Commit 890b2bf5 authored by Yuliya Bozhko, committed by Aaron Wells

Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See
  https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
  https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced
download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko <yuliya.bozhko@totaralms.com>
Signed-off-by: Aaron Wells <aaronw@catalyst.net.nz>
(cherry picked from commit 96b117e5)
parent 85c334d8
......@@ -89,6 +89,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
else {
header('Content-Disposition: inline; filename="' . $filename . '"');
}
header('X-Content-Type-Options: nosniff');
if ($options['lifetime'] > 0 && !get_config('nocache')) {
header('Cache-Control: max-age=' . $options['lifetime']);
......
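Review bot: The added `header('X-Content-Type-Options: nosniff');` line, placed after the Content-Disposition if/else, has no comment explaining its purpose, and it is sent on the `inline` branch as well as the download branch, while the commit message mentions only forced downloads. A one-line comment above it stating that it stops the browser from MIME-sniffing served files, and that applying it to both dispositions is intentional, would make this clear to later maintainers. Since nosniff makes the browser rely on the declared type, it is also worth confirming that serve_file() always sends a Content-Type header built from `$mimetype`; that part of the function is not visible in this hunk.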