Serve all files with a Content-Disposition of 'attachment' via WebDAV
authorLukas Reschke <lukas@owncloud.com>
Wed, 25 Feb 2015 10:45:44 +0000 (11:45 +0100)
committerLukas Reschke <lukas@owncloud.com>
Thu, 26 Mar 2015 19:01:05 +0000 (20:01 +0100)
As an additional security hardening measure, it's sensible to serve these files with a Content-Disposition of 'attachment'. Currently they are served 'inline' and get a "secure mimetype" assigned in the case of potentially dangerous files.

To test this change ensure that:

- [ ] Syncing with the Desktop client still works
- [ ] Syncing with the Android client still works
- [ ] Syncing with the iOS client still works

I verified that the 1.8 OS X and iOS client still work with this change.

lib/private/connector/sabre/filesplugin.php

index acd0eb6014ca0bfced0d9447a5930666677bc7c1..1dbab7cbe318e646d59892be16864fb7bd2474dc 100644 (file)
@@ -24,6 +24,7 @@
 
 namespace OC\Connector\Sabre;
 
+use Sabre\DAV\IFile;
 use \Sabre\DAV\PropFind;
 use \Sabre\DAV\PropPatch;
 use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
         */
        private $tree;
 
+       /**
+        * @param \Sabre\DAV\Tree $tree
+        */
        public function __construct(\Sabre\DAV\Tree $tree) {
                $this->tree = $tree;
        }
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
                $this->server->on('propPatch', array($this, 'handleUpdateProperties'));
                $this->server->on('afterBind', array($this, 'sendFileIdHeader'));
                $this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
+               $this->server->on('afterMethod:GET', [$this,'httpGet']);
+       }
+
+       /**
+        * Plugin that adds a 'Content-Disposition: attachment' header to all files
+        * delivered by SabreDAV.
+        * @param RequestInterface $request
+        * @param ResponseInterface $response
+        */
+       function httpGet(RequestInterface $request, ResponseInterface $response) {
+               // Only handle valid files
+               $node = $this->tree->getNodeForPath($request->getPath(), 0);
+               if (!($node instanceof IFile)) return;
+
+               $response->addHeader('Content-Disposition', 'attachment');
        }
 
        /**
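Review bot: `$response->addHeader('Content-Disposition', 'attachment');` in `httpGet` appends a value rather than replacing one, so if an earlier handler has already set Content-Disposition (the commit message says files are currently served 'inline'), the response would carry both values and the browser's choice between them is not guaranteed. Because this header is the hardening itself, `$response->setHeader('Content-Disposition', 'attachment');` makes the result deterministic. Two smaller points on the same method: it is declared without a visibility keyword, where `public function httpGet(...)` would match the constructor above, and the second argument `0` to `getNodeForPath()` does not appear to be part of Sabre's Tree API, so confirm it and drop it if unused. The `use` line for `ResponseInterface` is not visible in these hunks, so check that it is imported elsewhere in the file.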