|
@@ -3,7 +3,24 @@ Attachments = new FS.Collection('attachments', {
|
|
|
|
|
|
|
|
// XXX Add a new store for cover thumbnails so we don't load big images in
|
|
// XXX Add a new store for cover thumbnails so we don't load big images in
|
|
|
// the general board view
|
|
// the general board view
|
|
|
- new FS.Store.GridFS('attachments'),
|
|
|
|
|
|
|
+ new FS.Store.GridFS('attachments', {
|
|
|
|
|
+ // If the uploaded document is not an image we need to enforce browser
|
|
|
|
|
+ // download instead of execution. This is particularly important for HTML
|
|
|
|
|
+ // files that the browser will just execute if we don't serve them with the
|
|
|
|
|
+ // appropriate `application/octet-stream` MIME header which can lead to user
|
|
|
|
|
+ // data leaks. I imagine other formats (like PDF) can also be attack vectors.
|
|
|
|
|
+ // See https://github.com/wekan/wekan/issues/99
|
|
|
|
|
+ // XXX Should we use `beforeWrite` option of CollectionFS instead of
|
|
|
|
|
+ // collection-hooks?
|
|
|
|
|
+ // We should use `beforeWrite`.
|
|
|
|
|
+ beforeWrite: (fileObj) => {
|
|
|
|
|
+ if (!fileObj.isImage()) {
|
|
|
|
|
+ return {
|
|
|
|
|
+ type: 'application/octet-stream'
|
|
|
|
|
+ };
|
|
|
|
|
+ }
|
|
|
|
|
+ },
|
|
|
|
|
+ }),
|
|
|
],
|
|
],
|
|
|
});
|
|
});
|
|
|
|
|
|
|
@@ -36,23 +53,6 @@ if (Meteor.isServer) {
|
|
|
|
|
|
|
|
// XXX Enforce a schema for the Attachments CollectionFS
|
|
// XXX Enforce a schema for the Attachments CollectionFS
|
|
|
|
|
|
|
|
-Attachments.files.before.insert((userId, doc) => {
|
|
|
|
|
- const file = new FS.File(doc);
|
|
|
|
|
- doc.userId = userId;
|
|
|
|
|
-
|
|
|
|
|
- // If the uploaded document is not an image we need to enforce browser
|
|
|
|
|
- // download instead of execution. This is particularly important for HTML
|
|
|
|
|
- // files that the browser will just execute if we don't serve them with the
|
|
|
|
|
- // appropriate `application/octet-stream` MIME header which can lead to user
|
|
|
|
|
- // data leaks. I imagine other formats (like PDF) can also be attack vectors.
|
|
|
|
|
- // See https://github.com/wekan/wekan/issues/99
|
|
|
|
|
- // XXX Should we use `beforeWrite` option of CollectionFS instead of
|
|
|
|
|
- // collection-hooks?
|
|
|
|
|
- if (!file.isImage()) {
|
|
|
|
|
- file.original.type = 'application/octet-stream';
|
|
|
|
|
- }
|
|
|
|
|
-});
|
|
|
|
|
-
|
|
|
|
|
if (Meteor.isServer) {
|
|
if (Meteor.isServer) {
|
|
|
Attachments.files.after.insert((userId, doc) => {
|
|
Attachments.files.after.insert((userId, doc) => {
|
|
|
Activities.insert({
|
|
Activities.insert({
|
Ghassen Rjab