[Fusionforge-commits] FusionForge branch Branch_5_1 updated. 46457e98aba26896b26e30d734ba720984074091

Thorsten Glaser mirabilos at fusionforge.org
Tue Jun 3 14:10:53 CEST 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, Branch_5_1 has been updated
       via  46457e98aba26896b26e30d734ba720984074091 (commit)
      from  df97e563496f56ee8a9fa296ce43690c50de9228 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 46457e98aba26896b26e30d734ba720984074091
Author: Thorsten Glaser <t.glaser at tarent.de>
Date:   Tue Jun 3 14:10:11 2014 +0200

    plug XSS-with-CSP-bypass by always serving files as binary
    
    instead of using the content-type the browser gave us during the upload

diff --git a/src/www/tracker/download.php b/src/www/tracker/download.php
index 31b722e..1768edc 100644
--- a/src/www/tracker/download.php
+++ b/src/www/tracker/download.php
@@ -59,7 +59,9 @@ if (!$ah || !is_object($ah)) {
 		exit_error($afh->getErrorMessage(),'tracker');
 	} else {
 		Header ('Content-disposition: filename="'.str_replace('"', '', $afh->getName()).'"');
-		Header ("Content-type: ".$afh->getType());
+		/* SECURITY: do not serve as $afh->getType() but application/octet-stream */
+		header('X-Content-Type-Options: nosniff');
+		header('Content-Type: application/octet-stream');
 		echo $afh->getData();
 	}
 }
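Review bot: the switch to `application/octet-stream` plus `X-Content-Type-Options: nosniff` is the right fix for the upload-supplied content type, but the adjacent `Header ('Content-disposition: filename="..."')` line still sends no disposition type, so the response names a file without saying `attachment`; the forced-download intent then rests only on how the browser treats octet-stream. Suggest `Header('Content-Disposition: attachment; filename="'.str_replace('"', '', $afh->getName()).'"');` while this block is being touched. Style point: the retained line uses `Header (` with a space while the new lines use lowercase `header(`; unify the spelling in this block.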

-----------------------------------------------------------------------

Summary of changes:
 src/www/tracker/download.php |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
FusionForge


