Use secure mimetype for content delivery

Adds some hardening against potential CSP bypassed.

diff --git a/apps/files/download.php b/apps/files/download.php
index 6b055e99a537dfea6f3b89b946c075f6c112f4c2..664a69c5959dc5638c6060795956ee624e93dfe8 100644 (file)
--- a/apps/files/download.php
+++ b/apps/files/download.php
@@ -34,7 +34,7 @@ if(!\OC\Files\Filesystem::file_exists($filename)) {
        exit;
 }
 
-$ftype=\OC\Files\Filesystem::getMimeType( $filename );
+$ftype=\OC_Helper::getSecureMimeType(\OC\Files\Filesystem::getMimeType( $filename ));
 
 header('Content-Type:'.$ftype);
 OCP\Response::setContentDispositionHeader(basename($filename), 'attachment');

diff --git a/lib/private/files.php b/lib/private/files.php
index 739dae6418005f0fbd127cda4515da70cac91b5b..06fc2dc910917d0210bdd86c11944d74eb289cad 100644 (file)
--- a/lib/private/files.php
+++ b/lib/private/files.php
@@ -49,7 +49,7 @@ class OC_Files {
                        header('Content-Type: application/zip');
                } else {
                        $filesize = \OC\Files\Filesystem::filesize($filename);
-                       header('Content-Type: '.\OC\Files\Filesystem::getMimeType($filename));
+                       header('Content-Type: '.\OC_Helper::getSecureMimeType(\OC\Files\Filesystem::getMimeType($filename)));
                        if ($filesize > -1) {
                                header("Content-Length: ".$filesize);
                        }