misc: do not transform, and restrict, uploaded HTML files (#67872)

Frédéric Péters 2022-08-02 11:09:43 +02:00
parent 9a34833f01
commit 69ab751d32
2 changed files with 11 additions and 0 deletions


@ -94,6 +94,11 @@ class FileDirectory(Directory):
else:
raise errors.TraversalError()
# force potential HTML upload to be used as-is (not decorated with theme)
# and with minimal permissions
response.filter = {}
response.set_header('Content-Security-Policy', 'default-src \'none\';')
if file.content_type:
response.set_content_type(file.content_type)
else:
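Review bot: `default-src 'none'` leaves `form-action`, `base-uri` and `frame-ancestors` unrestricted (none of them falls back to default-src) and the uploaded document still renders in the application's own origin, so a crafted upload can still carry a form that posts to the application with the viewer's session cookie, or be framed for clickjacking; the `sandbox` directive gives the document an opaque origin and blocks form submission, e.g. `response.set_header('Content-Security-Policy', "default-src 'none'; sandbox; form-action 'none'; base-uri 'none'")`. `file.content_type` on the next line is presumably whatever the uploader declared, so pairing the policy with `response.set_header('X-Content-Type-Options', 'nosniff')` keeps browsers from re-interpreting a non-HTML declared type, and SVG uploads are active content that relies on this same header. The enclosing method starts before this hunk and the branch under the final `else:` lies outside it, so whether the fallback content type is constrained the same way cannot be checked here.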


@ -1684,6 +1684,12 @@ class FormPage(Directory, FormTemplateMixin):
if tempfile is None:
raise errors.TraversalError()
response = get_response()
# force potential HTML upload to be used as-is (not decorated with theme)
# and with minimal permissions
response.filter = {}
response.set_header('Content-Security-Policy', 'default-src \'none\';')
if tempfile['content_type']:
response.set_content_type(tempfile['content_type'])
else:
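Review bot: These four lines repeat the comment and policy string added to FileDirectory verbatim, so the two policies will drift the first time one of them is tightened; a module-level constant such as `UPLOAD_HTML_CSP = "default-src 'none';"` used at both call sites, or a small helper that applies `filter = {}` plus the header, keeps the restriction in one place. `tempfile['content_type']` is presumably the type declared at upload time, so the policy being set unconditionally before the `if` is the right shape, and `response.set_header('X-Content-Type-Options', 'nosniff')` next to it would make the intent explicit. The enclosing method and the `else:` branch continue outside this hunk.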