authorLukas Reschke <lukas@owncloud.com>2015-02-25 11:45:44 +0100
committerLukas Reschke <lukas@owncloud.com>2015-03-26 20:01:05 +0100
commit55fd0082aa27a4d3d9dc7194fcef150779c559f7 (patch)
treed9b204ae635b21db7391d0c7c390de65ea555949 /lib/private/connector/sabre/filesplugin.php
parentc8c722bc6de3a58e10ba42a55a178d3ba9308bae (diff)
Serve all files with a Content-Disposition of 'attachment' via WebDAV
As an additional security hardening, it's sensible to serve these files with a Content-Disposition of 'attachment'. Currently they are served 'inline' and get a "secure mimetype" assigned in the case of potentially dangerous files. To test this change ensure that: - [ ] Syncing with the Desktop client still works - [ ] Syncing with the Android client still works - [ ] Syncing with the iOS client still works I verified that the 1.8 OS X and iOS clients still work with this change.
Diffstat (limited to 'lib/private/connector/sabre/filesplugin.php')
-rw-r--r--lib/private/connector/sabre/filesplugin.php19
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/private/connector/sabre/filesplugin.php b/lib/private/connector/sabre/filesplugin.php
index acd0eb6014c..1dbab7cbe31 100644
--- a/lib/private/connector/sabre/filesplugin.php
+++ b/lib/private/connector/sabre/filesplugin.php
@@ -24,6 +24,7 @@
namespace OC\Connector\Sabre;
+use Sabre\DAV\IFile;
use \Sabre\DAV\PropFind;
use \Sabre\DAV\PropPatch;
use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
*/
private $tree;
+ /**
+ * @param \Sabre\DAV\Tree $tree
+ */
public function __construct(\Sabre\DAV\Tree $tree) {
$this->tree = $tree;
}
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
$this->server->on('propPatch', array($this, 'handleUpdateProperties'));
$this->server->on('afterBind', array($this, 'sendFileIdHeader'));
$this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
+ $this->server->on('afterMethod:GET', [$this,'httpGet']);
+ }
+
+ /**
+ * Plugin that adds a 'Content-Disposition: attachment' header to all files
+ * delivered by SabreDAV.
+ * @param RequestInterface $request
+ * @param ResponseInterface $response
+ */
+ function httpGet(RequestInterface $request, ResponseInterface $response) {
+ // Only handle valid files
+ $node = $this->tree->getNodeForPath($request->getPath(), 0);
+ if (!($node instanceof IFile)) return;
+
+ $response->addHeader('Content-Disposition', 'attachment');
}
/**
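Review bot: The new `httpGet` handler sets the header with `addHeader`, which in sabre/http appends to any `Content-Disposition` value already on the response instead of replacing it, so if another handler has set `inline` the client would receive both values; for a hardening header, `$response->setHeader('Content-Disposition', 'attachment');` guarantees a single value. The method is declared without a visibility keyword and with a brace-less `if`, whereas the constructor visible in the previous hunk uses `public`; `public function httpGet(...)` with a braced early return would be consistent. The docblock opens with "Plugin that adds" although it documents a method, and the literal `0` passed as second argument to `getNodeForPath` needs a comment or removal, since its purpose is not evident from the hunk. `ResponseInterface` is not among the `use` lines shown in the first hunk, so confirm it is imported outside the visible context; the class body continues beyond this hunk.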