From a221d4e6182464fa293797670ac7f81918d218c7 Mon Sep 17 00:00:00 2001
From: neri
Date: Sat, 22 Apr 2023 19:08:48 +0200
Subject: [PATCH] fix: xss when attaching ?dl to the url
---
 Cargo.lock | 22 +++++++++++-----------
 Cargo.toml | 2 +-
 src/download.rs | 6 +++---
 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 4f72025..efbce5e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -265,9 +265,9 @@ dependencies = [
 [[package]]
 name = "aho-corasick"
-version = "0.7.20"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc936419f96fa211c1b9166887b38e5e40b19958e5b895be7c1f93adec7071ac"
+checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04"
 dependencies = [
 "memchr",
 ]
@@ -322,9 +322,9 @@ dependencies = [
 [[package]]
 name = "bumpalo"
-version = "3.12.0"
+version = "3.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
+checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8"
 [[package]]
 name = "bytecount"
@@ -376,9 +376,9 @@ checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"
 [[package]]
 name = "cpufeatures"
-version = "0.2.6"
+version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "280a9f2d8b3a38871a3c8a46fb80db65e5e5ed97da80c4d08bf27fb63e35e181"
+checksum = "3e4c1eaa2012c47becbbad2ab175484c2a84d1185b566fb2cc5b8707343dfe58"
 dependencies = [
 "libc",
 ]
@@ -436,7 +436,7 @@ dependencies = [
 [[package]]
 name = "datatrash"
-version = "2.3.2"
+version = "2.3.3"
 dependencies = [
 "actix-files",
 "actix-governor",
@@ -1256,9 +1256,9 @@ dependencies = [
 [[package]]
 name = "regex"
-version = "1.7.3"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b1f693b24f6ac912f4893ef08244d70b6067480d2f1a46e950c9691e6749d1d"
+checksum = "af83e617f331cc6ae2da5443c602dfa5af81e517212d9d611a5b3ba1777b5370"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -1267,9 +1267,9 @@ dependencies = [
 [[package]]
 name = "regex-syntax"
-version = "0.6.29"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
+checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c"
 [[package]]
 name = "ring"
diff --git a/Cargo.toml b/Cargo.toml
index 6e92af7..70c02bc 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "datatrash"
-version = "2.3.2"
+version = "2.3.3"
 authors = ["neri"]
 edition = "2021"
diff --git a/src/download.rs b/src/download.rs
index 3b5ce69..e1426df 100644
--- a/src/download.rs
+++ b/src/download.rs
@@ -156,7 +156,7 @@ fn build_file_response(
 .set_content_disposition(content_disposition);
 let mut response = file.into_response(req);
- append_security_headers(&mut response, req, download);
+ append_security_headers(&mut response, req);
 Ok(response)
 }
@@ -172,14 +172,14 @@ fn get_disposition_params(filename: &str) -> Vec {
 parameters
 }
-fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest, download: bool) {
+fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest) {
 // if the browser is trying to fetch this resource in a secure context pretend the reponse is
 // just binary data so it won't be executed
 let sec_fetch_mode = req
 .headers()
 .get("sec-fetch-mode")
 .and_then(|v| v.to_str().ok());
- if !download && sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") {
+ if sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") {
 response.headers_mut().insert(
 CONTENT_TYPE,
 HeaderValue::from_str(APPLICATION_OCTET_STREAM.as_ref())
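Review bot: The guard on the new `if sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate")` line still leaves the octet-stream override off whenever the request carries no Sec-Fetch-Mode header at all, so clients without Fetch Metadata support keep the file's own content type on the `?dl` path too; the commit removes the `download` exemption but does not document that remaining assumption. I would extend the comment above the header lookup with `// Requests without Sec-Fetch-Mode (no Fetch Metadata support, non-browser clients) are left untouched; the override below only covers clients that declare a non-navigation fetch.` and give `append_security_headers` a short doc comment stating that the attachment/download case is deliberately no longer exempt, since that is the point of this fix. Treating a missing header as non-navigate (`if sec_fetch_mode != Some("navigate")`) would close that gap but would also turn direct navigations from such clients into downloads, so it is a trade-off to weigh rather than a drop-in change. A regression test sending `Sec-Fetch-Mode: no-cors` together with `?dl` and asserting the octet-stream content type would pin the behaviour this commit introduces. The body of `append_security_headers` continues past the end of the hunk.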