From 96b117e5e37cc4a9f630902c51f1dfeaa45f8a9a Mon Sep 17 00:00:00 2001
From: Yuliya Bozhko
Date: Thu, 4 Jun 2015 08:24:53 +0100
Subject: [PATCH] Use nosniff header to prevent potential XSS via untrusted files in IE

Bug 1470281

See https://msdn.microsoft.com/en-us/library/gg622941(v=vs.85).aspx
https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Solution is to add it to file serving code in places where we do forced download of files.

Change-Id: Ic46d02f65d9ed1cb57fb50e8fab2cbc9f62428a1
Signed-off-by: Yuliya Bozhko
Signed-off-by: Aaron Wells
---
 htdocs/lib/file.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/htdocs/lib/file.php b/htdocs/lib/file.php
index 2fbee57033..d6cd577f29 100644
--- a/htdocs/lib/file.php
+++ b/htdocs/lib/file.php
@@ -89,6 +89,7 @@ function serve_file($path, $filename, $mimetype, $options=array()) {
     else {
         header('Content-Disposition: inline; filename="' . $filename . '"');
     }
+    header('X-Content-Type-Options: nosniff');
     if ($options['lifetime'] > 0 && !get_config('nocache')) {
         header('Cache-Control: max-age=' . $options['lifetime']);
--
GitLab
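Review bot: The added `header('X-Content-Type-Options: nosniff');` only stops the browser from sniffing the body into a type other than the declared `$mimetype`; in the inline branch directly above it, an untrusted upload whose declared type is itself active content (HTML, SVG, XML) is still rendered in the site's origin, so the XSS protection named in the title holds only for files sent with a non-active type or through the attachment branch. The new line deserves a why-comment so the next maintainer does not drop it as redundant, e.g. `// Stop IE/Chrome from MIME-sniffing the body into a type other than the declared one (Bug 1470281)`, and it is worth confirming in the rest of serve_file that inline delivery of user-supplied files is restricted to non-active types, which I cannot see from this hunk. The neighbouring `Content-Disposition` lines embed `$filename` inside double quotes without escaping, so a name containing `"` would malform the header value; that predates this change but sits on the same code path. serve_file starts and ends outside the hunk, and the hunk header's counts (6 old, 7 new lines) suggest one trailing context line was lost in rendering.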