SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example specially crafted XML documents) from being used in XSS attacks.
This commit is contained in:
parent
dc6b02f050
commit
adfa793731
@ -207,10 +207,10 @@ class UploadsController < ApplicationController
content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type
}
|
if params[:inline]
opts[:disposition] = "inline"
elsif !FileHelper.is_supported_image?(upload.original_filename)
if !FileHelper.is_supported_image?(upload.original_filename)
opts[:disposition] = "attachment"
elsif params[:inline]
opts[:disposition] = "inline"
end
|
file_path = Discourse.store.path_for(upload)
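Review bot: The inline/attachment decision on the new side is keyed solely on the extension of `upload.original_filename`, and the `Content-Type` computed a few lines above is likewise looked up by filename via MiniMime rather than sniffed from the stored bytes, so a file whose extension satisfies `FileHelper.is_supported_image?` but whose body is not an image is still served inline with an image Content-Type. Whether that matters depends on the browser honouring the declared type (an `X-Content-Type-Options: nosniff` header, not visible in this hunk, helps) and on upload validation rejecting mismatched bytes, which this hunk cannot show. If `FileHelper.supported_images` lists svg, be aware that SVG documents can carry scripts and are a known XSS vector when rendered inline, so that extension may deserve exclusion from the inline path. A comment would help the next reader, e.g. `# disposition is decided from the filename extension only; the stored bytes are not inspected here`. The enclosing controller action starts and ends outside the hunk.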
@ -305,6 +305,18 @@ describe UploadsController do
end
|
describe "#show_short" do
it 'inlines only supported image files' do
upload = upload_file("smallest.png")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('image/png')
expect(response.header['Content-Disposition']).to include('inline;')
|
upload.update!(original_filename: "test.xml")
get upload.short_path, params: { inline: true }
expect(response.header['Content-Type']).to eq('application/xml')
expect(response.header['Content-Disposition']).to include('attachment;')
end
|
describe "local store" do
fab!(:image_upload) { upload_file("smallest.png") }
|
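Review bot: The new example pins only one non-image extension (`test.xml`) and one image (`smallest.png`), so the contents of the allowlist behind `FileHelper.is_supported_image?` are never exercised and the example's name promises more than it checks. Adding one case per entry in `FileHelper.supported_images`, or at least an svg case if that list includes it, asserting whichever disposition the policy intends, would pin the behaviour the commit message describes rather than assume it. Note also that the xml case leaves the PNG bytes in place and only renames the record with `upload.update!(original_filename: "test.xml")`; that is consistent with the controller keying on the filename, but it means the spec says nothing about mismatched content. Renaming the example to state this, e.g. `it 'decides disposition from the filename extension, not the stored bytes'`, would make the intent explicit.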