Force mimetype of output files to be safe
10
app.coffee
10
app.coffee
@@ -4,6 +4,8 @@ logger = require "logger-sharelatex"
|
|||||||
logger.initialize("clsi")
|
logger.initialize("clsi")
|
||||||
smokeTest = require "smoke-test-sharelatex"
|
smokeTest = require "smoke-test-sharelatex"
|
||||||
|
|
||||||
|
Path = require "path"
|
||||||
|
|
||||||
Metrics = require "metrics-sharelatex"
|
Metrics = require "metrics-sharelatex"
|
||||||
Metrics.initialize("clsi")
|
Metrics.initialize("clsi")
|
||||||
Metrics.open_sockets.monitor(logger)
|
Metrics.open_sockets.monitor(logger)
|
||||||
@@ -33,7 +35,13 @@ app.delete "/project/:project_id", CompileController.clearCache
|
|||||||
app.get "/project/:project_id/sync/code", CompileController.syncFromCode
|
app.get "/project/:project_id/sync/code", CompileController.syncFromCode
|
||||||
app.get "/project/:project_id/sync/pdf", CompileController.syncFromPdf
|
app.get "/project/:project_id/sync/pdf", CompileController.syncFromPdf
|
||||||
|
|
||||||
staticServer = express.static(Settings.path.compilesDir)
|
staticServer = express.static Settings.path.compilesDir, setHeaders: (res, path, stat) ->
|
||||||
|
if Path.basename(path) == "output.pdf"
|
||||||
|
res.set("Content-Type", "application/pdf")
|
||||||
|
else
|
||||||
|
# Force plain treatment of other file types to prevent hosting of HTTP/JS files
|
||||||
|
# that could be used in same-origin/XSS attacks.
|
||||||
|
res.set("Content-Type", "text/plain")
|
||||||
app.get "/project/:project_id/output/*", (req, res, next) ->
|
app.get "/project/:project_id/output/*", (req, res, next) ->
|
||||||
req.url = "/#{req.params.project_id}/#{req.params[0]}"
|
req.url = "/#{req.params.project_id}/#{req.params[0]}"
|
||||||
staticServer(req, res, next)
|
staticServer(req, res, next)
|
||||||
|
|||||||
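Review bot: Overriding Content-Type to text/plain in the setHeaders callback does not by itself stop content sniffing; some older browsers will still sniff a text/plain body that looks like HTML into a document, which re-opens the same-origin exposure the comment on the else branch is trying to close. Add `res.set("X-Content-Type-Options", "nosniff")` next to the existing res.set calls, placed before the `if` so both the PDF and the plain-text branches carry it. The callback only applies to this staticServer instance, i.e. files under compilesDir reached through `/project/:project_id/output/*`; any other static route in the file would need the same treatment. `setHeaders` is an option of serve-static (the Express 4 era express.static) — worth confirming the Express/serve-static version in use honours it, because if the option is silently ignored the default MIME lookup still applies and the commit changes nothing.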