From 55fd0082aa27a4d3d9dc7194fcef150779c559f7 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 25 Feb 2015 11:45:44 +0100
Subject: [PATCH] Serve all files with a Content-Disposition of 'attachment' via WebDAV
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

As an additional security hardening it's sensible to serve these files with a Content-Disposition of 'attachment'. Currently they are served 'inline' and get a "secure mimetype" assigned in case of potential dangerous files. To test this change ensure that:
- [ ] Syncing with the Desktop client still works
- [ ] Syncing with the Android client still works
- [ ] Syncing with the iOS client still works
I verified that the 1.8 OS X and iOS client still work with this change.
---
 lib/private/connector/sabre/filesplugin.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/lib/private/connector/sabre/filesplugin.php b/lib/private/connector/sabre/filesplugin.php
index acd0eb6014c..1dbab7cbe31 100644
--- a/lib/private/connector/sabre/filesplugin.php
+++ b/lib/private/connector/sabre/filesplugin.php
@@ -24,6 +24,7 @@ namespace OC\Connector\Sabre;
+use Sabre\DAV\IFile;
 use \Sabre\DAV\PropFind;
 use \Sabre\DAV\PropPatch;
 use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 */
 private $tree;
+ /**
+ * @param \Sabre\DAV\Tree $tree
+ */
 public function __construct(\Sabre\DAV\Tree $tree) {
 $this->tree = $tree;
 }
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 $this->server->on('propPatch', array($this, 'handleUpdateProperties'));
 $this->server->on('afterBind', array($this, 'sendFileIdHeader'));
 $this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
+ $this->server->on('afterMethod:GET', [$this,'httpGet']);
+ }
+
+ /**
+ * Plugin that adds a 'Content-Disposition: attachment' header to all files
+ * delivered by SabreDAV.
+ * @param RequestInterface $request
+ * @param ResponseInterface $response
+ */
+ function httpGet(RequestInterface $request, ResponseInterface $response) {
+ // Only handle valid files
+ $node = $this->tree->getNodeForPath($request->getPath(), 0);
+ if (!($node instanceof IFile)) return;
+
+ $response->addHeader('Content-Disposition', 'attachment');
 }
 /**
-- 
2.39.5
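Review bot: In `httpGet`, `addHeader` appends a value instead of replacing one, so if the node's GET handling or another plugin has already set `Content-Disposition` (for example `inline`), the response would carry two values and a client may not honour `attachment`, which would defeat the hardening; `$response->setHeader('Content-Disposition', 'attachment');` makes it the only value. The second argument in `getNodeForPath($request->getPath(), 0)` looks unused, since the Sabre tree lookup appears to take only a path, and could be dropped. The method is declared without a visibility keyword, and `public function httpGet(...)` would match `__construct` earlier in the class. Its docblock also says "Plugin that adds" although it documents an event handler, not the plugin. The `afterMethod:GET` registration sits in a method whose start is outside the hunk.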