Differences From
Artifact [8605ea50bd]:
510 510
511 511 terra http.file_serve_raw(co: &lib.srv.convo, id: lib.mem.ptr(int8))
512 512 var id, idok = lib.math.shorthand.parse(id.ptr, id.ct)
513 513 if not idok then goto e404 end
514 514 var data, mime = co.srv:artifact_load(id)
515 515 if not data then goto e404 end
516 516 do defer data:free() defer mime:free()
517 - lib.net.mg_printf(co.con, 'HTTP/1.1 200 OK\r\nContent-Type: %.*s\r\nContent-Length: %llu\r\n\r\n', mime.ct, mime.ptr, data.ct + 2)
517 + var safemime = mime
518 + -- TODO this is not a satisfactory solution; it's a bandaid on a gaping
519 + -- chest wound. ultimately we need to compile a whitelist of safe mime
520 + -- types as part of mimelib, but that is no small task. for now, this
521 + -- will keep the patient from immediately bleeding out
522 + if mime:cmp(lib.str.plit'text/html') or
523 + mime:cmp(lib.str.plit'text/xml') or
524 + mime:cmp(lib.str.plit'application/xhtml+xml') or
525 + mime:cmp(lib.str.plit'application/vnd.wap.xhtml+xml')
526 + then -- danger will robinson
527 + safemime = lib.str.plit'text/plain'
528 + elseif mime:cmp(lib.str.plit'application/x-shockwave-flash') then
529 + safemime = lib.str.plit'application/octet-stream'
530 + end
531 + lib.net.mg_printf(co.con, "HTTP/1.1 200 OK\r\nContent-Type: %.*s\r\nContent-Length: %llu\r\nContent-Security-Policy: sandbox; default-src 'none'; form-action 'none'; navigate-to 'none';\r\nX-Content-Options: nosniff\r\n\r\n", safemime.ct, safemime.ptr, data.ct + 2)
518 532 lib.net.mg_send(co.con, data.ptr, data.ct)
519 533 lib.net.mg_send(co.con, '\r\n', 2)
520 534 return end
521 535
522 536 ::e404:: do co:complain(404, 'artifact not found', 'no such artifact has been uploaded to this instance') return end
523 537 end
524 538