
base inline/attachment logic for CVE-2023-42458 on the media type pro…
…per (ignoring parameters and whitespace) [skip ci]
d-maurer committed Sep 27, 2023
1 parent 1aa25a1 commit 6c91b16
Showing 3 changed files with 31 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGES.rst
Expand Up @@ -13,6 +13,10 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst

- Update to newest compatible versions of dependencies.

- Base the inline/attachment logic developped for CVE-2023-42458
on the media type proper (ignoring parameters and leading/trailing
whitespace).


5.8.5 (2023-09-21)
------------------
10 changes: 9 additions & 1 deletion src/OFS/Image.py
Expand Up @@ -474,7 +474,7 @@ def _range_request_handler(self, REQUEST, RESPONSE):
def _should_force_download(self):
# If this returns True, the caller should set a
# Content-Disposition header with filename.
mimetype = self.content_type
mimetype = extract_media_type(self.content_type)
if not mimetype:
return False
if self.use_denylist:
Expand Down Expand Up @@ -1170,3 +1170,11 @@ def __bytes__(self):
_next = self.next

return b''.join(r)


def extract_media_type(content_type):
"""extract the proper media type from *content_type*.
Ignore parameters and leading/trailing whitespace.
"""
return content_type and content_type.split(";", 1)[0].strip()
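Review bot: `extract_media_type` drops parameters and surrounding whitespace but does not fold case, so `extract_media_type("Text/HTML")` returns `"Text/HTML"`; media types are case-insensitive, and if the denylist comparison in `_should_force_download` (whose body continues outside the first hunk) is case-sensitive, a content type that differs from a denylist entry only in case would not be matched. Assuming the denylist entries are lower-case, returning `content_type.split(";", 1)[0].strip().lower()` would normalize in one place, and the `test_extract_media_type` added in this commit still passes because its inputs are already lower-case. The docstring should also state the falsy passthrough the caller relies on, e.g. `Return *content_type* unchanged when it is falsy (None or ""), so the caller can treat it as "no media type".`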
18 changes: 18 additions & 0 deletions src/OFS/tests/testFileAndImage.py
Expand Up @@ -433,6 +433,18 @@ def testViewImageOrFile_with_denylist(self):
"attachment; filename*=UTF-8''file.svg",
)

def testViewImageOrFile_with_denylist_and_ct_param(self):
request = self.app.REQUEST
response = request.RESPONSE
self.file.use_denylist = True
self.file.content_type += ";charset=utf-8"
result = self.file.index_html(request, response)
self.assertEqual(result, self.data)
self.assertEqual(
response.getHeader("Content-Disposition"),
"attachment; filename*=UTF-8''file.svg",
)

def testViewImageOrFile_with_empty_denylist(self):
request = self.app.REQUEST
response = request.RESPONSE
Expand All @@ -442,6 +454,12 @@ def testViewImageOrFile_with_empty_denylist(self):
self.assertEqual(result, self.data)
self.assertIsNone(response.getHeader("Content-Disposition"))

def test_extract_media_type(self):
extract = OFS.Image.extract_media_type
self.assertIsNone(extract(None))
self.assertEqual(extract("text/plain"), "text/plain")
self.assertEqual(extract(" text/plain ; charset=utf-8"), "text/plain")


class FileEditTests(Testing.ZopeTestCase.FunctionalTestCase):
"""Browser testing ..Image.File"""
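Review bot: `test_extract_media_type` does not pin the empty-string case, yet `_should_force_download` relies on `extract("")` returning a falsy value to answer False; a value made only of parameters also collapses to `""`. Adding `self.assertEqual(extract(""), "")` and `self.assertEqual(extract(";charset=utf-8"), "")` would document that a parameter-only value is treated the same as a missing media type. A mixed-case input such as `extract("Text/Plain")` would likewise make the intended case handling explicit rather than incidental.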
