Changes the default content disposition for WebP attachments from *download* to *inline*. Also adds the WebP codec support side-effect to decode.go, to prevent future issues caused by possible changes in emoji.go.
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
package web
import (
"io"
"net/http"
"net/url"
"strconv"
"strings"
"time"
)
var (
	// UnsafeContentTypes is a denylist of script and markup media types.
	// WriteFileResponse matches the stored content type against these entries
	// by prefix and, on a match, serves the file as text/plain instead, so an
	// uploaded file is not handed to the browser as active content.
	UnsafeContentTypes = [...]string{
		"application/javascript",
		"application/ecmascript",
		"text/javascript",
		"text/ecmascript",
		"application/x-javascript",
		"text/html",
	}

	// MediaContentTypes is the allowlist of media types that
	// WriteFileResponse serves with an "inline" Content-Disposition when a
	// download is not forced; every other type is sent as an attachment.
	//
	// NOTE(review): anything listed here is displayed by the browser under the
	// application's origin, so only formats that cannot carry script or markup
	// belong in this list.
	MediaContentTypes = [...]string{
		"image/jpeg",
		"image/png",
		"image/bmp",
		"image/gif",
		"image/tiff",
		"image/webp",
		"video/avi",
		"video/mpeg",
		"video/mp4",
		"audio/mpeg",
		"audio/wav",
	}
)
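// WriteFileResponse writes the headers for a stored file and then streams it
// to the client with http.ServeContent.
//
// filename is percent-escaped before it is placed in Content-Disposition.
// contentType is the stored media type; an empty value becomes
// application/octet-stream and any type matching UnsafeContentTypes is
// replaced with text/plain. contentSize, when positive, is advertised as
// Content-Length, or as X-Uncompressed-Content-Length when webserverMode is
// "gzip". forceDownload forces an "attachment" disposition; otherwise only
// types matching MediaContentTypes are served "inline".
//
// The content type is treated as untrusted: matching is done on a trimmed,
// lowercased copy because media types are case-insensitive and surrounding
// whitespace is not significant in a header value, so variants such as
// "Text/HTML" or " text/html" must not slip past the denylist.
func WriteFileResponse(filename string, contentType string, contentSize int64, lastModification time.Time, webserverMode string, fileReader io.ReadSeeker, forceDownload bool, w http.ResponseWriter, r *http.Request) {
	header := w.Header()
	header.Set("Cache-Control", "private, max-age=86400")
	// Stop the browser from second-guessing the declared Content-Type.
	header.Set("X-Content-Type-Options", "nosniff")

	if contentSize > 0 {
		// FormatInt keeps the full int64 value; converting to int first
		// would truncate sizes above 2 GiB on 32-bit platforms.
		contentSizeStr := strconv.FormatInt(contentSize, 10)
		if webserverMode == "gzip" {
			header.Set("X-Uncompressed-Content-Length", contentSizeStr)
		} else {
			header.Set("Content-Length", contentSizeStr)
		}
	}

	if contentType == "" {
		contentType = "application/octet-stream"
	}

	// Normalized copy used only for matching; the header keeps the caller's
	// value unless it is rewritten below.
	normalized := strings.ToLower(strings.TrimSpace(contentType))
	for _, unsafeContentType := range UnsafeContentTypes {
		if strings.HasPrefix(normalized, unsafeContentType) {
			// Never hand script or markup to the browser as such.
			contentType = "text/plain"
			normalized = contentType
			break
		}
	}

	header.Set("Content-Type", contentType)

	// Default to download; only allowlisted media types may render inline.
	toDownload := true
	if !forceDownload {
		for _, mediaContentType := range MediaContentTypes {
			if strings.HasPrefix(normalized, mediaContentType) {
				toDownload = false
				break
			}
		}
	}

	// Percent-escaping keeps quotes and other special characters in the
	// file name from breaking out of the quoted filename parameter.
	filename = url.PathEscape(filename)

	disposition := "inline"
	if toDownload {
		disposition = "attachment"
	}
	header.Set("Content-Disposition", disposition+";filename=\""+filename+"\"; filename*=UTF-8''"+filename)

	// prevent file links from being embedded in iframes
	header.Set("X-Frame-Options", "DENY")
	header.Set("Content-Security-Policy", "Frame-ancestors 'none'")

	http.ServeContent(w, r, filename, lastModification, fileReader)
}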