-rw-r--r--include/reddav.php13
-rw-r--r--mod/attach.php11
2 files changed, 22 insertions, 2 deletions
diff --git a/include/reddav.php b/include/reddav.php
index af79a0db1..63d073d2a 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -443,11 +443,18 @@ class RedFile extends DAV\Node implements DAV\IFile {
function get() {
logger('RedFile::get: ' . basename($this->name), LOGGER_DEBUG);
- $r = q("select data, flags from attach where hash = '%s' and uid = %d limit 1",
+ $r = q("select data, flags, filename, filetype from attach where hash = '%s' and uid = %d limit 1",
dbesc($this->data['hash']),
intval($this->data['uid'])
);
if($r) {
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r[0]['filetype'],$unsafe_types)) {
+ header('Content-disposition: attachment; filename="' . $r[0]['filename'] . '"');
+ header('Content-type: text/plain');
+ }
+
if($r[0]['flags'] & ATTACH_FLAG_OS ) {
$f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . $r[0]['data'];
return fopen($f,'rb');
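Review bot: The new `$unsafe_types` check in get() only blocks three exact, lowercase strings, so a stored filetype such as `text/html; charset=utf-8` or `TEXT/HTML` is still served as-is, and other browser-executable types (application/xhtml+xml, image/svg+xml, text/xml, application/xml, text/javascript) are not covered at all; the same list and comparison are repeated in getContentType() below and in mod/attach.php. Normalise the type (strip parameters, lowercase) before a strict `in_array(..., true)`, and send `header('X-Content-Type-Options: nosniff');` regardless of outcome so a browser does not sniff the text/plain body back into HTML. The filename is also concatenated into the Content-disposition header unescaped, so a `"` in an uploaded name terminates the parameter early; strip or escape quotes there. RedFile::get continues past the end of the hunk.
```php
if($r) {
    $unsafe_types = array('text/html','text/css','application/javascript','text/javascript',
        'application/xhtml+xml','image/svg+xml','text/xml','application/xml');
    // normalise "Type/Sub; charset=..." before the lookup
    list($type) = explode(';', (string) $r[0]['filetype']);
    $type = strtolower(trim($type));
    header('X-Content-Type-Options: nosniff');
    if(in_array($type, $unsafe_types, true)) {
        header('Content-disposition: attachment; filename="' . str_replace('"', '', $r[0]['filename']) . '"');
        header('Content-type: text/plain');
    }
    // … unchanged: ATTACH_FLAG_OS branch and return …
```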
@@ -463,6 +470,10 @@ class RedFile extends DAV\Node implements DAV\IFile {
function getContentType() {
+ $unsafe_types = array('text/html','text/css','application/javascript');
+ if(in_array($this->data['filetype'],$unsafe_types)) {
+ return 'text/plain';
+ }
return $this->data['filetype'];
}
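Review bot: getContentType() now carries a second copy of the unsafe-type list that get() also declares, and mod/attach.php a third; keep it in one place, e.g. a `private function isUnsafeType($type)` on RedFile or a shared helper that mod/attach.php can call too, so the lists cannot drift when a type is added. This method is presumably what the DAV layer uses to set the response Content-Type on GET, in which case the manual `header('Content-type: text/plain')` in get() duplicates it and only one of the two takes effect — worth confirming which, and dropping the other. The enclosing RedFile class continues outside the hunk.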
diff --git a/mod/attach.php b/mod/attach.php
index d0d3296e1..cf72d09c6 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -24,7 +24,16 @@ function attach_init(&$a) {
if(! $c)
return;
- header('Content-type: ' . $r['data']['filetype']);
+
+ $unsafe_types = array('text/html','text/css','application/javascript');
+
+ if(in_array($r['data']['filetype'],$unsafe_types)) {
+ header('Content-type: text/plain');
+ }
+ else {
+ header('Content-type: ' . $r['data']['filetype']);
+ }
+
header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
if($r['data']['flags'] & ATTACH_FLAG_OS ) {
$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');