github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-06-20 20:31:25 +08:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Added safe mime sniffing to prevent serving HTML

Browse Source 
(Amoung other content types)
For #3027
This commit is contained in:
Dan Brown
2021-10-31 17:58:56 +00:00
parent 5c834f24a6
commit ae155d6745
3 changed files with 106 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/Http/Controllers/Controller.php
View File

@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers;
use BookStack\Facades\Activity;
use BookStack\Interfaces\Loggable;
use BookStack\Model;
use BookStack\Util\WebSafeMimeSniffer;
use finfo;
use Illuminate\Foundation\Bus\DispatchesJobs;
use Illuminate\Foundation\Validation\ValidatesRequests;
@ -117,8 +118,9 @@ abstract class Controller extends BaseController
protected function downloadResponse(string $content, string $fileName): Response
{
return response()->make($content, 200, [
'Content-Type' => 'application/octet-stream',
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
'Content-Type' => 'application/octet-stream',
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
'X-Content-Type-Options' => 'nosniff',
]);
}
@ -128,12 +130,13 @@ abstract class Controller extends BaseController
*/
protected function inlineDownloadResponse(string $content, string $fileName): Response
{
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->buffer($content) ?: 'application/octet-stream';
$mime = (new WebSafeMimeSniffer)->sniff($content);
return response()->make($content, 200, [
'Content-Type' => $mime,
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
'Content-Type' => $mime,
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
'X-Content-Type-Options' => 'nosniff',
]);
}