Fix raw endpoint PDF file headers (#19825)

2022-05-28 18:10:14 +03:00 · 2022-05-28 18:10:14 +03:00 · 65e0688a5c
commit 65e0688a5c
parent 410df1fbd4
2 changed files with 12 additions and 4 deletions
--- a/modules/typesniffer/typesniffer.go
+++ b/modules/typesniffer/typesniffer.go
@ -17,8 +17,12 @@ import (
 // Use at most this many bytes to determine Content Type.
 const sniffLen = 1024

-// SvgMimeType MIME type of SVG images.
-const SvgMimeType = "image/svg+xml"
+const (
+	// SvgMimeType MIME type of SVG images.
+	SvgMimeType = "image/svg+xml"
+	// ApplicationOctetStream MIME type of binary files.
+	ApplicationOctetStream = "application/octet-stream"
+)

 var (
 	svgTagRegex      = regexp.MustCompile(`(?si)\A\s*(?:(<!--.*?-->|<!DOCTYPE\s+svg([\s:]+.*?>|>))\s*)*<svg[\s>\/]`)
--- a/routers/common/repo.go
+++ b/routers/common/repo.go
@ -88,10 +88,14 @@ func ServeData(ctx *context.Context, name string, size int64, reader io.Reader)
 		}
 		if (st.IsImage() || st.IsPDF()) && (setting.UI.SVG.Enabled || !st.IsSvgImage()) {
 			ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
-			if st.IsSvgImage() {
+			if st.IsSvgImage() || st.IsPDF() {
 				ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 				ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
-				ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)
+				if st.IsSvgImage() {
+					ctx.Resp.Header().Set("Content-Type", typesniffer.SvgMimeType)
+				} else {
+					ctx.Resp.Header().Set("Content-Type", typesniffer.ApplicationOctetStream)
+				}
 			}
 		} else {
 			ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))