From 8e3958cf568555574782b14724138dda249d4b2f Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Sun, 19 Nov 2006 09:03:58 +0000 Subject: [PATCH] r1292: Prevent XSS attacks by only allowing JPEG, JPG, PNG, and GIF to be displayed as Content-Type:inline as everything else can be used to execute scripts and such, which would be bad --- docs/changes.txt | 1 + viewattachment.php | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/changes.txt b/docs/changes.txt index 8a7bb12..43755e1 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -17,6 +17,7 @@ - Fixed a spelling error in search.php when there is no search criteria - Adding a quick search feature to the header bar (http://www.bluestatic.org/bugs/showreport.php?bugid=57) - Fixed an occurence in header.tpl where the $stylevar align wasn't used, but a hard-coded one was +- Only allow JPG, JPEG, PNG, and GIF attachments to be displayed inline because all other types could lead to an XSS attack 1.1.3 =============================== diff --git a/viewattachment.php b/viewattachment.php index 2d8fc0f..e7c1cbd 100755 --- a/viewattachment.php +++ b/viewattachment.php @@ -46,8 +46,9 @@ if (!can_perform('cangetattach', $bug['product'])) ob_clean(); ob_end_clean(); - -if ($funct->fetch_extension($attachment['filename']) != 'txt') + +// only allow certain images to be displayed inline because all other types are a potential XSS issue waiting to happen +if (in_array(strtolower($funct->fetch_extension($attachment['filename'])), array('jpg', 'jpeg', 'png', 'gif'))) { header("Content-Disposition: inline; filename=$attachment[filename]"); header("Content-transfer-encoding: binary"); -- 2.22.5