github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-06-05 09:34:37 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Added safe mime sniffing to prevent serving HTML

Browse Source 
(Amoung other content types)
For #3027
This commit is contained in:
Dan Brown
2021-10-31 17:58:56 +00:00
parent 5c834f24a6
commit ae155d6745
3 changed files with 106 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
tests/Uploads/AttachmentTest.php
View File

@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
use BookStack\Uploads\AttachmentService;
use Illuminate\Http\UploadedFile;
use Tests\TestCase;
use Tests\TestResponse;
class AttachmentTest extends TestCase
{
@ -44,6 +45,20 @@ class AttachmentTest extends TestCase
return Attachment::query()->latest()->first();
}
/**
* Create a new upload attachment from the given data.
*/
protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
{
$file = tmpfile();
$filePath = stream_get_meta_data($file)['uri'];
file_put_contents($filePath, $content);
$upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
$this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
return $page->attachments()->latest()->firstOrFail();
}
/**
* Delete all uploaded files.
* To assist with cleanup.
@ -305,7 +320,24 @@ class AttachmentTest extends TestCase
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
$attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');
$this->deleteUploads();
}
public function test_html_file_access_with_open_forces_plain_content_type()
{
$page = Page::query()->first();
$this->asAdmin();
$attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
$attachmentGet = $this->get($attachment->getUrl(true));
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
$this->deleteUploads();
}
}