fix file naming sanitisation

2026-03-23 17:46:27 +01:00
parent 5bcca61d59
commit 82eb9de5f1
4 changed files with 32 additions and 35 deletions


@@ -1,6 +1,7 @@
package file
import (
"ResendIt/internal/util"
"fmt"
"net/http"
"path/filepath"
@@ -77,27 +78,12 @@ func (h *Handler) View(c *gin.Context) {
c.HTML(http.StatusOK, "fileNotFound.html", nil)
return
}
c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, record.Filename))
name := util.SafeFilename(record.Filename)
c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
c.Header("X-Content-Type-Options", "nosniff")
c.File(record.Path)
}
func safeFilename(name string) string {
// keep it simple: drop control chars and quotes
out := make([]rune, 0, len(name))
for _, r := range name {
if r < 32 || r == 127 || r == '"' || r == '\\' {
continue
}
out = append(out, r)
}
if len(out) == 0 {
return "file"
}
return string(out)
}
func isXSSRisk(filename string) bool {
ext := filepath.Ext(filename)
switch ext {
@@ -116,8 +102,8 @@ func (h *Handler) Download(c *gin.Context) {
c.HTML(http.StatusOK, "fileNotFound.html", nil)
return
}
c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, record.Filename))
name := util.SafeFilename(record.Filename)
c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
c.Header("X-Content-Type-Options", "nosniff")
//c.Header("Content-Security-Policy", "default-src 'none'; img-src 'self'; media-src 'self'; script-src 'none'; style-src 'none';")
//c.Header("Content-Type", "application/octet-stream")
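Review bot: The header-injection safety of the new `name` value now rests entirely on `util.SafeFilename`, whose implementation is not in this diff, while both call sites (`View` and `Download`) still splice it into a hand-built quoted-string with `%s`; if the helper ever stops stripping `"`, `\` or CR/LF (as the deleted local `safeFilename` did), the `Content-Disposition` header becomes injectable again. The standard library already does this correctly, including RFC 2231 `filename*` encoding for non-ASCII names, so I would replace the `fmt.Sprintf` lines with `c.Header("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": name}))` and add `"mime"` to the import block, keeping `SafeFilename` as defence in depth rather than the sole guard. Separately, `Download` re-emits `inline` on its new line; if that handler is meant to force a save, `attachment` is the disposition to use, since `inline` lets the browser render the content, and the commented-out CSP line below suggests this was already a concern. The bodies of `View` and `Download` start outside these hunks.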