security fix: always force html attachments to be downloaded as oppos…

…ed to be shown inline
tinode · Jan 13, 2024 · f19ab26 · f19ab26
1 parent 759865e
commit f19ab26
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/server/hdl_files.go b/server/hdl_files.go
@@ -134,7 +134,10 @@ func largeFileServe(wrt http.ResponseWriter, req *http.Request) {
 	defer rsc.Close()
 
 	wrt.Header().Set("Content-Type", fd.MimeType)
-	if isAttachment, _ := strconv.ParseBool(req.URL.Query().Get("asatt")); isAttachment {
+	asAttachment, _ := strconv.ParseBool(req.URL.Query().Get("asatt"))
+	// Force download for html files as a security measure.
+	asAttachment = asAttachment || strings.Contains(fd.MimeType, "html")
+	if asAttachment {
 		wrt.Header().Set("Content-Disposition", "attachment")
 	}
 	http.ServeContent(wrt, req, "", fd.UpdatedAt, rsc)