SECURITY: Ensure only image uploads can be inlined

This prevents malicious files (for example special crafted XMLs) to be used in XSS attacks.
2024-12-15 04:13:40 +08:00 · 2019-12-11 15:21:41 +02:00 · 2019-12-11 15:21:41 +02:00 · 554b0f366d
commit 554b0f366d
parent 43ddb6b36d
2 changed files with 15 additions and 3 deletions
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -195,10 +195,10 @@ class UploadsController < ApplicationController
      content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type
    }

-    if params[:inline]
-      opts[:disposition] = "inline"
-    elsif !FileHelper.is_supported_image?(upload.original_filename)
+    if !FileHelper.is_supported_image?(upload.original_filename)
      opts[:disposition] = "attachment"
+    elsif params[:inline]
+      opts[:disposition] = "inline"
    end

    file_path = Discourse.store.path_for(upload)
--- a/spec/requests/uploads_controller_spec.rb
+++ b/spec/requests/uploads_controller_spec.rb
@ -296,6 +296,18 @@ describe UploadsController do
  end

  describe "#show_short" do
+    it 'inlines only supported image files' do
+      upload = upload_file("smallest.png")
+      get upload.short_path, params: { inline: true }
+      expect(response.header['Content-Type']).to eq('image/png')
+      expect(response.header['Content-Disposition']).to include('inline;')
+
+      upload.update!(original_filename: "test.xml")
+      get upload.short_path, params: { inline: true }
+      expect(response.header['Content-Type']).to eq('application/xml')
+      expect(response.header['Content-Disposition']).to include('attachment;')
+    end
+
    describe "local store" do
      fab!(:image_upload) { upload_file("smallest.png") }