vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Ensure user files are always sent with the Content-Disposition header

Browse source 
This prevents them from being executed in the browser directly

Fixes https://jira.coreos.com/browse/QS-84
This commit is contained in:
Joseph Schorr 2017-12-06 17:12:00 -05:00
parent d405f6f158
commit d38a1fc851
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
data/userfiles.py
View file

@ -30,7 +30,8 @@ class UserfilesHandlers(View):
file_stream = self._storage.stream_read_file(self._locations, path) file_stream = self._storage.stream_read_file(self._locations, path)
buffered = BufferedReader(file_stream) buffered = BufferedReader(file_stream)
file_header_bytes = buffered.peek(1024) file_header_bytes = buffered.peek(1024)
return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes)) return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes),
as_attachment=True, attachment_filename=file_id)
except IOError: except IOError:
logger.exception('Error reading user file') logger.exception('Error reading user file')
abort(404) abort(404)