From 408697accbeda048a9afada0ecb86a8490bcfc66 Mon Sep 17 00:00:00 2001
From: Kieran
Date: Fri, 9 Sep 2022 10:42:33 +0100
Subject: [PATCH] prevent hot-linking viruses

---
 VoidCat/Controllers/DownloadController.cs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/VoidCat/Controllers/DownloadController.cs b/VoidCat/Controllers/DownloadController.cs
index 0552a79..bcafe49 100644
--- a/VoidCat/Controllers/DownloadController.cs
+++ b/VoidCat/Controllers/DownloadController.cs
@@ -10,18 +10,20 @@ namespace VoidCat.Controllers;
 [Route("d")]
 public class DownloadController : Controller
 {
+ private readonly VoidSettings _settings;
 private readonly FileStoreFactory _storage;
 private readonly FileInfoManager _fileInfo;
 private readonly IPaymentOrderStore _paymentOrders;
 private readonly ILogger _logger;
 
 public DownloadController(FileStoreFactory storage, ILogger logger, FileInfoManager fileInfo,
- IPaymentOrderStore paymentOrderStore)
+ IPaymentOrderStore paymentOrderStore, VoidSettings settings)
 {
 _storage = storage;
 _logger = logger;
 _fileInfo = fileInfo;
 _paymentOrders = paymentOrderStore;
+ _settings = settings;
 }
 
 [HttpOptions]
@@ -110,6 +112,17 @@ public class DownloadController : Controller
 }
 }
 
+ // prevent hot-linking viruses
+ var origin = Request.Headers.Origin.Count > 0 ? new Uri(Request.Headers.Origin.First()) : null;
+ var originWrong = !origin?.Host.Equals(_settings.SiteUrl.Host, StringComparison.InvariantCultureIgnoreCase) ??
+ false;
+ if (meta.VirusScan?.IsVirus == true && originWrong)
+ {
+ Response.StatusCode = (int) HttpStatusCode.Redirect;
+ Response.Headers.Location = $"/{id.ToBase58()}";
+ return default;
+ }
+
 Response.Headers.XFrameOptions = "SAMEORIGIN";
 Response.Headers.ContentDisposition = $"inline; filename=\"{meta?.Metadata?.Name}\"";
 Response.ContentType = meta?.Metadata?.MimeType ?? "application/octet-stream";
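Review bot: `new Uri(Request.Headers.Origin.First())` in the second hunk parses a client-supplied header with no validation, so a malformed `Origin` value, or the literal `null` that browsers send for opaque origins, throws `UriFormatException` and turns the download into a 500 instead of the intended redirect. The two `origin`/`originWrong` lines can be collapsed into one that cannot throw and that compares host names ordinally, since they are not culture-sensitive: `var originWrong = Uri.TryCreate(Request.Headers.Origin.FirstOrDefault(), UriKind.Absolute, out var origin) && !origin.Host.Equals(_settings.SiteUrl.Host, StringComparison.OrdinalIgnoreCase);`. Note also that the `?? false` fallback serves the file whenever the header is absent, and browsers do not send `Origin` on plain navigations or `<img>`/`<a>` loads, so this check only covers fetch/XHR-style requests; if the goal is to stop virus-flagged files being embedded elsewhere, `Referer` is the header such loads actually carry, and treating a missing header as foreign for flagged files (fail closed) is worth considering. `meta.VirusScan` dereferences `meta` without the `?.` that the following context lines use, which reads as inconsistent even if `meta` is null-checked earlier. The enclosing action method starts and ends outside the hunk.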