From b92f00587b8791b5aea20ae2dc390b084c8ca444 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 9 Feb 2014 14:56:52 -0800
Subject: don't allow the browser to open uploaded html/css/js

---
 include/reddav.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'include/reddav.php')

diff --git a/include/reddav.php b/include/reddav.php
index af79a0db1..63d073d2a 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -443,11 +443,18 @@ class RedFile extends DAV\Node implements DAV\IFile {
 	function get() {
 		logger('RedFile::get: ' . basename($this->name), LOGGER_DEBUG);
 
-		$r = q("select data, flags from attach where hash = '%s' and uid = %d limit 1",
+		$r = q("select data, flags, filename, filetype from attach where hash = '%s' and uid = %d limit 1",
 			dbesc($this->data['hash']),
 			intval($this->data['uid'])
 		);
 		if($r) {
+			$unsafe_types = array('text/html','text/css','application/javascript');
+
+			if(in_array($r[0]['filetype'],$unsafe_types)) {
+				header('Content-disposition: attachment; filename="' . $r[0]['filename'] . '"');
+				header('Content-type: text/plain');
+			}
+
 			if($r[0]['flags'] & ATTACH_FLAG_OS ) {
 				$f = 'store/' . $this->auth->owner_nick . '/' . (($this->os_path) ? $this->os_path . '/' : '') . $r[0]['data'];
 				return fopen($f,'rb');
@@ -463,6 +470,10 @@ class RedFile extends DAV\Node implements DAV\IFile {
 
 
 	function getContentType() {
+		$unsafe_types = array('text/html','text/css','application/javascript');
+		if(in_array($this->data['filetype'],$unsafe_types)) {
+			return 'text/plain';
+		}
 		return $this->data['filetype'];
 	}
 
-- 
cgit v1.2.3