	Fixes #2338
		| @@ -211,13 +211,27 @@ class AttachmentController extends Controller | ||||
|      * @return LaravelResponse | ||||
|      * @throws FireflyException | ||||
|      */ | ||||
|     public function view(Attachment $attachment): LaravelResponse | ||||
|     public function view(Request $request, Attachment $attachment): LaravelResponse | ||||
|     { | ||||
|         if ($this->repository->exists($attachment)) { | ||||
|             $content = $this->repository->getContent($attachment); | ||||
|  | ||||
|             // prevent XSS by adding a new secure header. | ||||
|             $csp = [ | ||||
|                 "default-src 'none'", | ||||
|                 "object-src 'none'", | ||||
|                 "script-src 'none'", | ||||
|                 "style-src 'none'", | ||||
|                 "base-uri 'none'", | ||||
|                 "font-src 'none'", | ||||
|                 "connect-src 'none'", | ||||
|                 "img-src 'none'", | ||||
|                 "manifest-src 'none'", | ||||
|             ]; | ||||
|  | ||||
|             return response()->make( | ||||
|                 $content, 200, [ | ||||
|                             'Content-Security-Policy' => implode('; ', $csp), | ||||
|                             'Content-Type'        => $attachment->mime, | ||||
|                             'Content-Disposition' => 'inline; filename="' . $attachment->filename . '"', | ||||
|                         ] | ||||
|   | ||||
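Review bot: The `$csp` array relies on `default-src 'none'` as the catch-all, but `form-action` and `frame-ancestors` do not fall back to `default-src`, so a document served from this branch can still submit forms to any origin and, where the middleware's frame header is disabled, be framed; this matters because the `Content-Type` sent here is `$attachment->mime`, which appears to be the value stored with the attachment rather than anything derived from the bytes, so an HTML-typed upload is still rendered as a document. Add `"form-action 'none'",` and `"frame-ancestors 'none'",` to the array, and consider a bare `"sandbox",` entry, which disables scripts, forms and plugins regardless of which fetch directives are listed. Separately, the `Content-Disposition` value is built by concatenating `$attachment->filename` inside double quotes without escaping `"` or `\`, so a stored filename containing a quote yields a malformed header; Symfony's `HeaderUtils::makeDisposition('inline', $attachment->filename, $asciiFallback)` does the quoting and the non-ASCII fallback, if the framework version in use ships it. The body of `view` continues past the end of the hunk, so whether the newly added `$request` parameter is used there cannot be seen.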
| @@ -85,7 +85,11 @@ class SecureHeaders | ||||
|         if (false === $disableFrameHeader || null === $disableFrameHeader) { | ||||
|             $response->header('X-Frame-Options', 'deny'); | ||||
|         } | ||||
|  | ||||
|         // content security policy may be set elsewhere. | ||||
|         if (!$response->headers->has('Content-Security-Policy')) { | ||||
|             $response->header('Content-Security-Policy', implode('; ', $csp)); | ||||
|         } | ||||
|         $response->header('X-XSS-Protection', '1; mode=block'); | ||||
|         $response->header('X-Content-Type-Options', 'nosniff'); | ||||
|         $response->header('Referrer-Policy', 'no-referrer'); | ||||
|   | ||||
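Review bot: The new `has('Content-Security-Policy')` guard makes any header set by a controller replace the global policy outright, so a route that later sets a looser CSP silently drops the baseline built into `$csp` (the array itself is assembled above the hunk and is not visible here). Browsers enforce every Content-Security-Policy header a response carries, so the baseline can be kept unconditionally by appending instead of skipping: drop the `if` and write `$response->header('Content-Security-Policy', implode('; ', $csp), false);`, assuming `header()` passes its third argument through as Symfony's `HeaderBag::set(..., $replace)` does — the attachment view's all-`'none'` policy is then enforced alongside it rather than instead of it. If the replace semantics are intentional, the comment should say so, e.g. `// A controller may set its own CSP (e.g. inline attachment views); it replaces the policy built above, so it must be at least as restrictive.`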