Filter content-type in received headers (fix #254)

brrd · Apr 17, 2020 · 905a05b · 905a05b
1 parent d087933
commit 905a05b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/app/index.js b/app/index.js
@@ -7,9 +7,11 @@
 // Squirrel
 if (require("electron-squirrel-startup")) return;
 
-var app = require("electron").app,
+var electron = require("electron"),
+    app = electron.app,
     creator = require.main.require("./creator.js"),
-    dialog = require("electron").dialog;
+    dialog = electron.dialog,
+    session = electron.session;
 
 var abrApp = null,
     osxOpenFilePaths = [];
@@ -66,6 +68,20 @@ app.on("ready", function () {
         }
     }
 
+    // Forbid unexpected Content-Types in received headers in default session (= editor) to protect against stegosploit (#254). Content types which don't start with "image/" will be deleted from header.
+    session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+        var responseHeaders = details.responseHeaders;
+        var key = Object.keys(responseHeaders).find(k => k.toLowerCase() === "content-type");
+        var contentType = responseHeaders[key] || [];
+
+        var newContentType = contentType.filter(function (type) {
+            return /^image\//.test(type);
+        });
+
+        responseHeaders[key] = newContentType;
+        callback({ cancel: false, responseHeaders: responseHeaders });
+    });
+
     // Load AbrApplication once app is ready
     var AbrApplication = require.main.require("./abr-application.js");
 

diff --git a/app/renderer/cm-extend-autopreview.js b/app/renderer/cm-extend-autopreview.js
@@ -170,7 +170,7 @@ function autopreview (cm, line, types) {
                     aspectRatio = aspectRatio > 100 ? 100 : aspectRatio;
                     // Create element
                     var $parent = $("<div class='autopreview-iframe' style='padding-bottom: " + aspectRatio + "%;'></div>"),
-                        $webview = $("<webview frameborder='0' src='" + url + "'></webview>"),
+                        $webview = $("<webview frameborder='0' partition='autopreview-iframe' src='" + url + "'></webview>"),
                         errorFunc = function () {
                             $webview.remove();
                             $parent.addClass("iframe-error");