allow the browser to open uploaded html/css/js
-rw-r--r--include/reddav.php13
1 files changed, 12 insertions, 1 deletions
diff --git a/include/reddav.php b/include/reddav.php
index af79a0db1..63d073d2a 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -443,11 +443,18 @@ class RedFile extends DAV\Node implements DAV\IFile {
function get() {
logger('RedFile::get: ' . basename($this->name), LOGGER_DEBUG);
- $r = q("select data, flags from attach where hash = '%s' and uid = %d limit 1",
+ $r = q("select data, flags, filename, filetype from attach where hash = '%s' and uid = %d limit 1",
dbesc($this->data['hash']),
intval($this->data['uid'])
);
if($r) {
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r[0]['filetype'],$unsafe_types)) {
+ header('Content-disposition: attachment; filename="' . $r[0]['filename'] . '"');
+ header('Content-type: text/plain');
+ }
+
if($r[0]['flags'] & ATTACH_FLAG_OS ) {
$f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . $r[0]['data'];
return fopen($f,'rb');
@@ -463,6 +470,10 @@ class RedFile extends DAV\Node implements DAV\IFile {
function getContentType() {
+ $unsafe_types = array('text/html','text/css','application/javascript');
+ if(in_array($this->data['filetype'],$unsafe_types)) {
+ return 'text/plain';
+ }
return $this->data['filetype'];
}