]> Sergey Matveev's repositories - public-inbox.git/commit
projects / public-inbox.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: d63bd02) | patch
wwwattach: prevent deep-linking via Referer match
authorEric Wong <e@80x24.org>
Mon, 23 Nov 2020 14:15:35 +0000 (14:15 +0000)
committerEric Wong <e@80x24.org>
Tue, 24 Nov 2020 16:16:17 +0000 (16:16 +0000)
commit46cbc5a7a4ba917bd7154be3b6e6898420ff85d3
tree905ee5cf80452fbe8e963b5c5badfc2e4b8b5e64tree
parentd63bd02ca7ef26190d073896fe063c497ef60d85commit | diff
wwwattach: prevent deep-linking via Referer match

This prevents `<img src=' tags from being used to deep-link
image attachments from HTML outside of the current host and
reduces potential for abuse.

Some browsers (e.g. Firefox) favor content detection and will
display images irrespective of the Content-Type header being
"application/octet-stream", and "Content-Disposition: attachment"
doesn't stop them, either.

Tested with dillo and Firefox.

Reported-by: Leah Neukirchen <leah@vuxu.org>
lib/PublicInbox/WwwAttach.pm diff | blob | history
My patches to https://public-inbox.org/public-inbox.git