diff options
author | Josh Qou <97894002+joshqou@users.noreply.github.com> | 2023-06-15 12:28:34 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-15 12:28:34 +0100 |
commit | 420e7ec81fedf9ff531c75ece4c80a9b63046ba9 (patch) | |
tree | 7780013d8f27f4a6fd6c66c15b0e55b0086a5969 | |
parent | 8cf6c381e21d0710f0290c97dfa5616036749a81 (diff) |
Fix unsafe hotserving behaviour for multimedia uploads. (#3113)
Return multimedia with a disposition type of attachment instead of
inline. NVT#1548992
Signed-off-by: Josh Qou [jqou@icloud.com](mailto:jqou@icloud.com)
Co-authored-by: Jon <haddock.05.roast@icloud.com>
-rw-r--r-- | mediaapi/routing/download.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go index e9f161a3..8fb1b653 100644 --- a/mediaapi/routing/download.go +++ b/mediaapi/routing/download.go @@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders( } if len(filename) == 0 { + w.Header().Set("Content-Disposition", "attachment") return nil } @@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders( // that would otherwise be parsed as a control character in the // Content-Disposition header w.Header().Set("Content-Disposition", fmt.Sprintf( - `inline; filename=%s%s%s`, + `attachment; filename=%s%s%s`, quote, unescaped, quote, )) } else { // For UTF-8 filenames, we quote always, as that's the standard w.Header().Set("Content-Disposition", fmt.Sprintf( - `inline; filename*=utf-8''%s`, + `attachment; filename*=utf-8''%s`, url.QueryEscape(unescaped), )) } |