Use local file type when serving attachments
This should prevent XSS issues when a malicious attachment is uploaded with a forged content-type header
Alanaktion committed Mar 12, 2022
1 parent c9c95fe commit 798453f
Showing 1 changed file with 7 additions and 6 deletions.
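--- a/app/controller/files.php
+++ b/app/controller/files.php
@@ -240,21 +240,22 @@ public function file($f3, $params)
 }
 
 $force = true;
+$type = mime_content_type($file->disk_filename);
 if (
-substr($file->content_type, 0, 5) == "image" ||
-$file->content_type == "text/plain" ||
-$file->content_type == "application/pdf" ||
-in_array($file->content_type, ['video/mp4', 'video/webm'])
+substr($type, 0, 5) == "image" ||
+$type == "text/plain" ||
+$type == "application/pdf" ||
+in_array($type, ['video/mp4', 'video/webm'])
 ) {
 $force = false;
 }
 
 // Force download of SVG images
-if ($file->content_type == 'image/svg+xml') {
+if ($type == 'image/svg+xml') {
 $force = true;
 }
 
-if (!$this->_sendFile($file->disk_filename, $file->content_type, $file->filename, $force)) {
+if (!$this->_sendFile($file->disk_filename, $type, $file->filename, $force)) {
 $f3->error(404);
 }
 }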
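Review bot: `mime_content_type()` returns `false` (and raises a warning) when the file cannot be read or libmagic is unavailable, and on the last changed line that `false` is passed straight into `_sendFile()` as the content type; guarding the new assignment with `$type = mime_content_type($file->disk_filename) ?: 'application/octet-stream';` keeps the failure path on the forced-download branch with an opaque type instead of an empty or bogus header. The allow-list now trusts magic-byte detection, so a file libmagic classifies as `image/gif` or `text/plain` is still served inline even if its body also carries HTML markup; that is only safe if `_sendFile` (outside this hunk) emits `X-Content-Type-Options: nosniff` and a `Content-Disposition` header, which should be confirmed rather than assumed. Since `$type` is a plain string here, the comparisons would also be clearer as `===` and `in_array($type, [...], true)`. The enclosing `file()` method begins before the hunk.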
