extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2025-01-11 00:18:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

mitigate risk of html downloads by using Content-Security-Policy header or Content-Disposition: attachment for IE

Browse Source
This commit is contained in:
Ralf Becker 2013-09-12 18:49:07 +00:00
parent eec0972bc0
commit b8341e48a1
1 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
phpgwapi/inc/class.vfs_webdav_server.inc.php
View File

@ -666,17 +666,27 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem
{
return $this->autoindex($options);
}
if (($ok = parent::GET($options)) && $this->force_download)
if (($ok = parent::GET($options)))
{
if(html::$user_agent == 'msie' && html::$ua_version < 9.0)
// mitigate risk of html downloads by using CSP or force download for IE
if (!$this->force_download && in_array($options['mimetype'], array('text/html', 'application/xhtml+xml')))
{
$attachment = '';
if (html::$user_agent == 'msie') // according to http://caniuse.com/contentsecuritypolicy not supported in IE
{
$this->force_download = true;
}
else
{
$csp = "script-src 'none'"; // forbid to execute any javascript
header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
header("X-Content-Security-Policy: $csp"); // FF <= 22
}
}
else
if ($this->force_download)
{
$attachment = ' attachment;';
header('Content-disposition: attachment; filename="'.egw_vfs::basename($options['path']).'"');
}
header('Content-disposition:'.$attachment.' filename="'.egw_vfs::basename($options['path']).'"');
}
return $ok;
}