N°8150 - Better picture checking

jf-cbd
2025-02-04 10:49:16 +01:00
parent 3a497524dc
commit bd6ccc55f8


@@ -1166,6 +1166,14 @@ class ObjectController extends BrickController
$aHeaders['Content-Type'] = $oDocument->GetMimeType();
$aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment').';filename="'.$oDocument->GetFileName().'"';
if (MetaModel::GetImageAttributeCode($sObjectClass) === $sObjectField) {
$sRequestedHash = $oRequest->get('s');
$sComputedHash = md5($oDocument->GetData());
if ($sRequestedHash !== $sComputedHash) {
throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
}
}
// N°4129 - Prevent XSS attacks & other script executions
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
$aHeaders['Content-Security-Policy'] = 'sandbox';
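Review bot: The new guard `if ($sRequestedHash !== $sComputedHash)` compares a request parameter that works as an access token using `!==`, with no type check on what `$oRequest->get('s')` returns; the usual form is `if (!is_string($sRequestedHash) || !hash_equals($sComputedHash, $sRequestedHash)) {`. The token is an unkeyed `md5()` of the document bytes, so anyone who already holds the same image can derive it, and it is not bound to the object or to the requesting user. If this check stands in for a permission check that is relaxed elsewhere in the method (not visible in this hunk), an HMAC keyed with a server-side secret would be a firmer choice. A short comment above the block in the style of the N°4129 one that follows, e.g. `// N°8150 - Image attribute: serve only when 's' matches the hash of the stored data`, would record the intent. The enclosing method starts and ends outside the hunk.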