From b58baa5e4a80657f7b0c7848f16fd12714e4a11a Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 9 Feb 2014 15:00:47 -0800
Subject: more XSS blockage of uploaded files

---
 mod/attach.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'mod/attach.php')

diff --git a/mod/attach.php b/mod/attach.php
index d0d3296e1..cf72d09c6 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -24,7 +24,16 @@ function attach_init(&$a) {
 	if(! $c)
 		return;
 
-	header('Content-type: ' . $r['data']['filetype']);
+
+	$unsafe_types = array('text/html','text/css','application/javascript');
+
+	if(in_array($r['data']['filetype'],$unsafe_types)) {
+			header('Content-type: text/plain');
+	}
+	else {
+		header('Content-type: ' . $r['data']['filetype']);
+	}
+
 	header('Content-disposition: attachment; filename="' . $r['data']['filename'] . '"');
 	if($r['data']['flags'] & ATTACH_FLAG_OS ) {
 		$istream = fopen('store/' . $c[0]['channel_address'] . '/' . $r['data']['data'],'rb');
-- 
cgit v1.2.3