Fixes #2338

2025-10-21 11:48:53 +00:00 · 2019-07-16 19:21:58 +02:00
parent a70b7cc7b9
commit 531161db09
2 changed files with 24 additions and 6 deletions
--- a/app/Http/Controllers/AttachmentController.php
+++ b/app/Http/Controllers/AttachmentController.php
@@ -78,7 +78,7 @@ class AttachmentController extends Controller
    /**
     * Destroy attachment.
     *
-     * @param Request    $request
+     * @param Request $request
     * @param Attachment $attachment
     *
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Routing\Redirector
@@ -131,7 +131,7 @@ class AttachmentController extends Controller
    /**
     * Edit an attachment.
     *
-     * @param Request    $request
+     * @param Request $request
     * @param Attachment $attachment
     *
     * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View
@@ -178,7 +178,7 @@ class AttachmentController extends Controller
     * Update attachment.
     *
     * @param AttachmentFormRequest $request
-     * @param Attachment            $attachment
+     * @param Attachment $attachment
     *
     * @return RedirectResponse
     */
@@ -211,13 +211,27 @@ class AttachmentController extends Controller
     * @return LaravelResponse
     * @throws FireflyException
     */
-    public function view(Attachment $attachment): LaravelResponse
+    public function view(Request $request, Attachment $attachment): LaravelResponse
    {
        if ($this->repository->exists($attachment)) {
            $content = $this->repository->getContent($attachment);

+            // prevent XSS by adding a new secure header.
+            $csp = [
+                "default-src 'none'",
+                "object-src 'none'",
+                "script-src 'none'",
+                "style-src 'none'",
+                "base-uri 'none'",
+                "font-src 'none'",
+                "connect-src 'none'",
+                "img-src 'none'",
+                "manifest-src 'none'",
+            ];
+
            return response()->make(
                $content, 200, [
+                            'Content-Security-Policy' => implode('; ', $csp),
                            'Content-Type'        => $attachment->mime,
                            'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"',
                        ]