Should use secure mimetypes instead of generic ones for download routes #347
Comments
Or an alternative is to add a check that the item in question is in fact an image/* mimetype, and also add a check to verify that SVG support is enabled. That said, here one needs to ensure that there is no potential race condition vector :) (User adds file as image, user requests file and the check succeeds since the mimetype is an image, user modifies the file to a JS file, JS file is served)
Should be a quick fix as there is already a method which gives me the list of supported media types: AFAIK, there would be only one extra step required, which is to change the type for SVGs. Sounds like a plan?
👍
It's more complicated than I initially thought, because we still need to show the downloaded SVG in the browser for the slideshow, for example. It's not just to store it away.
I'd do the following: if SVG support is enabled, use SVG as the mimetype; it was anyway advertised as potentially insecure. For everything else use the secure mimetype.
Yeah, I'll try that. I was successful in using base64, but it doesn't work for the slideshow on the Files side:
Native SVG support can only be determined by parsing the config every time a download/preview is requested, so I'll just add an extra parameter to the
I'll also restrict the type of files which can be served from the endpoints. It will be limited to the media types Gallery supports.
|
See owncloud/core#10938 for reasoning.
This should use a secure mimetype alternative instead of application/javascript, such as via \OC::$server->getMimeTypeDetector()->getSecureMimeType().
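The secure-mimetype choice from the issue text together with the check-then-serve race and the "SVG only when enabled" rule from the comments, as an added illustration that is not ownCloud's or the Gallery app's own code: the Content-Type is derived from the bytes that are actually sent, so a file swapped after an earlier check cannot ride on that check's verdict. The supported-type set, the secure-type table and the sniffing rules are assumed stand-ins, not ownCloud's real tables or getSecureMimeType().

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Media types the download endpoint will serve at all (assumed list).
SUPPORTED_MEDIA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}

# Browser-active types mapped to an inert one; a stand-in for the
# getSecureMimeType() idea, not ownCloud's actual mapping.
SECURE_MIMETYPES = {
    "image/svg+xml": "text/plain",
    "text/html": "text/plain",
    "application/xhtml+xml": "text/plain",
    "application/javascript": "text/plain",
}

def secure_mimetype(mime: str) -> str:
    """Return the inert alternative for a browser-executable type."""
    return SECURE_MIMETYPES.get(mime, mime)

def sniff_mimetype(data: bytes) -> Optional[str]:
    """Detect the type from the bytes about to be sent, not a stored record."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head):
        return "image/svg+xml"
    return None  # anything else (scripts, HTML, unknown) is not an image

@dataclass
class Response:
    status: int
    content_type: Optional[str]
    body: bytes
    headers: Dict[str, str] = field(default_factory=dict)

def serve_download(data: bytes, svg_enabled: bool) -> Response:
    """Decide the Content-Type from `data` itself, then send exactly those bytes."""
    detected = sniff_mimetype(data)
    if detected not in SUPPORTED_MEDIA_TYPES:
        return Response(415, None, b"")          # not a media type Gallery serves
    if detected == "image/svg+xml" and svg_enabled:
        content_type = detected                   # native SVG, opted in by config
    else:
        content_type = secure_mimetype(detected)  # inert type for everything else
    # nosniff stops the browser from second-guessing the inert type we chose.
    return Response(200, content_type, data, {"X-Content-Type-Options": "nosniff"})
```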