Add option to disable inline handler #187

Closed
opened 2026-01-19 18:29:20 +00:00 by michael · 8 comments

Originally created by @stek29 on GitHub.

The inline handler can be considered insecure (especially for self-hosted installations), since it allows direct viewing of any file type, including HTML files.
Allowing the inline handler for HTML files leads to stored XSS via user-uploaded content.
Example: https://transfer.sh/inline/qEksd/test.html

@stek29 commented on GitHub:

Is the content type sanitized in any way? MIME types are case insensitive afaik, and from what I see it's not lowercased anywhere.

@paolafrancesca commented on GitHub:

@stek29 I think that instead of disabling the inline handler we could sanitize the HTML content using bluemonday (https://github.com/microcosm-cc/bluemonday).
It's just a matter of adding this at https://github.com/dutchcoders/transfer.sh/blob/master/server/handlers.go#L1011:

```go
// Run the upload through bluemonday's user-generated-content policy before it is
// served, but only when the declared content type is HTML.
if strings.HasPrefix(contentType, "text/html") {
	reader = ioutil.NopCloser(bytes.NewReader(bluemonday.UGCPolicy().SanitizeReader(reader).Bytes()))
}
```

What do you think?

Any content type other than `text/html` to sanitize?

@paolafrancesca commented on GitHub:

You are right @stek29:
https://github.com/dutchcoders/transfer.sh/blob/master/server/handlers.go#L476-L480

I forgot that we use `mime.TypeByExtension` (that's lowercase) only if the `content-type` header is empty.
I will apply lowercase here: https://github.com/dutchcoders/transfer.sh/blob/master/server/handlers.go#L386

@paolafrancesca commented on GitHub:

Fixed with #347.

@stek29 commented on GitHub:

@aspacca your solution seems good enough (`.Contains` html).
I'd still prefer to have an option to disable the inline handler completely tbh, but yeah, it's good enough.

@paolafrancesca commented on GitHub:

@stek29 https://github.com/dutchcoders/transfer.sh/pull/355
What do you think?

I also reduced sanitization to inline content disposition: i.e., when you download the file you want it to be the original one.

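The state the thread settles on, as an added Go example that is not transfer.sh's own code: the declared type is matched case-insensitively via `mime.ParseMediaType`, sanitization is applied only to inline responses, and a disable-inline switch forces attachment. The `Sanitizer` interface mirrors bluemonday's `SanitizeReader` so `bluemonday.UGCPolicy()` can be passed in; `escapeAll`, `Serve` and `Render` are assumed names for this example.

```go
package main
import (
	"bytes"
	"html"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sanitizer matches the method on bluemonday's *Policy, so bluemonday.UGCPolicy() fits.
type Sanitizer interface {
	SanitizeReader(r io.Reader) *bytes.Buffer
}

// escapeAll is a stand-in (assumption, not bluemonday): it escapes the whole body.
type escapeAll struct{}
func (escapeAll) SanitizeReader(r io.Reader) *bytes.Buffer {
	b, _ := io.ReadAll(r)
	return bytes.NewBufferString(html.EscapeString(string(b)))
}

// IsHTML normalizes with mime.ParseMediaType, which lowercases the type and drops
// parameters, so a declared "TEXT/HTML; charset=utf-8" is caught as well.
func IsHTML(contentType string) bool {
	mt, _, err := mime.ParseMediaType(contentType)
	return err == nil && mt == "text/html"
}

// Serve sanitizes only for inline disposition, where the browser renders the file; an
// attachment keeps its original bytes. disableInline forces attachment (the issue's option).
func Serve(w http.ResponseWriter, body io.Reader, contentType, disposition string, disableInline bool, s Sanitizer) {
	if disableInline {
		disposition = "attachment"
	}
	if disposition == "inline" && IsHTML(contentType) {
		body = s.SanitizeReader(body)
	}
	w.Header().Set("Content-Type", contentType)
	w.Header().Set("Content-Disposition", disposition)
	io.Copy(w, body)
}

// Render drives Serve through httptest and returns the body and disposition sent.
func Render(payload, contentType, disposition string, disableInline bool) (string, string) {
	rec := httptest.NewRecorder()
	Serve(rec, strings.NewReader(payload), contentType, disposition, disableInline, escapeAll{})
	return rec.Body.String(), rec.Header().Get("Content-Disposition")
}
```
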
@stek29 commented on GitHub:

@aspacca do you mind making a release including these two fixes?

@paolafrancesca commented on GitHub:

Done!

Reference: dutchcoders/transfer.sh#187