From 4cbb440bad29de8d2c02a0229165a1ef67ac6c80 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Thu, 17 Jul 2014 07:34:34 +0000 Subject: [PATCH] only modify js&css files for "real" browsers identified by existing of HTTP_REFERER, to return false data to WebDAV clients eg. used for backup --- phpgwapi/inc/class.vfs_webdav_server.inc.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/phpgwapi/inc/class.vfs_webdav_server.inc.php b/phpgwapi/inc/class.vfs_webdav_server.inc.php index 8f67b1bb1e..062b24f78e 100644 --- a/phpgwapi/inc/class.vfs_webdav_server.inc.php +++ b/phpgwapi/inc/class.vfs_webdav_server.inc.php @@ -682,13 +682,14 @@ class vfs_webdav_server extends HTTP_WebDAV_Server_Filesystem } // for the rest we change mime-type to text/html and let code below handle it safely // this stops Safari and Firefox from using it as src attribute in a script tag - else + // but only for "real" browsers, we dont want to modify data for our WebDAV clients + elseif (isset($_SERVER['HTTP_REFERER'])) { $options['mimetype'] = 'text/html'; - $options['data'] = '
'.fread($options['stream'], $options['length']);
+					$options['data'] = '
'.fread($options['stream'], $options['size']);
+					$options['size'] += 5;
 					fclose($options['stream']);
 					unset($options['stream']);
-					$options['size'] += 4;
 				}
 			}
 			// mitigate risk of html downloads by using CSP or force download for IE