From b5f2941743bf9f6d59c66241ed99e2f647ebea90 Mon Sep 17 00:00:00 2001
From: Jan Schneider
Date: Tue, 17 Dec 2019 22:24:50 +0100
Subject: [PATCH] [jan] Fix XSS vulnerability in attachment download page (Reported by Gh05tPT).
---
 doc/changelog.yml | 1 +
 lib/Application.php | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/changelog.yml b/doc/changelog.yml
index 7aa0f2d..d14d608 100644
--- a/doc/changelog.yml
+++ b/doc/changelog.yml
@@ -21,6 +21,7 @@ identifier: GPL-2.0
 uri: http://www.horde.org/licenses/gpl
 notes: |
+ [jan] Fix XSS vulnerability in attachment download page (Reported by Gh05tPT).
 [mjr] Fix Array and string offset access syntax with curly braces (Remi Collet , PR #1).
 [jan] Use .rst extension when exporting pages as ReST.
 [jan] Use correct MIME type when exporting pages as plain text or ReST.
diff --git a/lib/Application.php b/lib/Application.php
index bd83a57..6a034b6 100644
--- a/lib/Application.php
+++ b/lib/Application.php
@@ -179,12 +179,13 @@ public function download(Horde_Variables $vars)
 }
 try {
- $data = $wicked->getAttachmentContents($page_id, $vars->file, $version);
+ $data = $wicked->getAttachmentContents($page_id, basename($vars->file), (int)$version);
 $wicked->logAttachmentDownload($page_id, $vars->file);
 } catch (Wicked_Exception $e) {
 // If we redirect here, we cause an infinite loop with inline
 // attachments.
 header('HTTP/1.1 404 Not Found');
+ header('Content-Type: text/plain');
 echo $e->getMessage();
 exit;
 }
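Review bot: The second call in the try block still hands the raw `$vars->file` to `logAttachmentDownload()`, while the fetch on the line above now uses `basename($vars->file)`, so the two can disagree and the download log may record a name that differs from the attachment actually served. Normalising once and reusing it keeps them consistent: `$file = basename($vars->file);`, `$data = $wicked->getAttachmentContents($page_id, $file, (int)$version);`, `$wicked->logAttachmentDownload($page_id, $file);`. The added `Content-Type: text/plain` header is what stops the echoed exception message from being rendered as HTML; since that message presumably still carries request-derived text, adding `header('X-Content-Type-Options: nosniff');` beside it prevents a content-sniffing client from reinterpreting the body, and declaring `text/plain; charset=utf-8` avoids leaving the charset to the client's fallback. The enclosing `download()` method starts and ends outside the hunk.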