Added safe mime sniffing to prevent serving HTML
(Amoung other content types) For #3027
This commit is contained in:
parent
5c834f24a6
commit
ae155d6745
3 changed files with 106 additions and 6 deletions
|
@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers;
|
|||
use BookStack\Facades\Activity;
|
||||
use BookStack\Interfaces\Loggable;
|
||||
use BookStack\Model;
|
||||
use BookStack\Util\WebSafeMimeSniffer;
|
||||
use finfo;
|
||||
use Illuminate\Foundation\Bus\DispatchesJobs;
|
||||
use Illuminate\Foundation\Validation\ValidatesRequests;
|
||||
|
@ -117,8 +118,9 @@ abstract class Controller extends BaseController
|
|||
protected function downloadResponse(string $content, string $fileName): Response
|
||||
{
|
||||
return response()->make($content, 200, [
|
||||
'Content-Type' => 'application/octet-stream',
|
||||
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
|
||||
'Content-Type' => 'application/octet-stream',
|
||||
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
|
||||
'X-Content-Type-Options' => 'nosniff',
|
||||
]);
|
||||
}
|
||||
|
||||
|
@ -128,12 +130,13 @@ abstract class Controller extends BaseController
|
|||
*/
|
||||
protected function inlineDownloadResponse(string $content, string $fileName): Response
|
||||
{
|
||||
$finfo = new finfo(FILEINFO_MIME_TYPE);
|
||||
$mime = $finfo->buffer($content) ?: 'application/octet-stream';
|
||||
|
||||
$mime = (new WebSafeMimeSniffer)->sniff($content);
|
||||
|
||||
return response()->make($content, 200, [
|
||||
'Content-Type' => $mime,
|
||||
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
|
||||
'Content-Type' => $mime,
|
||||
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
|
||||
'X-Content-Type-Options' => 'nosniff',
|
||||
]);
|
||||
}
|
||||
|
||||
|
|
65
app/Util/WebSafeMimeSniffer.php
Normal file
65
app/Util/WebSafeMimeSniffer.php
Normal file
|
@ -0,0 +1,65 @@
|
|||
<?php
|
||||
|
||||
namespace BookStack\Util;
|
||||
|
||||
use finfo;
|
||||
|
||||
/**
|
||||
* Helper class to sniff out the mime-type of content resulting in
|
||||
* a mime-type that's relatively safe to serve to a browser.
|
||||
*/
|
||||
class WebSafeMimeSniffer
|
||||
{
|
||||
|
||||
/**
|
||||
* @var string[]
|
||||
*/
|
||||
protected $safeMimes = [
|
||||
'application/json',
|
||||
'application/octet-stream',
|
||||
'application/pdf',
|
||||
'image/bmp',
|
||||
'image/jpeg',
|
||||
'image/png',
|
||||
'image/gif',
|
||||
'image/webp',
|
||||
'image/avif',
|
||||
'image/heic',
|
||||
'text/css',
|
||||
'text/csv',
|
||||
'text/javascript',
|
||||
'text/json',
|
||||
'text/plain',
|
||||
'video/x-msvideo',
|
||||
'video/mp4',
|
||||
'video/mpeg',
|
||||
'video/ogg',
|
||||
'video/webm',
|
||||
'video/vp9',
|
||||
'video/h264',
|
||||
'video/av1',
|
||||
];
|
||||
|
||||
/**
|
||||
* Sniff the mime-type from the given file content while running the result
|
||||
* through an allow-list to ensure a web-safe result.
|
||||
* Takes the content as a reference since the value may be quite large.
|
||||
*/
|
||||
public function sniff(string &$content): string
|
||||
{
|
||||
$fInfo = new finfo(FILEINFO_MIME_TYPE);
|
||||
$mime = $fInfo->buffer($content) ?: 'application/octet-stream';
|
||||
|
||||
if (in_array($mime, $this->safeMimes)) {
|
||||
return $mime;
|
||||
}
|
||||
|
||||
[$category] = explode('/', $mime, 2);
|
||||
if ($category === 'text') {
|
||||
return 'text/plain';
|
||||
}
|
||||
|
||||
return 'application/octet-stream';
|
||||
}
|
||||
|
||||
}
|
|
@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
|
|||
use BookStack\Uploads\AttachmentService;
|
||||
use Illuminate\Http\UploadedFile;
|
||||
use Tests\TestCase;
|
||||
use Tests\TestResponse;
|
||||
|
||||
class AttachmentTest extends TestCase
|
||||
{
|
||||
|
@ -44,6 +45,20 @@ class AttachmentTest extends TestCase
|
|||
return Attachment::query()->latest()->first();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new upload attachment from the given data.
|
||||
*/
|
||||
protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
|
||||
{
|
||||
$file = tmpfile();
|
||||
$filePath = stream_get_meta_data($file)['uri'];
|
||||
file_put_contents($filePath, $content);
|
||||
$upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
|
||||
|
||||
$this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
|
||||
return $page->attachments()->latest()->firstOrFail();
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete all uploaded files.
|
||||
* To assist with cleanup.
|
||||
|
@ -305,7 +320,24 @@ class AttachmentTest extends TestCase
|
|||
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
|
||||
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
|
||||
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
|
||||
$attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');
|
||||
|
||||
$this->deleteUploads();
|
||||
}
|
||||
|
||||
public function test_html_file_access_with_open_forces_plain_content_type()
|
||||
{
|
||||
$page = Page::query()->first();
|
||||
$this->asAdmin();
|
||||
|
||||
$attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
|
||||
|
||||
$attachmentGet = $this->get($attachment->getUrl(true));
|
||||
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
|
||||
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
|
||||
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
|
||||
|
||||
$this->deleteUploads();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue