No Content-Security-Policy headers on file download responses #173

New Issue

Closed

opened 2026-04-10 16:04:17 +02:00 by shahondin1624 · 0 comments

shahondin1624 commented 2026-04-10 16:04:17 +02:00

Owner

Copy Link

Copy Source

Severity: LOW

Location

lib/Controller/ExportController.php, lib/Controller/ReportController.php

Description

File download responses (CSV, PDF, ZIP) don't set Content-Disposition: attachment explicitly in all cases, which could allow browser rendering of potentially malicious content (CSV injection).

Recommendation

Always set Content-Disposition: attachment; filename="..." and X-Content-Type-Options: nosniff on download responses.

## Severity: LOW ## Location `lib/Controller/ExportController.php`, `lib/Controller/ReportController.php` ## Description File download responses (CSV, PDF, ZIP) don't set `Content-Disposition: attachment` explicitly in all cases, which could allow browser rendering of potentially malicious content (CSV injection). ## Recommendation Always set `Content-Disposition: attachment; filename="..."` and `X-Content-Type-Options: nosniff` on download responses.

shahondin1624 added the backendsecuritypriority:low labels 2026-04-10 16:04:17 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:25:31 +02:00

fix: add X-Content-Type-Options nosniff header to download responses (Closes #173)

shahondin1624 referenced a pull request that will close this issue 2026-04-10 16:25:36 +02:00

fix: add X-Content-Type-Options nosniff header to downloads (Closes #173) #184

shahondin1624 closed this issue 2026-04-10 16:25:41 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:25:42 +02:00

fix: add X-Content-Type-Options nosniff header to downloads (Closes #173) (#184)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/duplicate-sync-methods

fix/missing-database-transactions

fix/find-archived-filtering-in-memory

fix/n-plus-one-queries-member-list

v0.5.2

v0.3.2

v0.3.1

v0.3.0

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

Labels

Clear labels

backend

Backend / PHP work

bug

Bug report

database

Database migrations and schema

documentation

Documentation

enhancement

Enhancement or improvement

epic

Epic / feature-group issues

frontend

Frontend / Vue.js work

integration

Nextcloud integrations (Calendar, Contacts, Files)

priority:high

High priority

priority:low

Low priority

priority:medium

Medium priority

security

Security-related work

testing

Tests and test infrastructure

No Label backend priority:low security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

shahondin1624

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#173