Security Fix JVN#74210258: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc. and xet7!
This commit is contained in:
Lauri Ojansivu 2025-10-10 23:06:06 +03:00
parent 2e91a359f5
commit e1fa607f87
4 changed files with 60 additions and 2 deletions


@ -53,7 +53,18 @@ if (Meteor.isServer) {
// Set appropriate headers
res.setHeader('Content-Type', attachment.type || 'application/octet-stream');
res.setHeader('Content-Length', attachment.size || 0);
res.setHeader('Content-Disposition', `attachment; filename="${attachment.name}"`);
// Force attachment disposition for SVG files to prevent XSS attacks
const isSvgFile = attachment.name && attachment.name.toLowerCase().endsWith('.svg');
const disposition = isSvgFile ? 'attachment' : 'attachment'; // Always use attachment for legacy files
res.setHeader('Content-Disposition', `${disposition}; filename="${attachment.name}"`);
// Add security headers for SVG files
if (isSvgFile) {
res.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
}
// Get GridFS stream for legacy attachment
const fileStream = getOldAttachmentStream(attachmentId);