diff options
author | friendica <info@friendica.com> | 2014-02-09 15:00:47 -0800 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-02-09 15:00:47 -0800 |
commit | b58baa5e4a80657f7b0c7848f16fd12714e4a11a (patch) | |
tree | 7a1b9503f5af95785e0fe0eb7e8eaa4e01723997 /mod/attach.php | |
parent | b92f00587b8791b5aea20ae2dc390b084c8ca444 (diff) | |
download | volse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.tar.gz volse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.tar.bz2 volse-hubzilla-b58baa5e4a80657f7b0c7848f16fd12714e4a11a.zip |
more XSS blockage of uploaded files
Diffstat (limited to 'mod/attach.php')
-rw-r--r-- | mod/attach.php | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/mod/attach.php b/mod/attach.php index d0d3296e1..cf72d09c6 100644 --- a/mod/attach.php +++ b/mod/attach.php @@ -24,7 +24,16 @@ function attach_init(&$a) { if(! $c) return; - header('Content-type: ' . $r['data']['filetype']); + + $unsafe_types = array('text/html','text/css','application/javascript'); + + if(in_array($r['data']['filetype'],$unsafe_types)) { + header('Content-type: text/plain'); + } + else { + header('Content-type: ' . $r['data']['filetype']); + } + header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"'); if($r['data']['flags'] & ATTACH_FLAG_OS ) { $istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb'); |