This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".
The branch, Branch_5_1 has been updated
via 46457e98aba26896b26e30d734ba720984074091 (commit)
from df97e563496f56ee8a9fa296ce43690c50de9228 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 46457e98aba26896b26e30d734ba720984074091
Author: Thorsten Glaser <[email protected]>
Date: Tue Jun 3 14:10:11 2014 +0200
plug XSS-with-CSP-bypass by always serving files as binary
instead of using the content-type the browser gave us during the upload
diff --git a/src/www/tracker/download.php b/src/www/tracker/download.php
index 31b722e..1768edc 100644
--- a/src/www/tracker/download.php
+++ b/src/www/tracker/download.php
@@ -59,7 +59,9 @@ if (!$ah || !is_object($ah)) {
exit_error($afh->getErrorMessage(),'tracker');
} else {
Header ('Content-disposition: filename="'.str_replace('"', '',
$afh->getName()).'"');
- Header ("Content-type: ".$afh->getType());
+ /* SECURITY: do not serve as $afh->getType() but
application/octet-stream */
+ header('X-Content-Type-Options: nosniff');
+ header('Content-Type: application/octet-stream');
echo $afh->getData();
}
}
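Review bot: the Content-disposition header two lines above the change (`Header ('Content-disposition: filename="'...`) carries no disposition type, so the response never explicitly tells the browser to treat the body as a download; most browsers download an application/octet-stream body anyway, but since the point of this commit is to keep uploaded content from ever rendering in the tracker's origin, sending `Content-Disposition: attachment; filename="..."` together with the new `X-Content-Type-Options: nosniff` and `Content-Type: application/octet-stream` headers would make that intent explicit and standards-backed. Minor style point: the adjacent `Header (` and `header(` spellings should be unified to lowercase `header(`.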
-----------------------------------------------------------------------
Summary of changes:
src/www/tracker/download.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
FusionForge
_______________________________________________
Fusionforge-commits mailing list
[email protected]
http://lists.fusionforge.org/cgi-bin/mailman/listinfo/fusionforge-commits