Configure a restrictive content-security-policy for attachments
authorTim Düsterhus <duesterhus@woltlab.com>
Tue, 20 Sep 2022 07:18:56 +0000 (09:18 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Tue, 20 Sep 2022 07:21:09 +0000 (09:21 +0200)
wcfsetup/install/files/lib/page/AttachmentPage.class.php

index 53b6e350070d2aeeae0f5b7b2de61708aa194cbd..a4c7614aa3039868d67ec95dd9e23bb582552272 100644 (file)
@@ -171,6 +171,12 @@ class AttachmentPage extends AbstractPage
             'maxAge' => $cacheDuration,
         ]);
 
+        // Prevent <script> execution in the context of the community's domain if
+        // an attacker somehow bypasses 'content-disposition: attachment' for non-inline
+        // MIME-Types. One possibility might be a package extending $inlineMimeTypes
+        // in an unsafe fashion.
+        $this->fileReader->addHeader('content-security-policy', "default-src 'none';");
+
         if ($this->eTag !== null) {
             $this->fileReader->addHeader('ETag', '"' . $this->eTag . '"');
         }
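Review bot: `default-src 'none'` on the new line at L17 does not govern framing or origin isolation, so an inline-rendered attachment can still be embedded cross-origin and keeps running in the community's origin; `frame-ancestors` and `sandbox` are separate directives that `default-src` never falls back to. If the goal stated in the comment is to contain attacker-controlled content even when the disposition check is bypassed, a stricter value such as `"default-src 'none'; frame-ancestors 'none'; sandbox;"` is worth considering, though `sandbox` should be verified against the inline types actually served (images, PDF) before shipping, since browser PDF viewers have historically varied in how they handle it. The header is also only effective together with a `nosniff` content-type option, which this hunk does not show being set; if it is not already sent elsewhere in the method, adding `$this->fileReader->addHeader('x-content-type-options', 'nosniff');` next to it would close the sniffing path the comment alludes to. The enclosing method starts and ends outside the hunk.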