only modify js&css files for "real" browsers, identified by the existence of HTTP_REFERER, to avoid returning false data to WebDAV clients, e.g. those used for backup

Ralf Becker 2014-07-17 07:34:06 +00:00
parent 07a036b5f4
commit 258def8344


@ -682,13 +682,14 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem
} }
// for the rest we change mime-type to text/html and let code below handle it safely // for the rest we change mime-type to text/html and let code below handle it safely
// this stops Safari and Firefox from using it as src attribute in a script tag // this stops Safari and Firefox from using it as src attribute in a script tag
else // but only for "real" browsers, we dont want to modify data for our WebDAV clients
elseif (isset($_SERVER['HTTP_REFERER']))
{ {
$options['mimetype'] = 'text/html'; $options['mimetype'] = 'text/html';
$options['data'] = '<pre>'.fread($options['stream'], $options['length']); $options['data'] = '<pre>'.fread($options['stream'], $options['size']);
$options['size'] += 5;
fclose($options['stream']); fclose($options['stream']);
unset($options['stream']); unset($options['stream']);
$options['size'] += 4;
} }
} }
// mitigate risk of html downloads by using CSP or force download for IE // mitigate risk of html downloads by using CSP or force download for IE
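Review bot: The new `elseif (isset($_SERVER['HTTP_REFERER']))` makes the script-src protection depend on a header the requesting side controls. Browsers omit Referer under a no-referrer policy, so such a request now gets the stored js/css back unmodified with its original mime-type, which is the case the `text/html` + `<pre>` rewrite was meant to stop. A check that does not rely on Referer would keep the bytes intact for WebDAV clients and still block use as a script or stylesheet, for example serving these files as `text/plain` together with `header('X-Content-Type-Options: nosniff');`. Whether the CSP / forced-download code that follows already covers this cannot be seen, because the function continues outside the hunk. Separately, a single `fread($options['stream'], $options['size'])` may return fewer bytes than requested on non-file streams, so `stream_get_contents($options['stream'])` would be safer, and the size adjustment should match the 5 bytes of `<pre>`.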