extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-10-06 10:02:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

mitigate risk of html downloads by using Content-Security-Policy header or Content-Disposition: attachment for IE

Browse Source
This commit is contained in:
Ralf Becker 2013-09-12 18:49:07 +00:00
parent eec0972bc0
commit b8341e48a1
1 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
phpgwapi/inc/class.vfs_webdav_server.inc.php
View File

@ -666,17 +666,27 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem
{ {
return $this->autoindex($options); return $this->autoindex($options);
} }
if (($ok = parent::GET($options)) && $this->force_download) if (($ok = parent::GET($options)))
{ {
if(html::$user_agent == 'msie' && html::$ua_version < 9.0) // mitigate risk of html downloads by using CSP or force download for IE
if (!$this->force_download && in_array($options['mimetype'], array('text/html', 'application/xhtml+xml')))
{ {
$attachment = ''; if (html::$user_agent == 'msie') // according to http://caniuse.com/contentsecuritypolicy not supported in IE
{
$this->force_download = true;
} }
else else
{ {
$attachment = ' attachment;'; $csp = "script-src 'none'"; // forbid to execute any javascript
header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
header("X-Content-Security-Policy: $csp"); // FF <= 22
}
}
if ($this->force_download)
{
header('Content-disposition: attachment; filename="'.egw_vfs::basename($options['path']).'"');
} }
header('Content-disposition:'.$attachment.' filename="'.egw_vfs::basename($options['path']).'"');
} }
return $ok; return $ok;
} }