diff options
| author | friendica <info@friendica.com> | 2014-02-09 14:56:52 -0800 |
|---|---|---|
| committer | friendica <info@friendica.com> | 2014-02-09 14:56:52 -0800 |
| commit | b92f00587b8791b5aea20ae2dc390b084c8ca444 (patch) | |
| tree | 669b883681502399c7e2378c42cb9ce533b0bc9c | |
| parent | 66e7d182d499a7a8a854f64fb4c4746c283bef4a (diff) | |
| download | volse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.tar.gz volse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.tar.bz2 volse-hubzilla-b92f00587b8791b5aea20ae2dc390b084c8ca444.zip | |
don't allow the browser to open uploaded html/css/js
| -rw-r--r-- | include/reddav.php | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/include/reddav.php b/include/reddav.php index af79a0db1..63d073d2a 100644 --- a/include/reddav.php +++ b/include/reddav.php @@ -443,11 +443,18 @@ class RedFile extends DAV\Node implements DAV\IFile { function get() { logger('RedFile::get: ' . basename($this->name), LOGGER_DEBUG); - $r = q("select data, flags from attach where hash = '%s' and uid = %d limit 1", + $r = q("select data, flags, filename, filetype from attach where hash = '%s' and uid = %d limit 1", dbesc($this->data['hash']), intval($this->data['uid']) ); if($r) { + $unsafe_types = array('text/html','text/css','application/javascript'); + + if(in_array($r[0]['filetype'],$unsafe_types)) { + header('Content-disposition: attachment; filename="' . $r[0]['filename'] . '"'); + header('Content-type: text/plain'); + } + if($r[0]['flags'] & ATTACH_FLAG_OS ) { $f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . $r[0]['data']; return fopen($f,'rb'); @@ -463,6 +470,10 @@ class RedFile extends DAV\Node implements DAV\IFile { function getContentType() { + $unsafe_types = array('text/html','text/css','application/javascript'); + if(in_array($this->data['filetype'],$unsafe_types)) { + return 'text/plain'; + } return $this->data['filetype']; } |