    Stopping SWF files XSS exploitation (Bug #1190788) · 91f15848
    Robert Lyon authored
    By doing two things:
    
    1) Getting the embedded SWF object to set the
     allowscriptaccess = "never" and allownetworking = "never"
    
    2) By forcing a 'download file' link to actually download the file
    - this goes for all files now that don't have embedded=1
    in their URL.
    
    I've done it this way, having the embedded item carry an extra URL param,
    so that if a user tries to manipulate a URL by removing params it
    will default to forced download.
    
    I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2
    
    
    and I've also cleaned up places where download=1 was used, as that is
    not needed now. Now, if there are places where we need to embed rather
    than download, we add embedded=1 to the URL.
    
    Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
    Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
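The two-part mechanism the commit message describes, as an added example in PHP that is not Mahara's own code: a header-selection function that forces a download unless the request carries embedded=1 (so a URL with the parameter stripped falls back to the safe path), and a helper that emits the SWF object with scripting and networking disabled. The function names, the request array, the `download.php?file=` URL shape and the sample filename are assumptions made for the example. Adobe documents allowNetworking's accepted values as all, internal and none, so the example uses none where the message says "never".

```php
<?php
// Added example, not Mahara's code. Assumed: request parameters arrive as an
// array, and the file is served from a download.php?file=N style URL.

declare(strict_types=1);

/**
 * Pick the response headers for a served file. Anything without embedded=1
 * in the query is forced to download (Content-Disposition: attachment); a
 * manipulated URL with the parameter removed therefore gets the download.
 */
function file_response_headers(array $query, string $filename, string $mimetype): array
{
    $embedded = isset($query['embedded']) && $query['embedded'] === '1';
    // The filename lands inside a quoted-string; strip quotes and CR/LF so a
    // crafted name cannot break out of the header value.
    $safe = str_replace(['"', "\r", "\n"], '', $filename);
    $disposition = $embedded ? 'inline' : 'attachment';
    return [
        'Content-Type: ' . $mimetype,
        'Content-Disposition: ' . $disposition . '; filename="' . $safe . '"',
    ];
}

/**
 * Build the SWF embed markup with scripting and networking switched off.
 * allowScriptAccess=never keeps the movie away from the page's JavaScript
 * (ExternalInterface, javascript: URLs), so an uploaded SWF cannot run
 * script in the site's origin. allowNetworking=none disables its network APIs.
 * The values are set both as <param> elements and as <embed> attributes so
 * either markup path the browser takes sees them.
 */
function swf_embed_html(string $url, int $width, int $height): string
{
    // The embedded item must carry embedded=1; without it the download path wins.
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    $src = htmlspecialchars($url . $sep . 'embedded=1', ENT_QUOTES, 'UTF-8');
    return '<object type="application/x-shockwave-flash" data="' . $src . '"'
        . ' width="' . $width . '" height="' . $height . '">'
        . '<param name="movie" value="' . $src . '">'
        . '<param name="allowscriptaccess" value="never">'
        . '<param name="allownetworking" value="none">'
        . '<embed src="' . $src . '" type="application/x-shockwave-flash"'
        . ' allowscriptaccess="never" allownetworking="none"'
        . ' width="' . $width . '" height="' . $height . '">'
        . '</object>';
}

// Constructed usage: the same file requested with and without embedded=1.
$url = '/artefact/file/download.php?file=42';
print_r(file_response_headers(['file' => '42'], 'movie.swf', 'application/x-shockwave-flash'));
print_r(file_response_headers(['file' => '42', 'embedded' => '1'], 'movie.swf', 'application/x-shockwave-flash'));
echo swf_embed_html($url, 400, 300), "\n";
```

The first call returns an attachment disposition and the second an inline one; only the embed markup built by `swf_embed_html()` ever adds embedded=1, so any link a user reaches directly, or any URL with that parameter removed, downloads the file rather than rendering it in the site's origin.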