
Serve all files with a Content-Disposition of 'attachment' via WebDAV

As an additional security hardening measure, it's sensible to serve these files with a Content-Disposition of 'attachment'. Currently they are served 'inline', and potentially dangerous files are assigned a "secure mimetype".

To test this change ensure that:

- [ ] Syncing with the Desktop client still works
- [ ] Syncing with the Android client still works
- [ ] Syncing with the iOS client still works

I verified that the 1.8 OS X and iOS client still work with this change.
tags/v8.1.0alpha1
Lukas Reschke 9 years ago
parent
commit
55fd0082aa
1 changed files with 19 additions and 0 deletions
  1. 19
    0
      lib/private/connector/sabre/filesplugin.php

+ 19
- 0
lib/private/connector/sabre/filesplugin.php View File

@@ -24,6 +24,7 @@

namespace OC\Connector\Sabre;

use Sabre\DAV\IFile;
use \Sabre\DAV\PropFind;
use \Sabre\DAV\PropPatch;
use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
*/
private $tree;

/**
* @param \Sabre\DAV\Tree $tree
*/
public function __construct(\Sabre\DAV\Tree $tree) {
$this->tree = $tree;
}
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
$this->server->on('propPatch', array($this, 'handleUpdateProperties'));
$this->server->on('afterBind', array($this, 'sendFileIdHeader'));
$this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
$this->server->on('afterMethod:GET', [$this,'httpGet']);
}

/**
* Plugin that adds a 'Content-Disposition: attachment' header to all files
* delivered by SabreDAV.
* @param RequestInterface $request
* @param ResponseInterface $response
*/
function httpGet(RequestInterface $request, ResponseInterface $response) {
// Only handle valid files
$node = $this->tree->getNodeForPath($request->getPath(), 0);
if (!($node instanceof IFile)) return;

$response->addHeader('Content-Disposition', 'attachment');
}

/**
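Review bot: `$response->addHeader('Content-Disposition', 'attachment')` in `httpGet` appends to whatever the response already carries, so if the GET handler or another plugin has already set a Content-Disposition (for example `inline`), the client receives two values and which one wins depends on the browser; for a hardening header, `$response->setHeader('Content-Disposition', 'attachment');` makes the outcome deterministic. Whether anything upstream sets the header is not visible in this section. The type hint `ResponseInterface` has no matching `use` line in the first hunk (only `RequestInterface` is shown), so confirm it is imported just below the visible context; otherwise it resolves inside `OC\Connector\Sabre` and the handler fails when the event fires. The method should also declare `public` explicitly, as the constructor above it does.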
