From 1d6168f457c7b51213518d1a8f19da150b289810 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Thu, 6 Jul 2017 00:09:05 +0200
Subject: [PATCH] Download, svg, xml, flash, pdf files instead of displaying to avoid js execution

---
 src/Ui/UiRequest.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 336a55f3..b075d6a9 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -182,6 +182,10 @@ class UiRequest(object):
         if content_type == "text/plain":
             content_type = "text/plain; charset=utf-8"
 
+        # Download instead of display file types that can be dangerous
+        if re.findall("/svg|/xml|/x-shockwave-flash|/pdf", content_type):
+            headers.append(("Content-Disposition", "attachment"))
+
         cacheable_type = (
             content_type == "text/css" or content_type.startswith("image") or content_type.startswith("video") or self.env["REQUEST_METHOD"] == "OPTIONS" or content_type == "application/javascript"
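Review bot: The pattern on the added `re.findall` line is an unanchored substring match, so it misses `application/xhtml+xml` (which browsers render and script like HTML, and which contains neither `/xml` nor `/svg`) while matching any type that merely contains one of the fragments; tightening it to `if re.search(r"/(svg|xml|xhtml|x-shockwave-flash|pdf)\b", content_type):` closes the XHTML gap and avoids building a throwaway list with `findall`. Because the attachment header only helps when the client honours the declared type, consider pairing it with `headers.append(("X-Content-Type-Options", "nosniff"))` so a downloaded file is not sniffed back into a rendered one. The `content_type` compared here is a parameter of the enclosing method, whose signature and remaining body lie outside this hunk, and whether `re` is already imported in this file is not visible here.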