Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-02 03:55:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #10845, disallow inline viewing of uploaded html files

Browse Source
This commit is contained in:
Julian Lam
2022-08-17 21:48:02 -04:00
parent ba7a3466b2
commit 4dc7fa050f
2 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/middleware/index.js
View File

@@ -214,12 +214,13 @@ middleware.buildSkinAsset = helpers.try(async (req, res, next) => {
res.status(200).type('text/css').send(css); res.status(200).type('text/css').send(css);
}); });
middleware.trimUploadTimestamps = function trimUploadTimestamps(req, res, next) { middleware.addUploadHeaders = function addUploadHeaders(req, res, next) {
// Check match // Trim uploaded files' timestamps when downloading + force download if html
let basename = path.basename(req.path); let basename = path.basename(req.path);
const extname = path.extname(req.path);
if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) { if (req.path.startsWith('/uploads/files/') && middleware.regexes.timestampedUpload.test(basename)) {
basename = basename.slice(14); basename = basename.slice(14);
res.header('Content-Disposition', `inline; filename="${basename}"`); res.header('Content-Disposition', `${extname.startsWith('.htm') ? 'attachment' : 'inline'}; filename="${basename}"`);
} }
next(); next();

2
src/routes/index.js
View File

@@ -182,7 +182,7 @@ function addCoreRoutes(app, router, middleware, mounts) {
} }
statics.forEach((obj) => { statics.forEach((obj) => {
app.use(relativePath + obj.route, middleware.trimUploadTimestamps, express.static(obj.path, staticOptions)); app.use(relativePath + obj.route, middleware.addUploadHeaders, express.static(obj.path, staticOptions));
}); });
app.use(`${relativePath}/uploads`, (req, res) => { app.use(`${relativePath}/uploads`, (req, res) => {
res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`); res.redirect(`${relativePath}/assets/uploads${req.path}?${meta.config['cache-buster']}`);