fix: xss when attaching ?dl to the url

This commit is contained in:
neri 2023-04-22 19:08:48 +02:00
parent 99c3f3694b
commit a221d4e618
3 changed files with 15 additions and 15 deletions

Cargo.lock generated

@ -265,9 +265,9 @@ dependencies = [
[[package]] [[package]]
name = "aho-corasick" name = "aho-corasick"
version = "0.7.20" version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cc936419f96fa211c1b9166887b38e5e40b19958e5b895be7c1f93adec7071ac" checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04"
dependencies = [ dependencies = [
"memchr", "memchr",
] ]
@ -322,9 +322,9 @@ dependencies = [
[[package]] [[package]]
name = "bumpalo" name = "bumpalo"
version = "3.12.0" version = "3.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535" checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8"
[[package]] [[package]]
name = "bytecount" name = "bytecount"
@ -376,9 +376,9 @@ checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"
[[package]] [[package]]
name = "cpufeatures" name = "cpufeatures"
version = "0.2.6" version = "0.2.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "280a9f2d8b3a38871a3c8a46fb80db65e5e5ed97da80c4d08bf27fb63e35e181" checksum = "3e4c1eaa2012c47becbbad2ab175484c2a84d1185b566fb2cc5b8707343dfe58"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@ -436,7 +436,7 @@ dependencies = [
[[package]] [[package]]
name = "datatrash" name = "datatrash"
version = "2.3.2" version = "2.3.3"
dependencies = [ dependencies = [
"actix-files", "actix-files",
"actix-governor", "actix-governor",
@ -1256,9 +1256,9 @@ dependencies = [
[[package]] [[package]]
name = "regex" name = "regex"
version = "1.7.3" version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b1f693b24f6ac912f4893ef08244d70b6067480d2f1a46e950c9691e6749d1d" checksum = "af83e617f331cc6ae2da5443c602dfa5af81e517212d9d611a5b3ba1777b5370"
dependencies = [ dependencies = [
"aho-corasick", "aho-corasick",
"memchr", "memchr",
@ -1267,9 +1267,9 @@ dependencies = [
[[package]] [[package]]
name = "regex-syntax" name = "regex-syntax"
version = "0.6.29" version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c"
[[package]] [[package]]
name = "ring" name = "ring"


@ -1,6 +1,6 @@
[package] [package]
name = "datatrash" name = "datatrash"
version = "2.3.2" version = "2.3.3"
authors = ["neri"] authors = ["neri"]
edition = "2021" edition = "2021"


@ -156,7 +156,7 @@ fn build_file_response(
.set_content_disposition(content_disposition); .set_content_disposition(content_disposition);
let mut response = file.into_response(req); let mut response = file.into_response(req);
append_security_headers(&mut response, req, download); append_security_headers(&mut response, req);
Ok(response) Ok(response)
} }
@ -172,14 +172,14 @@ fn get_disposition_params(filename: &str) -> Vec<DispositionParam> {
parameters parameters
} }
fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest, download: bool) { fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest) {
// if the browser is trying to fetch this resource in a secure context pretend the reponse is // if the browser is trying to fetch this resource in a secure context pretend the reponse is
// just binary data so it won't be executed // just binary data so it won't be executed
let sec_fetch_mode = req let sec_fetch_mode = req
.headers() .headers()
.get("sec-fetch-mode") .get("sec-fetch-mode")
.and_then(|v| v.to_str().ok()); .and_then(|v| v.to_str().ok());
if !download && sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") { if sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") {
response.headers_mut().insert( response.headers_mut().insert(
CONTENT_TYPE, CONTENT_TYPE,
HeaderValue::from_str(APPLICATION_OCTET_STREAM.as_ref()) HeaderValue::from_str(APPLICATION_OCTET_STREAM.as_ref())
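Review bot: The octet-stream override on the new side of the `if` still keys only on `Sec-Fetch-Mode`, so a cross-site `<iframe>`, `<object>` or `<embed>` load, which per Fetch Metadata arrives as mode `navigate` with a non-`document` `Sec-Fetch-Dest`, keeps the stored Content-Type and, if that type is `text/html`, renders attacker-uploaded markup inside this origin; a client that sends no Fetch Metadata at all gets no override either, which is a fail-open default worth a comment. Reading `sec-fetch-dest` as well and keeping the stored type only for a top-level document navigation closes the embedding case without changing what a user sees when they open a link directly. This only matters if the remainder of append_security_headers, which continues past the end of the hunk and is not visible here, does not already emit a `Content-Security-Policy: sandbox` or frame-blocking header; in any case an `X-Content-Type-Options: nosniff` next to the override keeps the browser from sniffing `application/octet-stream` back into something executable.
```rust
fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest) {
    // … unchanged: comment and sec_fetch_mode lookup …
    let sec_fetch_dest = req
        .headers()
        .get("sec-fetch-dest")
        .and_then(|v| v.to_str().ok());
    // Only a top-level document navigation keeps the stored content type;
    // iframe/object/embed loads are also sent as mode "navigate".
    let is_top_level_nav = sec_fetch_mode == Some("navigate")
        && sec_fetch_dest.map_or(true, |dest| dest == "document");
    if sec_fetch_mode.is_some() && !is_top_level_nav {
        // … unchanged: application/octet-stream override …
```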