Force SVG files to be downloaded to prevent security problems.
------
Forzamos a descargar los archivos SVG para evitar problemas de seguridad.
NeoRazorX committed Apr 28, 2022
1 parent 73a6595 commit 1d1edb4
Showing 1 changed file with 19 additions and 10 deletions.
29 changes: 19 additions & 10 deletions Core/App/AppRouter.php
Expand Up @@ -127,8 +127,7 @@ public function getFile(): bool
$allowedFolders = ['node_modules', 'vendor', 'Dinamic', 'Core', 'Plugins', 'MyFiles/Public'];
foreach ($allowedFolders as $folder) {
if ('/' . $folder === substr($uri, 0, 1 + strlen($folder))) {
header('Content-Type: ' . $this->getMime($filePath));
readfile($filePath);
$this->download($filePath);
return true;
}
}
Expand All @@ -137,14 +136,7 @@ public function getFile(): bool
$token = filter_input(INPUT_GET, 'myft');
$fixedFilePath = substr(urldecode($uri), 1);
if ('/MyFiles/' === substr($uri, 0, 9) && $token && MyFilesToken::validate($fixedFilePath, $token)) {
header('Content-Type: ' . $this->getMime($filePath));

// disable the buffer if enabled
if (ob_get_contents()) {
ob_end_flush();
}

readfile($filePath);
$this->download($filePath);
return true;
}

Expand Down Expand Up @@ -205,6 +197,23 @@ private function deploy()
}
}

private function download(string $filePath)
{
header('Content-Type: ' . $this->getMime($filePath));

// disable the buffer if enabled
if (ob_get_contents()) {
ob_end_flush();
}

// force to download svg files to prevent XSS attacks
if (strpos($filePath, '.svg') !== false) {
header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
}

readfile($filePath);
}

/**
* Return the mime type from given file.
*
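Review bot: The SVG detection in `download()` is a substring search (`strpos($filePath, '.svg') !== false`), so it is case-sensitive and matches anywhere in the path: a file named `logo.SVG` is still served inline with whatever type getMime() returns, while a path such as `icons.svg/style.css` is forced to download. Checking the real extension case-insensitively is more precise, e.g. `if (strtolower(pathinfo($filePath, PATHINFO_EXTENSION)) === 'svg') {`. Since the goal is to keep the browser from rendering the document, emitting `header('X-Content-Type-Options: nosniff');` next to the Content-Disposition header prevents a sniffed type from undoing the mitigation, and a `Content-Security-Policy: sandbox` header on SVG responses would neutralise embedded script even when the file is opened inline. A short docblock stating that `download()` emits the response headers and streams the file, plus a `: void` return type, would round the method off.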
