Please sign in to comment.
security: HTML File Browser Execution (Windows: Firefox/IE)
This addresses an issue reported by Aishwarya Iyer where attached HTML files are executed in the browser instead of forcing download in Firefox and IE for Windows specifically. This is caused by an incorrect `Content-Disposition` set in the `AttachmentFile::download` function. Instead of attachments having a disposition of `attachment` (which forces download) they have a disposition of `inline` (which displays the file contents in the browser). This updates the download function to use whatever disposition is passed (for S3 plugin), if none it defaults to `attachment`. In addition, this overwrites the disposition and sets it to `attachment` after the `$bk->sendRedirectURL()` so that S3 attachments still work and the issue of an attacker passing their own disposition is mitigated.
- Loading branch information...