Merge pull request #14488 from owncloud/enhancement/security/inline-disposition

Serve all files with a Content-Disposition of 'attachment' via WebDAV

lib/private/connector/sabre/filesplugin.php

@@ -24,6 +24,7 @@
 
 namespace OC\Connector\Sabre;
 
+use Sabre\DAV\IFile;
 use \Sabre\DAV\PropFind;
 use \Sabre\DAV\PropPatch;
 use \Sabre\HTTP\RequestInterface;
@@ -52,6 +53,9 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 	 */
 	private $tree;
 
+	/**
+	 * @param \Sabre\DAV\Tree $tree
+	 */
 	public function __construct(\Sabre\DAV\Tree $tree) {
 		$this->tree = $tree;
 	}
@@ -84,6 +88,21 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 		$this->server->on('propPatch', array($this, 'handleUpdateProperties'));
 		$this->server->on('afterBind', array($this, 'sendFileIdHeader'));
 		$this->server->on('afterWriteContent', array($this, 'sendFileIdHeader'));
+		$this->server->on('afterMethod:GET', [$this,'httpGet']);
+	}
+
+	/**
+	 * Plugin that adds a 'Content-Disposition: attachment' header to all files
+	 * delivered by SabreDAV.
+	 * @param RequestInterface $request
+	 * @param ResponseInterface $response
+	 */
+	function httpGet(RequestInterface $request, ResponseInterface $response) {
+		// Only handle valid files
+		$node = $this->tree->getNodeForPath($request->getPath());
+		if (!($node instanceof IFile)) return;
+
+		$response->addHeader('Content-Disposition', 'attachment');
 	}
 
 	/**