diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 283a01cfb..3bccdcda4 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers;
use BookStack\Facades\Activity;
use BookStack\Interfaces\Loggable;
use BookStack\Model;
+use BookStack\Util\WebSafeMimeSniffer;
use finfo;
use Illuminate\Foundation\Bus\DispatchesJobs;
use Illuminate\Foundation\Validation\ValidatesRequests;
@@ -117,8 +118,9 @@ abstract class Controller extends BaseController
protected function downloadResponse(string $content, string $fileName): Response
{
return response()->make($content, 200, [
- 'Content-Type' => 'application/octet-stream',
- 'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
+ 'Content-Type' => 'application/octet-stream',
+ 'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
+ 'X-Content-Type-Options' => 'nosniff',
]);
}
@@ -128,12 +130,13 @@ abstract class Controller extends BaseController
*/
protected function inlineDownloadResponse(string $content, string $fileName): Response
{
- $finfo = new finfo(FILEINFO_MIME_TYPE);
- $mime = $finfo->buffer($content) ?: 'application/octet-stream';
+
+ $mime = (new WebSafeMimeSniffer)->sniff($content);
return response()->make($content, 200, [
- 'Content-Type' => $mime,
- 'Content-Disposition' => 'inline; filename="' . $fileName . '"',
+ 'Content-Type' => $mime,
+ 'Content-Disposition' => 'inline; filename="' . $fileName . '"',
+ 'X-Content-Type-Options' => 'nosniff',
]);
}
diff --git a/app/Util/WebSafeMimeSniffer.php b/app/Util/WebSafeMimeSniffer.php
new file mode 100644
index 000000000..a896bd9e5
--- /dev/null
+++ b/app/Util/WebSafeMimeSniffer.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace BookStack\Util;
+
+use finfo;
+
+/**
+ * Helper class to sniff out the mime-type of content resulting in
+ * a mime-type that's relatively safe to serve to a browser.
+ */
+class WebSafeMimeSniffer
+{
+
+ /**
+ * @var string[]
+ */
+ protected $safeMimes = [
+ 'application/json',
+ 'application/octet-stream',
+ 'application/pdf',
+ 'image/bmp',
+ 'image/jpeg',
+ 'image/png',
+ 'image/gif',
+ 'image/webp',
+ 'image/avif',
+ 'image/heic',
+ 'text/css',
+ 'text/csv',
+ 'text/javascript',
+ 'text/json',
+ 'text/plain',
+ 'video/x-msvideo',
+ 'video/mp4',
+ 'video/mpeg',
+ 'video/ogg',
+ 'video/webm',
+ 'video/vp9',
+ 'video/h264',
+ 'video/av1',
+ ];
+
+ /**
+ * Sniff the mime-type from the given file content while running the result
+ * through an allow-list to ensure a web-safe result.
+ * Takes the content as a reference since the value may be quite large.
+ */
+ public function sniff(string &$content): string
+ {
+ $fInfo = new finfo(FILEINFO_MIME_TYPE);
+ $mime = $fInfo->buffer($content) ?: 'application/octet-stream';
+
+ if (in_array($mime, $this->safeMimes)) {
+ return $mime;
+ }
+
+ [$category] = explode('/', $mime, 2);
+ if ($category === 'text') {
+ return 'text/plain';
+ }
+
+ return 'application/octet-stream';
+ }
+
+}
\ No newline at end of file
diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php
index 60fd370b6..26f092bcc 100644
--- a/tests/Uploads/AttachmentTest.php
+++ b/tests/Uploads/AttachmentTest.php
@@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
use BookStack\Uploads\AttachmentService;
use Illuminate\Http\UploadedFile;
use Tests\TestCase;
+use Tests\TestResponse;
class AttachmentTest extends TestCase
{
@@ -44,6 +45,20 @@ class AttachmentTest extends TestCase
return Attachment::query()->latest()->first();
}
+ /**
+ * Create a new upload attachment from the given data.
+ */
+ protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
+ {
+ $file = tmpfile();
+ $filePath = stream_get_meta_data($file)['uri'];
+ file_put_contents($filePath, $content);
+ $upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
+
+ $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
+ return $page->attachments()->latest()->firstOrFail();
+ }
+
/**
* Delete all uploaded files.
* To assist with cleanup.
@@ -305,7 +320,24 @@ class AttachmentTest extends TestCase
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
+ $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');
$this->deleteUploads();
}
+
+ public function test_html_file_access_with_open_forces_plain_content_type()
+ {
+ $page = Page::query()->first();
+ $this->asAdmin();
+
+ $attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
+
+ $attachmentGet = $this->get($attachment->getUrl(true));
+ // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
+ $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
+ $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
+
+ $this->deleteUploads();
+ }
+
}