I broke magic byte detection, and missed some Content-Security-Policy opportunities.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4304 ed5197a5-7fde-0310-b194-c3ffbd925b24
parent
478e96fc5f
commit
2ca08d21e4
@ -473,7 +473,7 @@ function startsWithBytes(data, bytes) {
|
|||||||
if (data.byteLength >= bytes.length) {
|
if (data.byteLength >= bytes.length) {
|
||||||
let dataBytes = new Uint8Array(data.slice(0, bytes.length));
|
let dataBytes = new Uint8Array(data.slice(0, bytes.length));
|
||||||
for (let i = 0; i < bytes.length; i++) {
|
for (let i = 0; i < bytes.length; i++) {
|
||||||
if (dataBytes[i] != bytes[i] && bytes[i] !== null) {
|
if (dataBytes[i] !== bytes[i] && bytes[i] !== null) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -561,7 +561,7 @@ function guessTypeFromName(path) {
|
|||||||
function guessTypeFromMagicBytes(data) {
|
function guessTypeFromMagicBytes(data) {
|
||||||
for (let magic of k_magic_bytes) {
|
for (let magic of k_magic_bytes) {
|
||||||
if (startsWithBytes(data, magic.bytes)) {
|
if (startsWithBytes(data, magic.bytes)) {
|
||||||
return magic.content_type;
|
return magic.type;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -621,7 +621,9 @@ async function blobHandler(request, response, blobId, uri) {
|
|||||||
let data;
|
let data;
|
||||||
let match;
|
let match;
|
||||||
let query = form.decodeForm(request.query);
|
let query = form.decodeForm(request.query);
|
||||||
let headers = {};
|
let headers = {
|
||||||
|
'Content-Security-Policy': 'sandbox',
|
||||||
|
};
|
||||||
if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
|
if (query.filename && query.filename.match(/^[A-Za-z0-9\.-]*$/)) {
|
||||||
headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
|
headers['Content-Disposition'] = `attachment; filename=${query.filename}`;
|
||||||
}
|
}
|
||||||
|
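Review bot: The headers object that now opens with `'Content-Security-Policy': 'sandbox'` sends no `X-Content-Type-Options`, so a browser may still sniff a blob whose guessed type is wrong; adding `'X-Content-Type-Options': 'nosniff'` beside the CSP entry closes that gap, assuming the Content-Type set later in blobHandler comes from the magic-byte or filename guess that the other two hunks touch. The Content-Disposition value is built from `query.filename` unquoted; the `^[A-Za-z0-9\.-]*$` check keeps it header-safe, though the pattern reads more plainly as `/^[A-Za-z0-9.-]*$/` since `.` needs no escape inside a character class. blobHandler's body continues past the end of the hunk, so where Content-Type is assigned is not visible here.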