authorJosh Qou <97894002+joshqou@users.noreply.github.com>2023-06-15 12:28:34 +0100
committerGitHub <noreply@github.com>2023-06-15 12:28:34 +0100
commit420e7ec81fedf9ff531c75ece4c80a9b63046ba9 (patch)
tree7780013d8f27f4a6fd6c66c15b0e55b0086a5969
parent8cf6c381e21d0710f0290c97dfa5616036749a81 (diff)
Fix unsafe hotserving behaviour for multimedia uploads. (#3113)
Return multimedia with a disposition type of attachment instead of inline. NVT#1548992 Signed-off-by: Josh Qou [jqou@icloud.com](mailto:jqou@icloud.com) Co-authored-by: Jon <haddock.05.roast@icloud.com>
-rw-r--r--mediaapi/routing/download.go5
1 files changed, 3 insertions, 2 deletions
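--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
 }
 if len(filename) == 0 {
+ w.Header().Set("Content-Disposition", "attachment")
 return nil
 }
@@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
 // that would otherwise be parsed as a control character in the
 // Content-Disposition header
 w.Header().Set("Content-Disposition", fmt.Sprintf(
- `inline; filename=%s%s%s`,
+ `attachment; filename=%s%s%s`,
 quote, unescaped, quote,
 ))
 } else {
 // For UTF-8 filenames, we quote always, as that's the standard
 w.Header().Set("Content-Disposition", fmt.Sprintf(
- `inline; filename*=utf-8''%s`,
+ `attachment; filename*=utf-8''%s`,
 url.QueryEscape(unescaped),
 ))
 }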
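Review bot: Forcing `attachment` in both hunks stops a browser from rendering a client-supplied content type, but the fix still depends on the client honouring the disposition; for defence in depth the same response should also carry `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy` (for example `sandbox; default-src 'none'`) so that a client which ignores the disposition still cannot run an uploaded document in the homeserver's origin — assuming those headers are not set elsewhere in the download path, which these hunks do not show. In the UTF-8 branch of the second hunk, `url.QueryEscape(unescaped)` on the line after the changed literal encodes a space as `+`, which RFC 5987 percent-decoding leaves as a literal plus sign; `url.PathEscape(unescaped)` yields `%20` and matches the `filename*` encoding. Serving every download as an attachment also affects media that clients expect to display inline, so whether an allowlist of safe content types should keep `inline` is a decision worth recording next to the new line in the first hunk, e.g. `// Always serve as an attachment: content types are client-supplied, so an inline disposition would let uploaded HTML/SVG render in the homeserver origin.` addDownloadFilenameToHeaders starts before the first hunk and continues past the second.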