author | Mike Macgirvin <mike@macgirvin.com> | 2018-10-31 15:56:08 +1100 |
---|---|---|
committer | Mike Macgirvin <mike@macgirvin.com> | 2018-10-31 15:56:08 +1100 |
commit | 7e1f431eca7a8aa68fc0badfaa88e88de3ba094c (patch) | |
tree | 16beba352cd4ace4aa6eb13c7f9c1c82c92013b4 /vendor/blueimp/jquery-file-upload/server/php/files | |
parent | 70c55da1df69d90dcbeb5a78c994b23a8456bfc9 (diff) | |
download | volse-hubzilla-7e1f431eca7a8aa68fc0badfaa88e88de3ba094c.tar.gz volse-hubzilla-7e1f431eca7a8aa68fc0badfaa88e88de3ba094c.tar.bz2 volse-hubzilla-7e1f431eca7a8aa68fc0badfaa88e88de3ba094c.zip |
yet another blueimp vulnerability. Move to composer.
Diffstat (limited to 'vendor/blueimp/jquery-file-upload/server/php/files')
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/files/.gitignore | 3 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/files/.htaccess | 26 |
2 files changed, 29 insertions, 0 deletions
diff --git a/vendor/blueimp/jquery-file-upload/server/php/files/.gitignore b/vendor/blueimp/jquery-file-upload/server/php/files/.gitignore
new file mode 100644
index 000000000..e24a60fae
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/server/php/files/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+!.htaccess
diff --git a/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess b/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess
new file mode 100644
index 000000000..6f454afb9
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess
@@ -0,0 +1,26 @@
+# To enable the Headers module, execute the following command and reload Apache:
+# sudo a2enmod headers
+
+# The following directives prevent the execution of script files
+# in the context of the website.
+# They also force the content-type application/octet-stream and
+# force browsers to display a download dialog for non-image files.
+SetHandler default-handler
+ForceType application/octet-stream
+Header set Content-Disposition attachment
+
+# The following unsets the forced type and Content-Disposition headers
+# for known image files:
+<FilesMatch "(?i)\.(gif|jpe?g|png)$">
+ ForceType none
+ Header unset Content-Disposition
+</FilesMatch>
+
+# The following directive prevents browsers from MIME-sniffing the content-type.
+# This is an important complement to the ForceType directive above:
+Header set X-Content-Type-Options nosniff
+
+# Uncomment the following lines to prevent unauthorized download of files:
+#AuthName "Authorization required"
+#AuthType Basic
+#require valid-user
|
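Review bot: Nothing in the new `.htaccess` says that its directives only take effect when Apache is permitted to read the file: with `AllowOverride None` for this directory, or on a non-Apache server, the whole file is ignored and the `SetHandler default-handler` / `ForceType application/octet-stream` lines protect nothing. I would add a header comment such as `# Requires AllowOverride FileInfo for this directory (SetHandler, ForceType, Header); confirm that a test script placed here is served as a download and not executed.` A PHP handler assigned in a `<FilesMatch>` section of the main server configuration is, as far as I can tell, merged after this file and may override the handler set here, so the upload handler's own file-type allow-list should remain the primary control rather than this file. The auth block at the bottom ships commented out, which leaves stored uploads publicly downloadable by default; that deserves an explicit note as well.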