From 1b86239cadcf0e7045387635f1fc9d5d39418ac5 Mon Sep 17 00:00:00 2001
From: lethanhphuc <31820707+noobpk@users.noreply.github.com>
Date: Tue, 9 Nov 2021 17:06:13 +0700
Subject: [PATCH] Fix bug allowing to execute arbitrary javascript in SVG files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add CSP header

Closes #1251

Bug Disclosure: https://huntr.dev/bounties/253ebdad-a593-425a-bb91-20da8f3fbae9/

Signed-off-by: Elan Ruusamäe
---
 CHANGELOG.md | 1 +
 lib/eventum/class.misc.php | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 214e846ded..49262893c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ See [Upgrading] for details on how to upgrade.
 - Fix `sort_by` not being filtered in search form, #1252
+- Fix bug allowing to execute arbitrary JavaScript in SVG files, #1252
 [3.10.8]: https://github.com/eventum/eventum/compare/v3.10.7...master
diff --git a/lib/eventum/class.misc.php b/lib/eventum/class.misc.php
index f776a0d092..74619b3874 100644
--- a/lib/eventum/class.misc.php
+++ b/lib/eventum/class.misc.php
@@ -636,6 +636,7 @@ public static function outputDownload($data, $filename, $filesize, $filetype, $f
 header('Content-Type: ' . $filetype);
 header("Content-Disposition: {$disposition}; filename=\"{$filename}\"; filename*=UTF-8''{$filename}");
 header("Content-Length: {$filesize}");
+header("Content-Security-Policy: script-src 'none'");
 echo $data;
 exit;
 }
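Review bot: The new `Content-Security-Policy: script-src 'none'` line stops script execution, but when `$disposition` is `inline` the attachment is still rendered inside the application's own origin, and nothing here prevents a browser from sniffing a loosely typed `$filetype` into a different document type. Adding `header('X-Content-Type-Options: nosniff');` alongside it, and widening the policy to something like `header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox");`, would isolate user-uploaded content regardless of its type, since the `sandbox` directive gives the served document an opaque origin with no access to the session's cookies or DOM. Whether styled SVGs served inline also need `img-src`/`font-src` allowances is something to confirm against the attachment types Eventum actually displays inline. Note that `outputDownload` begins before this hunk — its signature is truncated in the hunk header — so where `$disposition` and `$filetype` are derived is not visible here.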