author | Josh Qou <97894002+joshqou@users.noreply.github.com> | 2023-06-15 12:28:34 +0100 |
committer | GitHub <noreply@github.com> | 2023-06-15 12:28:34 +0100 |
commit | 420e7ec81fedf9ff531c75ece4c80a9b63046ba9 (patch) | |
tree | 7780013d8f27f4a6fd6c66c15b0e55b0086a5969 /mediaapi | |
parent | 8cf6c381e21d0710f0290c97dfa5616036749a81 (diff) |
Fix unsafe hotserving behaviour for multimedia uploads. (#3113)
Return multimedia with a disposition type of attachment instead of
inline. NVT#1548992
Signed-off-by: Josh Qou <jqou@icloud.com>
Co-authored-by: Jon <haddock.05.roast@icloud.com>
Diffstat (limited to 'mediaapi')
-rw-r--r-- | mediaapi/routing/download.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index e9f161a3..8fb1b653 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
 }
 if len(filename) == 0 {
+w.Header().Set("Content-Disposition", "attachment")
 return nil
 }
@@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
 // that would otherwise be parsed as a control character in the
 // Content-Disposition header
 w.Header().Set("Content-Disposition", fmt.Sprintf(
-`inline; filename=%s%s%s`,
+`attachment; filename=%s%s%s`,
 quote, unescaped, quote,
 ))
 } else {
 // For UTF-8 filenames, we quote always, as that's the standard
 w.Header().Set("Content-Disposition", fmt.Sprintf(
-`inline; filename*=utf-8''%s`,
+`attachment; filename*=utf-8''%s`,
 url.QueryEscape(unescaped),
 ))
 } |
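Review bot: The `attachment` disposition type is now the control that keeps an uploaded HTML or SVG body from rendering in the server's origin, yet it is spelled as a bare literal in all three `w.Header().Set("Content-Disposition", …)` calls of this function (the no-filename branch in the first hunk and both format strings in the second), so a later edit to one branch can silently revert it to `inline`; hoisting it into one package-level constant, e.g. `const contentDispositionType = "attachment"`, and building each value from that makes the policy a single point of change. A short comment above the first `Set` recording the rationale would also help the next reader: `// Never serve uploads inline: a disposition of attachment prevents user-supplied content from rendering in this origin.` Browsers honor Content-Disposition only for navigations, not for subresource loads such as `<img>` or `<video>`, so client embedding is unaffected; if the handler does not already send `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy` (for example `sandbox`) on the same response, those are the usual companions for a media download endpoint, though I cannot see from these hunks whether they are set elsewhere. addDownloadFilenameToHeaders starts before and ends after both hunks.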