Skip to content
Browse files

security: HTML File Browser Execution (Windows: Firefox/IE)

This addresses an issue reported by Aishwarya Iyer where attached HTML files
are executed in the browser instead of forcing download in Firefox and IE
for Windows specifically. This is caused by an incorrect
`Content-Disposition` set in the `AttachmentFile::download` function.
Instead of attachments having a disposition of `attachment` (which forces
download) they have a disposition of `inline` (which displays the file
contents in the browser). This updates the download function to use whatever
disposition is passed (for S3 plugin), if none it defaults to `attachment`.
In addition, this overwrites the disposition and sets it to `attachment`
after the `$bk->sendRedirectURL()` so that S3 attachments still work and the
issue of an attacker passing their own disposition is mitigated.
  • Loading branch information...
JediKev committed Jul 23, 2019
1 parent 9e5a476 commit 33ed106b1602f559a660a69f931a9d873685d1ba
Showing with 4 additions and 2 deletions.
  1. +4 −2 include/class.file.php
@@ -240,14 +240,16 @@ static function _genUrlSignature($id, $key, $signature, $expires) {
function download($disposition=false, $expires=false) {
$disposition = $disposition ?: 'inline';
$disposition = ($disposition && strcasecmp($disposition, 'inline') == 0
&& strpos($this->getType(), 'image/') !== false)
? 'inline' : 'attachment';
$bk = $this->open();
if ($bk->sendRedirectUrl($disposition))
$ttl = ($expires) ? $expires - Misc::gmtime() : false;
$type = $this->getType() ?: 'application/octet-stream';
Http::download($this->getName(), $type, null, 'inline');
Http::download($this->getName(), $type, null, $disposition);
header('Content-Length: '.$this->getSize());

0 comments on commit 33ed106

Please sign in to comment.
You can’t perform that action at this time.