Merge pull request #1 from friendica/master

Update this fork

1 files changed, 28 insertions, 5 deletions

diff --git a/mod/attach.php b/mod/attach.php
index a5f9d1a6b..cf72d09c6 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -17,12 +17,35 @@ function attach_init(&$a) {
 		return;
 	}
 
-	header('Content-type: ' . $r['data']['filetype']);
-	header('Content-disposition: attachment; filename=' . $r['data']['filename']);
-	if($r['data']['flags'] & ATTACH_FLAG_OS )
-		echo @file_get_contents($r['data']['data']);
+	$c = q("select channel_address from channel where channel_id = %d limit 1",
+		intval($r['data']['uid'])
+	);
+
+	if(! $c)
+		return;
+
+
+	$unsafe_types = array('text/html','text/css','application/javascript');
+
+	if(in_array($r['data']['filetype'],$unsafe_types)) {
+			header('Content-type: text/plain');
+	}
+	else {
+		header('Content-type: ' . $r['data']['filetype']);
+	}
+
+	header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
+	if($r['data']['flags'] & ATTACH_FLAG_OS ) {
+		$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');
+		$ostream = fopen('php://output','wb');
+		if($istream && $ostream) {
+			pipe_streams($istream,$ostream);
+			fclose($istream);
+			fclose($ostream);
+		}
+	}
 	else
 		echo $r['data']['data'];
 	killme();
 
-}
\ No newline at end of file
+}