CVE-2022-0936: Force download of attachments (#1490) · autolab/Autolab@02d76ab
Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0.
@@ -44,8 +44,9 @@ def show
flash[:error] = “Error loading #{@attachment.name} from #{@attachment.filename}”
redirect_to([@course, :attachments]) && return
end
# Set to application/octet-stream to force download
send_file(filename, disposition: "inline",
type: @attachment.mime_type, filename: @attachment.filename) && return
type: "application/octet-stream", filename: @attachment.filename) && return
end
action_auth_level :edit, :instructor
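Review bot: The send_file call still passes `disposition: "inline"` even though the new comment says the intent is to force a download; the octet-stream type alone relies on browser heuristics, whereas `disposition: "attachment"` is the explicit Content-Disposition signal and is what the comment promises. I would change the call to `send_file(filename, disposition: "attachment",` and keep the new `type: "application/octet-stream"` line as is. Whether the served bytes are still sniffed into HTML also depends on the app emitting `X-Content-Type-Options: nosniff`, which Rails' default headers include in recent versions, but that is not visible here and worth confirming. The `show` action begins before line 44, so the source of `filename` and the checks preceding the flash branch are outside this hunk.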