Ensure user files are always sent with the Content-Disposition header
This prevents them from being executed in the browser directly Fixes https://jira.coreos.com/browse/QS-84
This commit is contained in:
Joseph Schorr
parent
d405f6f158
commit
d38a1fc851
1 changed files with 2 additions and 1 deletions
|
|
@ -30,7 +30,8 @@ class UserfilesHandlers(View):
|
|||
file_stream = self._storage.stream_read_file(self._locations, path)
|
||||
buffered = BufferedReader(file_stream)
|
||||
file_header_bytes = buffered.peek(1024)
|
||||
return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes))
|
||||
return send_file(buffered, mimetype=self._magic.from_buffer(file_header_bytes),
|
||||
as_attachment=True, attachment_filename=file_id)
|
||||
except IOError:
|
||||
logger.exception('Error reading user file')
|
||||
abort(404)
|
||||
|
|
|
|||
Reference in a new issue