Commit 7b9b434b authored by Yuliya Bozhko, committed by Aaron Wells

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
  https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
  https://www.owasp.org/index.php/List_of_useful_HTTP_headers
The solution is to add it to the file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>
(cherry picked from commit 96b117e5)
parent 539d323f
...@@ -89,6 +89,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) { ...@@ -89,6 +89,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
else { else {
header('Content-Disposition: inline; filename="' . $filename . '"'); header('Content-Disposition: inline; filename="' . $filename . '"');
} }
header('X-Content-Type-Options: nosniff');
if ($options['lifetime'] > 0 && !get_config('nocache')) { if ($options['lifetime'] > 0 && !get_config('nocache')) {
header('Cache-Control: max-age=' . $options['lifetime']); header('Cache-Control: max-age=' . $options['lifetime']);
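Review bot: the `header('X-Content-Type-Options: nosniff');` line sits after the if/else that chooses between attachment and inline Content-Disposition, so it applies to the inline branch as well, not only to forced downloads as the commit message states; that is the right placement, since inline serving is where a browser sniffing an uploaded file into HTML matters most, but the commit message should be updated to say the header is set for every response from serve_file(). Also, nosniff only has effect when the response actually carries a Content-Type header; the hunk does not show where $mimetype is emitted, so confirm that serve_file() always sends a Content-Type before this point on every path, including error and cached responses.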