
Remove File Type Override

Remove file type overwrite previously used to force downloads. This
addresses potential XSS where an attacker could pass "image" resulting in
the file being displayed in line.
protich committed Jun 13, 2019
1 parent fac1c2d commit 539d343d7395c49ee1d87597fb9c92f5bde159de
Showing with 0 additions and 2 deletions.
  1. +0 −2 include/class.file.php
@@ -247,8 +247,6 @@ function download($disposition=false, $expires=false) {
$ttl = ($expires) ? $expires - Misc::gmtime() : false;
$this->makeCacheable($ttl);
$type = $this->getType() ?: 'application/octet-stream';
if (isset($_REQUEST['overridetype']))
$type = $_REQUEST['overridetype'];
Http::download($this->getName(), $type, null, 'inline');
header('Content-Length: '.$this->getSize());
$this->sendData(false);
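Review bot: The Http::download() call that stays in download() still passes a hard-coded 'inline' disposition, and the $disposition parameter from the function signature is not used anywhere in the visible lines, so removing the $_REQUEST['overridetype'] branch closes only the request-controlled path to an inline-rendered type. After this change $type comes solely from $this->getType(); how that value is set is not visible in this hunk, so if it can reflect what an uploader supplied, a stored type that browsers render would still be displayed inline. Consider passing $disposition through to Http::download() with 'attachment' as the default and permitting 'inline' only for an allowlist of types. A short comment above the $type assignment stating that the type must never be taken from the request would also help keep the override from being reintroduced.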
