Fix unsafe hotserving behaviour for multimedia uploads. (#3113)

Return multimedia with a disposition type of attachment instead of
inline. NVT#1548992

Signed-off-by: Josh Qou <jqou@icloud.com>

Co-authored-by: Jon <haddock.05.roast@icloud.com>
Josh Qou 2023-06-15 12:28:34 +01:00 committed by GitHub
parent 8cf6c381e2
commit 420e7ec81f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
} }
if len(filename) == 0 { if len(filename) == 0 {
w.Header().Set("Content-Disposition", "attachment")
return nil return nil
} }
@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders(
// that would otherwise be parsed as a control character in the // that would otherwise be parsed as a control character in the
// Content-Disposition header // Content-Disposition header
w.Header().Set("Content-Disposition", fmt.Sprintf( w.Header().Set("Content-Disposition", fmt.Sprintf(
`inline; filename=%s%s%s`, `attachment; filename=%s%s%s`,
quote, unescaped, quote, quote, unescaped, quote,
)) ))
} else { } else {
// For UTF-8 filenames, we quote always, as that's the standard // For UTF-8 filenames, we quote always, as that's the standard
w.Header().Set("Content-Disposition", fmt.Sprintf( w.Header().Set("Content-Disposition", fmt.Sprintf(
`inline; filename*=utf-8''%s`, `attachment; filename*=utf-8''%s`,
url.QueryEscape(unescaped), url.QueryEscape(unescaped),
)) ))
} }
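Review bot: Switching every Content-Disposition to `attachment` in both hunks only governs top-level navigations and downloads; subresource loads such as `<script src>` or `<img src>` ignore Content-Disposition, so the fix should be paired with `w.Header().Set("X-Content-Type-Options", "nosniff")` and the `Content-Security-Policy: sandbox` header the Matrix spec recommends for media responses, unless the handler already sets them outside this hunk. The changed lines carry no comment recording why inline was dropped, which invites a later revert; above the bare `attachment` case add `// Always serve as an attachment: uploaded content must never be rendered inline under the homeserver's origin.` and repeat the why at the two fmt.Sprintf calls. Separately, `url.QueryEscape` on the line after the UTF-8 format string encodes a space as `+`, which an RFC 8187 ext-value parser takes literally, so a name like `my file.png` would be saved as `my+file.png`; the ext-value syntax expects `%20`. addDownloadFilenameToHeaders starts before the first hunk, and its body between the two hunks is not shown.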