r1292: Prevent XSS attacks by only allowing JPEG, JPG, PNG, and GIF to be displayed...
authorRobert Sesek <rsesek@bluestatic.org>
Sun, 19 Nov 2006 09:03:58 +0000 (09:03 +0000)
committerRobert Sesek <rsesek@bluestatic.org>
Sun, 19 Nov 2006 09:03:58 +0000 (09:03 +0000)
docs/changes.txt
viewattachment.php

index 8a7bb124152a74df6848cd2ee2bc1ec0e13788b0..43755e1522e7ce983965108eea52e36d3d6612c8 100644 (file)
@@ -17,6 +17,7 @@
 - Fixed a spelling error in search.php when there is no search criteria
 - Adding a quick search feature to the header bar (http://www.bluestatic.org/bugs/showreport.php?bugid=57)
 - Fixed an occurence in header.tpl where the $stylevar align wasn't used, but a hard-coded one was
+- Only allow JPG, JPEG, PNG, and GIF attachments to be displayed inline because all other types could lead to an XSS attack
 
 1.1.3
 ===============================
index 2d8fc0feb3fdec98cee04fc8dc4536e648cf6977..e7c1cbd775ee60a758ce4838b543a0f2dde30a85 100755 (executable)
@@ -46,8 +46,9 @@ if (!can_perform('cangetattach', $bug['product']))
 
 ob_clean();
 ob_end_clean();
-       
-if ($funct->fetch_extension($attachment['filename']) != 'txt')
+
+// only allow certain images to be displayed inline because all other types are a potential XSS issue waiting to happen
+if (in_array(strtolower($funct->fetch_extension($attachment['filename'])), array('jpg', 'jpeg', 'png', 'gif')))
 {
        header("Content-Disposition: inline; filename=$attachment[filename]");
        header("Content-transfer-encoding: binary");
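Review bot: The allowlist on the new `if` line only inspects the filename extension, so a stored attachment named `*.gif` whose body is HTML still reaches the inline branch and a content-sniffing browser can render it as a page; the check should also confirm the bytes are an image (e.g. `getimagesize()` on the stored file, or a magic-byte check) and the inline branch should send the image Content-Type together with `header('X-Content-Type-Options: nosniff');`. Separately, `$attachment[filename]` is interpolated into the Content-Disposition header unquoted and unescaped, so a filename containing `"`, `;` or CR/LF can alter the header; quote it and strip those characters: `header('Content-Disposition: inline; filename="' . str_replace(array("\r", "\n", '"'), '', $attachment['filename']) . '"');`. The body of this `if` and its else branch continue outside the hunk, so the non-inline path has not been reviewed here.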