Diffstat (limited to 'workhorse/internal/headers/content_headers.go')
-rw-r--r--workhorse/internal/headers/content_headers.go10
1 files changed, 10 insertions, 0 deletions
diff --git a/workhorse/internal/headers/content_headers.go b/workhorse/internal/headers/content_headers.go
index 8cca3d97e82..854cc8abddd 100644
--- a/workhorse/internal/headers/content_headers.go
+++ b/workhorse/internal/headers/content_headers.go
@@ -43,6 +43,16 @@ const (
func SafeContentHeaders(data []byte, contentDisposition string) (string, string) {
contentType := safeContentType(data)
contentDisposition = safeContentDisposition(contentType, contentDisposition)
+
+ // Set attachments to application/octet-stream since browsers can do
+ // a better job distinguishing certain types (for example: ZIP files
+ // vs. Microsoft .docx files). However, browsers may safely render SVGs even
+ // when Content-Disposition is an attachment but only if the SVG
+ // Content-Type is set. Note that scripts in an SVG file will only be executed
+ // if the file is downloaded separately with an inline Content-Disposition.
+ if attachmentRegex.MatchString(contentDisposition) && !isType(contentType, svgMimeTypeRegex) {
+ contentType = "application/octet-stream"
+ }
return contentType, contentDisposition
}
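Review bot: The comment above the new `if` misstates the rationale and will mislead the next person who touches this carve-out: "browsers can do a better job distinguishing certain types" is the opposite of what `application/octet-stream` does (it tells the browser nothing, so the saved file is typed by its extension, which avoids a mis-sniffed `.docx` being presented as a ZIP), and "browsers may safely render SVGs even when Content-Disposition is an attachment" is unclear about the case it means, which appears to be an attachment referenced from an `<img>` element, where the SVG renders but its scripts never run. I would reword it to say that attachments are downgraded to octet-stream because the sniffed type may be wrong and a download only needs the filename, that `image/svg+xml` is kept so an SVG attachment still renders as an image, and that this stays safe only while the disposition remains `attachment`. The safety of that exception depends on `safeContentDisposition` (not in this hunk) never returning `inline` for SVG; worth stating that dependency in the comment and pinning it with a test that an SVG attachment keeps `image/svg+xml` while a ZIP attachment becomes `application/octet-stream`. `attachmentRegex`, `isType` and `svgMimeTypeRegex` are defined outside the hunk, so whether the match is anchored and case-insensitive cannot be checked here.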