From 1d1edb40b40016d7fd2893b410b98569d7facca1 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Thu, 28 Apr 2022 11:55:32 +0200
Subject: [PATCH] Force to download SVG files to prevent security problems.
------
Forzamos a descargar los archivos SVG para evitar problemas de seguridad.
---
 Core/App/AppRouter.php | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/Core/App/AppRouter.php b/Core/App/AppRouter.php
index 1eed63f833..1de2d09bc9 100644
--- a/Core/App/AppRouter.php
+++ b/Core/App/AppRouter.php
@@ -127,8 +127,7 @@ public function getFile(): bool
 $allowedFolders = ['node_modules', 'vendor', 'Dinamic', 'Core', 'Plugins', 'MyFiles/Public'];
 foreach ($allowedFolders as $folder) {
 if ('/' . $folder === substr($uri, 0, 1 + strlen($folder))) {
- header('Content-Type: ' . $this->getMime($filePath));
- readfile($filePath);
+ $this->download($filePath);
 return true;
 }
 }
@@ -137,14 +136,7 @@ public function getFile(): bool
 $token = filter_input(INPUT_GET, 'myft');
 $fixedFilePath = substr(urldecode($uri), 1);
 if ('/MyFiles/' === substr($uri, 0, 9) && $token && MyFilesToken::validate($fixedFilePath, $token)) {
- header('Content-Type: ' . $this->getMime($filePath));
-
- // disable the buffer if enabled
- if (ob_get_contents()) {
- ob_end_flush();
- }
-
- readfile($filePath);
+ $this->download($filePath);
 return true;
 }
 
@@ -205,6 +197,23 @@ private function deploy()
 }
 }
 
+ private function download(string $filePath)
+ {
+ header('Content-Type: ' . $this->getMime($filePath));
+
+ // disable the buffer if enabled
+ if (ob_get_contents()) {
+ ob_end_flush();
+ }
+
+ // force to download svg files to prevent XSS attacks
+ if (strpos($filePath, '.svg') !== false) {
+ header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
+ }
+
+ readfile($filePath);
+ }
+
 /**
 * Return the mime type from given file.
 *
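Review bot: The SVG guard in the new `download()` method keys on `strpos($filePath, '.svg') !== false`, which is a substring match on the whole path rather than an extension check, so it is case-sensitive (`logo.SVG` is not caught) and it also fires on unrelated paths such as `icons.svg/photo.png` while missing compressed `.svgz`. Since the whole point of the commit is that an attacker-controlled SVG served inline can run script, the check should be on the lowercased extension, e.g. `if (in_array(strtolower(pathinfo($filePath, PATHINFO_EXTENSION)), ['svg', 'svgz'], true)) {`. It would also be worth emitting `header('X-Content-Type-Options: nosniff');` before `readfile()` so browsers do not sniff other file types under `MyFiles/` into an active content type, and declaring the method `: void` to match the typed parameter. Whether `getMime()` maps an uppercase extension to `image/svg+xml` is not visible in this hunk, but the download header is what prevents rendering either way, so the guard should be extension-based regardless.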