composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-27 04:28:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/support/2.6' into support/2.7

Browse Source 
# Conflicts:
#	core/config.class.inc.php
#	datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
#	pages/ajax.render.php
This commit is contained in:
Molkobain
2021-08-18 16:06:07 +02:00
parent 27217815d1 92a9a8c65f
commit 1c983e8093
3 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
View File

@@ -1085,6 +1085,11 @@ class ObjectController extends BrickController
$aHeaders['Content-Type'] = $oDocument->GetMimeType();
$aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment').';filename="'.$oDocument->GetFileName().'"';
// N°4129 - Prevent XSS attacks & other script executions
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
$aHeaders['Content-Security-Policy'] = 'sandbox';
}
return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
}