Fix unsafe hotserving behaviour for multimedia uploads. (#3113)
Return multimedia with a disposition type of attachment instead of inline. NVT#1548992 Signed-off-by: Josh Qou <jqou@icloud.com> Co-authored-by: Jon <haddock.05.roast@icloud.com>
parent
8cf6c381e2
commit
420e7ec81f
|
@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(filename) == 0 {
|
if len(filename) == 0 {
|
||||||
|
w.Header().Set("Content-Disposition", "attachment")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
|
||||||
// that would otherwise be parsed as a control character in the
|
// that would otherwise be parsed as a control character in the
|
||||||
// Content-Disposition header
|
// Content-Disposition header
|
||||||
w.Header().Set("Content-Disposition", fmt.Sprintf(
|
w.Header().Set("Content-Disposition", fmt.Sprintf(
|
||||||
`inline; filename=%s%s%s`,
|
`attachment; filename=%s%s%s`,
|
||||||
quote, unescaped, quote,
|
quote, unescaped, quote,
|
||||||
))
|
))
|
||||||
} else {
|
} else {
|
||||||
// For UTF-8 filenames, we quote always, as that's the standard
|
// For UTF-8 filenames, we quote always, as that's the standard
|
||||||
w.Header().Set("Content-Disposition", fmt.Sprintf(
|
w.Header().Set("Content-Disposition", fmt.Sprintf(
|
||||||
`inline; filename*=utf-8''%s`,
|
`attachment; filename*=utf-8''%s`,
|
||||||
url.QueryEscape(unescaped),
|
url.QueryEscape(unescaped),
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
|
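Review bot: In the UTF-8 branch of the second hunk (`attachment; filename*=utf-8''%s` with `url.QueryEscape(unescaped)`), spaces are encoded as `+`, which RFC 8187 ext-value does not decode, so a filename such as `my file.png` is saved by browsers as `my+file.png`; percent-encoding is what that parameter expects, e.g. `strings.ReplaceAll(url.QueryEscape(unescaped), "+", "%20")` (assuming `strings` is already imported in this file). Switching to `attachment` removes the inline-rendering path, but it is only one layer: if the download handler does not already send `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy` (for example `sandbox`) on served media, they are the usual complement for user-uploaded content and would be worth adding alongside this change. The ASCII branch's handling of `"` and `\` inside `unescaped` (the control-character comment at the top of the hunk refers to it) sits outside the visible lines, so I cannot confirm the quoted-string cannot be broken out of. `addDownloadFilenameToHeaders` begins before the first hunk and ends after the second.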