From 420e7ec81fedf9ff531c75ece4c80a9b63046ba9 Mon Sep 17 00:00:00 2001 From: Josh Qou <97894002+joshqou@users.noreply.github.com> Date: Thu, 15 Jun 2023 12:28:34 +0100 Subject: [PATCH] Fix unsafe hotserving behaviour for multimedia uploads. (#3113) Return multimedia with a disposition type of attachment instead of inline. NVT#1548992 Signed-off-by: Josh Qou [jqou@icloud.com](mailto:jqou@icloud.com) Co-authored-by: Jon --- mediaapi/routing/download.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go index e9f161a3..8fb1b653 100644 --- a/mediaapi/routing/download.go +++ b/mediaapi/routing/download.go @@ -341,6 +341,7 @@ func (r *downloadRequest) addDownloadFilenameToHeaders( } if len(filename) == 0 { + w.Header().Set("Content-Disposition", "attachment") return nil } @@ -376,13 +377,13 @@ func (r *downloadRequest) addDownloadFilenameToHeaders( // that would otherwise be parsed as a control character in the // Content-Disposition header w.Header().Set("Content-Disposition", fmt.Sprintf( - `inline; filename=%s%s%s`, + `attachment; filename=%s%s%s`, quote, unescaped, quote, )) } else { // For UTF-8 filenames, we quote always, as that's the standard w.Header().Set("Content-Disposition", fmt.Sprintf( - `inline; filename*=utf-8''%s`, + `attachment; filename*=utf-8''%s`, url.QueryEscape(unescaped), )) }