fix: xss when attaching ?dl to the url
This commit is contained in:
parent
99c3f3694b
commit
a221d4e618
|
@ -265,9 +265,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "aho-corasick"
|
||||
version = "0.7.20"
|
||||
version = "1.0.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cc936419f96fa211c1b9166887b38e5e40b19958e5b895be7c1f93adec7071ac"
|
||||
checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04"
|
||||
dependencies = [
|
||||
"memchr",
|
||||
]
|
||||
|
@ -322,9 +322,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "bumpalo"
|
||||
version = "3.12.0"
|
||||
version = "3.12.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
|
||||
checksum = "9b1ce199063694f33ffb7dd4e0ee620741495c32833cde5aa08f02a0bf96f0c8"
|
||||
|
||||
[[package]]
|
||||
name = "bytecount"
|
||||
|
@ -376,9 +376,9 @@ checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"
|
|||
|
||||
[[package]]
|
||||
name = "cpufeatures"
|
||||
version = "0.2.6"
|
||||
version = "0.2.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "280a9f2d8b3a38871a3c8a46fb80db65e5e5ed97da80c4d08bf27fb63e35e181"
|
||||
checksum = "3e4c1eaa2012c47becbbad2ab175484c2a84d1185b566fb2cc5b8707343dfe58"
|
||||
dependencies = [
|
||||
"libc",
|
||||
]
|
||||
|
@ -436,7 +436,7 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "datatrash"
|
||||
version = "2.3.2"
|
||||
version = "2.3.3"
|
||||
dependencies = [
|
||||
"actix-files",
|
||||
"actix-governor",
|
||||
|
@ -1256,9 +1256,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "regex"
|
||||
version = "1.7.3"
|
||||
version = "1.8.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8b1f693b24f6ac912f4893ef08244d70b6067480d2f1a46e950c9691e6749d1d"
|
||||
checksum = "af83e617f331cc6ae2da5443c602dfa5af81e517212d9d611a5b3ba1777b5370"
|
||||
dependencies = [
|
||||
"aho-corasick",
|
||||
"memchr",
|
||||
|
@ -1267,9 +1267,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "regex-syntax"
|
||||
version = "0.6.29"
|
||||
version = "0.7.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
|
||||
checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c"
|
||||
|
||||
[[package]]
|
||||
name = "ring"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
[package]
|
||||
name = "datatrash"
|
||||
version = "2.3.2"
|
||||
version = "2.3.3"
|
||||
authors = ["neri"]
|
||||
edition = "2021"
|
||||
|
||||
|
|
|
@ -156,7 +156,7 @@ fn build_file_response(
|
|||
.set_content_disposition(content_disposition);
|
||||
|
||||
let mut response = file.into_response(req);
|
||||
append_security_headers(&mut response, req, download);
|
||||
append_security_headers(&mut response, req);
|
||||
Ok(response)
|
||||
}
|
||||
|
||||
|
@ -172,14 +172,14 @@ fn get_disposition_params(filename: &str) -> Vec<DispositionParam> {
|
|||
parameters
|
||||
}
|
||||
|
||||
fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest, download: bool) {
|
||||
fn append_security_headers(response: &mut HttpResponse, req: &HttpRequest) {
|
||||
// if the browser is trying to fetch this resource in a secure context pretend the reponse is
|
||||
// just binary data so it won't be executed
|
||||
let sec_fetch_mode = req
|
||||
.headers()
|
||||
.get("sec-fetch-mode")
|
||||
.and_then(|v| v.to_str().ok());
|
||||
if !download && sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") {
|
||||
if sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate") {
|
||||
response.headers_mut().insert(
|
||||
CONTENT_TYPE,
|
||||
HeaderValue::from_str(APPLICATION_OCTET_STREAM.as_ref())
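Review bot: The content-type override in the new `if sec_fetch_mode.is_some() && sec_fetch_mode != Some("navigate")` still fires only when the client sends Sec-Fetch-Mode, so a browser or embedding that omits that header receives the original content type and the XSS protection rests on a client-supplied hint. If the rest of append_security_headers (it continues past the end of this hunk) does not already set headers that neutralise the body regardless of fetch mode — e.g. `X-Content-Type-Options: nosniff` and a restrictive `Content-Security-Policy` such as `sandbox` — consider adding them unconditionally, or treating a missing header like a non-navigate fetch with `if sec_fetch_mode != Some("navigate") {` at the cost of older browsers downloading instead of displaying the file. The comment on the first changed line also misspells "response" as "reponse" and could state why the `download` bypass was dropped, e.g. `// applies to ?dl downloads too: a forced download must never be served with its original, possibly active, content type`.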
|
||||
|
|