Fixed downloading of image files (#6934)

* Fixed downloading of image files * Fixed captitalization * Fixed missing import * Rename image to media
2025-02-25 18:55:24 -06:00 · 2017-07-14 14:42:08 -04:00
parent 22d34476e5
commit a20ddb4047
2 changed files with 83 additions and 34 deletions
--- a/api/file.go
+++ b/api/file.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"

 	l4g "github.com/alecthomas/log4go"
 	"github.com/gorilla/mux"
@@ -15,6 +16,15 @@ import (
 	"github.com/mattermost/platform/utils"
 )

+var UNSAFE_CONTENT_TYPES = [...]string{
+	"application/javascript",
+	"application/ecmascript",
+	"text/javascript",
+	"text/ecmascript",
+	"application/x-javascript",
+	"text/html",
+}
+
 func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))

@@ -282,13 +292,21 @@ func getPublicFileOld(c *Context, w http.ResponseWriter, r *http.Request) {
 func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, private")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
+	w.Header().Set("X-Content-Type-Options", "nosniff")

-	if contentType != "" {
-		w.Header().Set("Content-Type", contentType)
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	} else {
-		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
+		for _, unsafeContentType := range UNSAFE_CONTENT_TYPES {
+			if strings.HasPrefix(contentType, unsafeContentType) {
+				contentType = "text/plain"
+				break
+			}
+		}
 	}

+	w.Header().Set("Content-Type", contentType)
+
 	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))

 	// prevent file links from being embedded in iframes