Download, svg, xml, flash, pdf files instead of displaying to avoid js execution

This commit is contained in:
shortcutme 2017-07-06 00:09:05 +02:00
parent 2a161f4421
commit 1d6168f457
No known key found for this signature in database
GPG key ID: 5B63BAE6CB9613AE


@ -182,6 +182,10 @@ class UiRequest(object):
if content_type == "text/plain":
content_type = "text/plain; charset=utf-8"
# Download instead of display file types that can be dangerous
if re.findall("/svg|/xml|/x-shockwave-flash|/pdf", content_type):
headers.append(("Content-Disposition", "attachment"))
cacheable_type = (
content_type == "text/css" or content_type.startswith("image") or content_type.startswith("video") or
self.env["REQUEST_METHOD"] == "OPTIONS" or content_type == "application/javascript"