[jan] Fix XSS vulnerability in attachment download page (Reported by …

…Gh05tPT).
horde · Dec 17, 2019 · b5f2941 · b5f2941
1 parent ce08abf
commit b5f2941
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/doc/changelog.yml b/doc/changelog.yml
@@ -21,6 +21,7 @@
     identifier: GPL-2.0
     uri: http://www.horde.org/licenses/gpl
   notes: |
+    [jan] Fix XSS vulnerability in attachment download page (Reported by Gh05tPT).
     [mjr] Fix Array and string offset access syntax with curly braces (Remi Collet <remi@remirepo.net>, PR #1).
     [jan] Use .rst extension when exporting pages as ReST.
     [jan] Use correct MIME type when exporting pages as plain text or ReST.

diff --git a/lib/Application.php b/lib/Application.php
@@ -179,12 +179,13 @@ public function download(Horde_Variables $vars)
         }
 
         try {
-            $data = $wicked->getAttachmentContents($page_id, $vars->file, $version);
+            $data = $wicked->getAttachmentContents($page_id, basename($vars->file), (int)$version);
             $wicked->logAttachmentDownload($page_id, $vars->file);
         } catch (Wicked_Exception $e) {
             // If we redirect here, we cause an infinite loop with inline
             // attachments.
             header('HTTP/1.1 404 Not Found');
+            header('Content-Type: text/plain');
             echo $e->getMessage();
             exit;
         }