Merge pull request from GHSA-rc8c-v7rq-q392
Stored XSS in upload files
PierreRambaud committed Sep 24, 2020
2 parents 562a231 + 224d16f commit 2cfcd33
Showing 2 changed files with 10 additions and 0 deletions.
5 changes: 5 additions & 0 deletions classes/Tools.php
Expand Up @@ -2646,6 +2646,11 @@ public static function generateHtaccess($path = null, $rewrite_settings = null,
<FilesMatch \"\.(ttf|ttc|otf|eot|woff|woff2|svg)$\">
Header set Access-Control-Allow-Origin \"*\"
</FilesMatch>
<FilesMatch \"\.pdf$\">
Header set Content-Disposition \"Attachment\"
Header set X-Content-Type-Options \"nosniff\"
</FilesMatch>
</IfModule>\n\n");
fwrite($write_fd, "<Files composer.lock>
# Apache 2.2
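Review bot: the new `<FilesMatch \"\.pdf$\">` rule is case-sensitive, so a file stored with an upper-case extension such as `report.PDF` would be served without the `Content-Disposition` and `X-Content-Type-Options` headers; consider `<FilesMatch \"(?i)\.pdf$\">` so the match covers the extension regardless of case. Two points for the PR description: this hunk only changes what `generateHtaccess()` writes, so installs that already have a generated `.htaccess` need it regenerated before the headers take effect; and the `svg` pattern in the block directly above is still served inline with `Access-Control-Allow-Origin \"*\"` while only `.pdf` is forced to attachment here, which is worth confirming as intended.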
5 changes: 5 additions & 0 deletions upload/.htaccess
Expand Up @@ -5,3 +5,8 @@
<IfModule mod_php5.c>
php_flag engine off
</IfModule>

<IfModule mod_headers.c>
Header set Content-Disposition "Attachment"
Header set X-Content-Type-Options "nosniff"
</IfModule>
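Review bot: this block applies `Content-Disposition "Attachment"` and `X-Content-Type-Options "nosniff"` to every file under `upload/`, which is broader than the `.pdf`-only `FilesMatch` added to `generateHtaccess()` in `classes/Tools.php` in the same commit; if that difference is deliberate (nothing in the upload directory should ever render inline), a short comment above `<IfModule mod_headers.c>` saying so would stop a later edit from narrowing it to match the PHP template. Note also that the directives sit inside an `IfModule` guard, so on a host without `mod_headers` they are silently skipped and the protection is absent; the same caveat already applies to `php_flag engine off`, which is guarded by `mod_php5.c` only.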
